mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-16 05:57:27 -05:00
[GH-ISSUE #2597] enhance(badger): Expose configuration options for badger@http middleware #23488
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @Christopher87R on GitHub (Mar 4, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2597
Describe the Bug
The log files do not show the user's IP address, but rather that of the Docker host. Basically, I have a standard
setup: Cloudflare Tunnel (proxy) - VM with Docker-based Pangolin and Traefik.
In Traefik, the forwardedHeaders: trustedIPs are configured and pangolin server has trust_proxy: 2 configured. If I use the fork github.com/hajimAIM/badger in version v1.2.1 instead of the badger traefik plugin github.com/fosrl/badger v1.3.1, it works as expected.
Environment
To Reproduce
docker-compose.yml
config.yml
traefik_config.yml
dynamic_config.yml
Expected Behavior
I would expect my IPv4 (or IPv6, if applicable) address to be in the log file and also at Whoami under X-Real-Ip.
I would expect my IPv4 (or IPv6, if applicable) address to appear in the log file and also under X-Real-Ip in Whoami. This seems to work when I use the fork github.com/hajimAIM/badger in version v1.2.1 for Badger. However, I then have to deactivate the middleware.
@Christopher87R commented on GitHub (Mar 10, 2026):
Could you please check this or can anybody help me with this issue?
@LaurenceJJones commented on GitHub (Mar 10, 2026):
when setting the trust proxy level, did you ensure to bring down the stack (ensure the pangolin network is removed) then bring it all back up?
This is not just a pangolin problem many traefik users in general have issues with the docker-proxy causing problems with real ip.
also stating "standard setup" is not correct, we generally dont suggest you put pangolin behind a reverse proxy (cloudflared is a tunneled reverse proxy) as it should be exposed to be the gateway ingress.
@AstralDestiny commented on GitHub (Mar 10, 2026):
@AstralDestiny commented on GitHub (Mar 10, 2026):
If using cloudflared inspect your docker network and remove all the cloudflare v4/v6 and just put the docker ip range of cloudflared or the ipam you set for it.
docker inspect cloudflared, Find it's network name, docker network inspect
If it's on a different host then trust that host like 10.0.0.5/32
@Christopher87R commented on GitHub (Mar 10, 2026):
Sure, I did a docker compose up -d --force-recreate
It works when I use github.com/hajimAIM/badger in version v1.2.1 - So I was surprised and assume that it is a bug.
I did exactly as you suggested and only entered the relevant IPs. Unfortunately, this did not work, and I still have the same problem.
By the way, the Cf-Connecting-Ip is deleted - whoami no longer displays it when I have Pangolin in between.
For CF Tunnel - Traefik - whoami, it works.
@Christopher87R commented on GitHub (Mar 11, 2026):
I have now tried everything again and unfortunately without success. I also looked at the source code and since the Cf-Connecting-Ip header is deleted, isTrusted does not seem to be true - for whatever reason. Perhaps the trusted IP list is not being applied?
@Christopher87R commented on GitHub (Mar 12, 2026):
I have now explicitly set the IP ranges:
and adjusted the list of IPs accordingly:
Still no success, the visitor's real IP is never displayed.
@Christopher87R commented on GitHub (Mar 13, 2026):
I have now done the following (perhaps a little rough and ready, but it works).
My Traefik config now uses Badger's locale plugin (to incorporate debug output).
I also have set the CF-Tunnel IP
This works, and I have now incorporated the following output into the .go file:
The settings do not seem to be applied, because I get the following in the Traefik log file:
The strange thing is that after restarting Traefik, the following is briefly visible:
So something is going wrong here. Do you have any idea what it is and how I can narrow it down further? Unfortunately, I'm not really familiar with Go or a setup that would allow me to debug it.
Update: When I add the IP to the default IPs in ips.go, everything works fine.
It seems as if the IP list is always overwritten by the default IP list. This happens even when I explicitly deactivate the default IPs.
Am I doing something wrong in the settings?
@miloschwartz is this more a Badger bug?
@Christopher87R commented on GitHub (Mar 25, 2026):
Could someone please take a look at this? To me, this clearly looks like a defect (see the analysis of the last 3 posts)
@LaurenceJJones commented on GitHub (Mar 25, 2026):
As noted previously, Pangolin behind a reverse proxy is not a supported deployment method. For that reason, the issue being reported would not be classified as a defect in Pangolin, as the setup is outside the supported configuration.
Relevant code reference:
67ad9b651e/main.go (L403-L428)Looking at the current implementation, Badger’s realip handling is fairly limited and does not fully support the reverse lookup logic that would be needed here.
The most practical workaround would be to define a custom header such as X-Real-Ip, which Cloudflare should already be setting. Otherwise, if you can avoid using a plugin that removes the CF-Connecting-Ip header, the existing fallback logic should allow it to work.
Just note that the badger you define here is not the badger that is used in resources (this also caught me out recently), which is probably adding to the confusion as Pangolin defines
badger@httpnotbadger@filethat gets the configuration from theconfig.yamlthat pangolin defines and such it only have the trust integer.@LaurenceJJones commented on GitHub (Mar 25, 2026):
Editting looking back up, so on the traefik configuration you defined the trusted headers on both http and https entrypoints (even though your behind CF tunnel so https should basically be disabled)?
@Christopher87R commented on GitHub (Mar 26, 2026):
Yep, I defined it or both, http and https. Shouldn't http be disabled basically?
How can I define the config for badger@http?
@LaurenceJJones commented on GitHub (Mar 26, 2026):
You cant and thats the issue because if you was doing typically cloudflare proxying (to public IP 80/433 port) we load the default cloudflare ranges and it works, but since its CF tunnel we have noway currently to define this for
badger@http.@github-actions[bot] commented on GitHub (Apr 10, 2026):
This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.