[Bug]: Randomly receiving proxy IP as X-Forwarded-For header using Traefik or Caddy #3436
Comments
Are you sure the requests where you do not seem to get the right IP are not just internal requests in Coolify? For example the healthcheck of your container?
@peaklabs-dev Yes, it has been verified that those are attached to users. Edit: removed a comment that could be misleading, check out fa-sharp's answer for the solution.
This was too much of a pressing issue for me, so in the meantime I've disabled the Coolify-managed proxy and apt-installed Nginx that I configured manually. Sadly, I lose load balancing and rolling releases, so a fix would still be much appreciated.
same issue
So this was on the host machine and it worked well. Then I migrated Nginx to a container again and had the exact same issue. So I guess this is not an issue with Coolify's handling of proxies specifically, but something about Coolify's Docker network or Docker in general that I don't understand.
@toverux Don't know if you've resolved the issue or not, but I was running into a similar issue and I realized it was related to IPv6. Any client connecting with an IPv6 address was not getting their IP address correctly through and showed up with an internal/Docker IP address. There are various threads here and there on the issues with Docker and IPv6, but I was able to use the official docs to get this resolved. Basically there are 2 choices: remove and recreate the Coolify network with IPv6 enabled, or edit the (Note I'm not using Cloudflare tunnels or anything like that)
@fa-sharp No, I was not able to solve it and it's still an issue for me, so, many thanks for your investigation!
It works! Changing the daemon settings did not work for me even after a hard reboot, so I had to remove each container attached to the coolify network, then delete it, and recreate it with IPv6 enabled. Then I had to redeploy manually each Coolify-managed app so they'd be attached to the new network. So, it would be nice if Coolify created its network with IPv6 enabled!
Glad to hear that worked! I think there might be internet providers and devices that don't support IPv6, which is probably why it isn't the default. I just wish Docker made it a lot more straightforward to toggle it. I'm hoping that the container/network management mentioned in #2495 would have a setting for IPv6.
Description
Edit: The issue is caused by Coolify not using an IPv6 network, so you get proxy IP for IPv6 users. You can solve this manually: #3436 (comment)
I'm leaving the issue open to signify that the issue is not solved at Coolify's level, but feel free to close when a more focused issue is created.
Hello!
I am having an issue with Traefik and Caddy proxies where they frequently (and kinda randomly) send me a forwarded-for IP address header that is actually a proxy local IP.
Ex.
["172.18.0.2", "xxx.xxx.xxx.xxx"] with the first IP being a proxy IP, second is the end user IP, and I have the right X-Forwarded-For header.
["172.18.0.2", "172.18.0.1"] with X-Forwarded-For being the second and "wrong" IP.
I tried adding traefik.entryPoints.http.forwardedHeaders.insecure=true to my project's Traefik config to see if it would just forward headers as-is, but it didn't change a thing.
I use pretty much all the defaults coming with a proxy install, didn't change anything. This is the project's config:
I have no load balancing between server, both the proxy and the projects are on the same machine, one running instance only.
I'm completely unfamiliar with the stack (Coolify, Docker, Traefik, Caddy, etc) so I don't know where to look. I posted in the Discord, but no one was able to help.
I thought this is a serious enough bug though (and blocking, for me), since it makes us unable to track users' IPs (I need this for rate limiting and IP-banning), so I thought I could post an issue here.
Minimal Reproduction (if possible, example repository)
console.log(req.ip) with proxy headers trusting enabled in your application's HTTP router.
Exception or Error
No response
Version
4.0.0-beta.332
Cloud?
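Added example (not part of the issue thread and not Coolify's code): since the reporter needs the client IP for rate limiting and IP banning, this sketch resolves the client from the peer address plus X-Forwarded-For and refuses to key on an address from an internal range, which is what the second case above produces. The helper names, the trusted-range list and the 203.0.113.7 client are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical, 203.0.113.7 is a constructed documentation IP.
const INTERNAL_V4 = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
                     ['127.0.0.0', 8], ['169.254.0.0', 16]];

function v4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True for addresses that cannot be a real Internet client.
function isInternal(ip) {
  const addr = ip.trim().toLowerCase().replace(/^::ffff:(?=\d+\.)/, ''); // IPv4-mapped
  const n = v4ToInt(addr);
  if (n !== null) {
    return INTERNAL_V4.some(([base, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(v4ToInt(base) / size);
    });
  }
  if (!addr.includes(':')) return true;          // not an IP: never use it as identity
  if (addr === '::1') return true;               // IPv6 loopback
  const first = parseInt(addr.split(':')[0] || '0', 16);
  return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80; // ULA, link-local
}

// Assumption: the app is reachable only through proxies on internal addresses.
// Walk peer + X-Forwarded-For right to left and stop at the first external hop,
// so values a client prepends to the header are never reached.
function resolveClient(xffHeader, peerAddress) {
  const chain = (xffHeader || '').split(',').map((s) => s.trim()).filter(Boolean);
  chain.push(peerAddress);
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!isInternal(chain[i])) return { ip: chain[i], usable: true };
  }
  // Every hop is internal: the client address was lost upstream of the app.
  return { ip: chain[0], usable: false };
}

// Rate-limit/ban key: null means "do not key on IP for this request".
function rateLimitKey(xffHeader, peerAddress) {
  const client = resolveClient(xffHeader, peerAddress);
  return client.usable ? client.ip : null;
}
```

A null key is worth logging and counting: banning 172.18.0.1 would hit every request that arrives with that same internal address, not one user.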