[GH-ISSUE #2357] Add trustip config option for Badger middleware (needed for Cloudflare Tunnel / local proxies) #17130

Closed
opened 2026-05-18 17:34:14 -05:00 by GiteaMirror · 4 comments
Owner

Originally created by @uwuceo on GitHub (Jan 28, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2357

Describe the Bug

I'm running Pangolin behind a cloudflared container (Cloudflare Tunnel). Badger is not correctly extracting the real client IP — it uses the cloudflared container's Docker IP instead of the value in CF-Connecting-IP.

Root cause:

Pangolin generates the Badger middleware config in TraefikConfigManager.ts without a trustip option. This means only the default Cloudflare edge IPs are trusted. When using Cloudflare Tunnel, requests arrive from cloudflared's local Docker IP (e.g., 172.20.0.11), which isn't in the Cloudflare IP ranges — so CF-Connecting-IP is ignored.

My dynamic_config.yml has a separate Badger middleware with trustip: ["172.16.0.0/12"], but routes generated by Pangolin use badger@http (from the HTTP provider), not badger@file.
Debug output showing the issue (I added some debug logging):

DEBUG RemoteAddr: 172.20.0.11:45638
DEBUG isTrusted: false
DEBUG CF-Connecting-IP: x.x.x.x
DEBUG trustIP count: 22

The 22 trusted IPs are the default Cloudflare ranges from ips/ips.go, not my custom config.
Suggested fix:
Add a badger.trustip option to config.yml that gets passed through to the generated middleware in TraefikConfigManager.ts.

Environment

  • OS Type & Version: Debian 13
  • Pangolin Version: 1.15.1
  • Gerbil Version: 1.3.0
  • Traefik Version: 3.6.7
  • Newt Version: 1.9.0
  • Badger Version: 1.3.1

To Reproduce

  1. Deploy Pangolin behind a Cloudflare Tunnel (cloudflared container in the same Docker network)
  2. Access any Pangolin-managed resource through the tunnel
  3. Check Traefik logs — Badger's isTrusted is false for requests because RemoteAddr is the cloudflared container's Docker IP (e.g., 172.20.0.11), not a Cloudflare edge IP
  4. The real client IP in CF-Connecting-IP is ignored, and the Docker IP is used instead

Expected Behavior

Badger should trust the cloudflared container's IP and extract the real client IP from CF-Connecting-IP.

Adding a custom Badger middleware with trustip: ["172.16.0.0/12"] in dynamic_config.yml doesn't help because Pangolin-generated routes use badger@http, not badger@file.

Originally created by @uwuceo on GitHub (Jan 28, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2357 ### Describe the Bug I'm running Pangolin behind a cloudflared container (Cloudflare Tunnel). Badger is not correctly extracting the real client IP — it uses the cloudflared container's Docker IP instead of the value in `CF-Connecting-IP`. Root cause: Pangolin generates the Badger middleware config in `TraefikConfigManager.ts` without a `trustip` option. This means only the default Cloudflare edge IPs are trusted. When using Cloudflare Tunnel, requests arrive from cloudflared's local Docker IP (e.g., `172.20.0.11`), which isn't in the Cloudflare IP ranges — so `CF-Connecting-IP` is ignored. My `dynamic_config.yml` has a separate Badger middleware with `trustip: ["172.16.0.0/12"]`, but routes generated by Pangolin use `badger@http` (from the HTTP provider), not `badger@file`. Debug output showing the issue (I added some debug logging): ``` DEBUG RemoteAddr: 172.20.0.11:45638 DEBUG isTrusted: false DEBUG CF-Connecting-IP: x.x.x.x DEBUG trustIP count: 22 ``` The 22 trusted IPs are the default Cloudflare ranges from `ips/ips.go`, not my custom config. Suggested fix: Add a `badger.trustip` option to `config.yml` that gets passed through to the generated middleware in `TraefikConfigManager.ts`. ### Environment - OS Type & Version: Debian 13 - Pangolin Version: 1.15.1 - Gerbil Version: 1.3.0 - Traefik Version: 3.6.7 - Newt Version: 1.9.0 - Badger Version: 1.3.1 ### To Reproduce 1. Deploy Pangolin behind a Cloudflare Tunnel (cloudflared container in the same Docker network) 2. Access any Pangolin-managed resource through the tunnel 3. Check Traefik logs — Badger's isTrusted is false for requests because RemoteAddr is the cloudflared container's Docker IP (e.g., 172.20.0.11), not a Cloudflare edge IP 4. The real client IP in CF-Connecting-IP is ignored, and the Docker IP is used instead ### Expected Behavior Badger should trust the cloudflared container's IP and extract the real client IP from CF-Connecting-IP. Adding a custom Badger middleware with trustip: ["172.16.0.0/12"] in dynamic_config.yml doesn't help because Pangolin-generated routes use badger@http, not badger@file.
Author
Owner

@github-actions[bot] commented on GitHub (Feb 12, 2026):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

<!-- gh-comment-id:3887993650 --> @github-actions[bot] commented on GitHub (Feb 12, 2026): This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.
Author
Owner

@uwuceo commented on GitHub (Feb 12, 2026):

Not stale

<!-- gh-comment-id:3888026157 --> @uwuceo commented on GitHub (Feb 12, 2026): Not stale
Author
Owner

@r4tze commented on GitHub (Feb 17, 2026):

Same for me.
But I am using a NGINX proxy in front of pangolin.

<!-- gh-comment-id:3914872781 --> @r4tze commented on GitHub (Feb 17, 2026): Same for me. But I am using a NGINX proxy in front of pangolin.
Author
Owner

@oschwartz10612 commented on GitHub (Feb 25, 2026):

This is not supported, sorry!

<!-- gh-comment-id:3961883880 --> @oschwartz10612 commented on GitHub (Feb 25, 2026): This is not supported, sorry!
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#17130