Client IP not forwarded to services #380

New Issue

Closed

opened 2025-11-13 11:58:42 -06:00 by GiteaMirror · 4 comments

GiteaMirror commented 2025-11-13 11:58:42 -06:00

Owner

Copy Link

Originally created by @FirmYn on GitHub (May 27, 2025).

Hi !
On the services deployed behind pangolin the user activity only shows private IP from newt tunnel.
There is some traefik plugins made for Cloudflare tunnels (which I do not use), that I tried without success. I don't find a lot of documentation on this subject, am I missing something ?

I am using pangolin 1.4.1 and the first version I deployed was the 1.1.0, if that helps :)

Example of activity on my jellyfin instance :

Originally created by @FirmYn on GitHub (May 27, 2025). Hi ! On the services deployed behind pangolin the user activity only shows private IP from newt tunnel. There is some traefik plugins made for Cloudflare tunnels (which I do not use), that I tried without success. I don't find a lot of documentation on this subject, am I missing something ? I am using pangolin 1.4.1 and the first version I deployed was the 1.1.0, if that helps :) Example of activity on my jellyfin instance : 

GiteaMirror closed this issue 2025-11-13 11:58:42 -06:00

GiteaMirror commented 2025-11-13 11:58:43 -06:00

Author

Owner

Copy Link

@oschwartz10612 commented on GitHub (May 27, 2025):

Hi! It depends on how your target service is extracting the client IP. The actual IP of the packets from Newt will always be its IP because it is a TCP reverse proxy, but there are headers added by Traefik to provide the real client IP. For example, see the below output of an http GET request through Pangolin to containous/whoami. The X-Forwarded-For and X-Real-Ip headers provide the real client IP.

Hostname: 7fc073673a41
IP: 127.0.0.1
IP: ::1
IP: 172.17.0.3
RemoteAddr: 172.17.0.1:50730
GET / HTTP/1.1
Host: test.fosrl.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.5
Cookie: p_session_token_s.1748355702263=lr43yivmgqqqope53zgay7klzf6hyxos
Priority: u=0, i
Referer: https://p.fosrl.io/
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Te: trailers
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 100.36.185.88
X-Forwarded-Host: test.fosrl.io
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 5c039251d853
X-Real-Ip: 100.36.185.88

@oschwartz10612 commented on GitHub (May 27, 2025): Hi! It depends on how your target service is extracting the client IP. The actual IP of the packets from Newt will always be its IP because it is a TCP reverse proxy, but there are headers added by Traefik to provide the real client IP. For example, see the below output of an http GET request through Pangolin to `containous/whoami`. The `X-Forwarded-For` and `X-Real-Ip` headers provide the real client IP. ``` Hostname: 7fc073673a41 IP: 127.0.0.1 IP: ::1 IP: 172.17.0.3 RemoteAddr: 172.17.0.1:50730 GET / HTTP/1.1 Host: test.fosrl.io User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.5 Cookie: p_session_token_s.1748355702263=lr43yivmgqqqope53zgay7klzf6hyxos Priority: u=0, i Referer: https://p.fosrl.io/ Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-site Te: trailers Upgrade-Insecure-Requests: 1 X-Forwarded-For: 100.36.185.88 X-Forwarded-Host: test.fosrl.io X-Forwarded-Port: 443 X-Forwarded-Proto: https X-Forwarded-Server: 5c039251d853 X-Real-Ip: 100.36.185.88 ```

GiteaMirror commented 2025-11-13 11:58:43 -06:00

Author

Owner

Copy Link

@FirmYn commented on GitHub (May 28, 2025):

Thanks a lot, I was completely misunderstanding how it works !

@FirmYn commented on GitHub (May 28, 2025): Thanks a lot, I was completely misunderstanding how it works !

GiteaMirror commented 2025-11-13 11:58:43 -06:00

Author

Owner

Copy Link

@tuandatdavid commented on GitHub (Jun 7, 2025):

Thanks a lot, I was completely misunderstanding how it works !

sorry, for reviving this old issue, but did you solve this? Or you just learned to live with it?

@tuandatdavid commented on GitHub (Jun 7, 2025): > Thanks a lot, I was completely misunderstanding how it works ! sorry, for reviving this old issue, but did you solve this? Or you just learned to live with it?

GiteaMirror commented 2025-11-13 11:58:43 -06:00

Author

Owner

Copy Link

@oschwartz10612 commented on GitHub (Jun 8, 2025):

@tuandatdavid target application needs to be able to pull the IP out of the headers of the request. See above response.

This is usually mostly application specific and is hard to give a general answer for - sorry!

@oschwartz10612 commented on GitHub (Jun 8, 2025): @tuandatdavid target application needs to be able to pull the IP out of the headers of the request. See above response. This is usually mostly application specific and is hard to give a general answer for - sorry!

GiteaMirror referenced this issue 2026-04-16 08:03:56 -05:00

[GH-ISSUE #380] HTTP header are not forwarded breaking OIDC for some apps #1422

GiteaMirror referenced this issue 2026-04-20 07:18:04 -05:00

[GH-ISSUE #380] HTTP header are not forwarded breaking OIDC for some apps #3364

GiteaMirror referenced this issue 2026-04-25 15:04:20 -05:00

[GH-ISSUE #380] HTTP header are not forwarded breaking OIDC for some apps #6218

GiteaMirror referenced this issue 2026-04-30 03:37:15 -05:00

[GH-ISSUE #380] HTTP header are not forwarded breaking OIDC for some apps #8186

GiteaMirror referenced this issue 2026-05-06 13:17:59 -05:00

[GH-ISSUE #380] HTTP header are not forwarded breaking OIDC for some apps #10183

GiteaMirror referenced this issue 2026-05-13 17:24:11 -05:00

[GH-ISSUE #380] HTTP header are not forwarded breaking OIDC for some apps #12227

GiteaMirror referenced this issue 2026-05-16 02:04:48 -05:00

[GH-ISSUE #380] HTTP header are not forwarded breaking OIDC for some apps #14307

GiteaMirror referenced this issue 2026-05-18 16:25:09 -05:00

[GH-ISSUE #380] HTTP header are not forwarded breaking OIDC for some apps #16402

GiteaMirror referenced this issue 2026-05-21 17:56:41 -05:00

[GH-ISSUE #380] HTTP header are not forwarded breaking OIDC for some apps #18509

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/qs-6.15.2

rdp-ssh

dependabot/npm_and_yarn/prod-patch-updates-94425a55d0

dependabot/npm_and_yarn/dev-minor-updates-4aaf4dbce4

dependabot/go_modules/install/minor-updates-a249525a56

crowdin_dev

auto-update

dev

fix-site-delete

fix-3104

exit-node-reconnect

fix-logoUrl

button-to-rebuild-association

dependabot/npm_and_yarn/brace-expansion-5.0.6

copilot/fix-documentation-input-output-types

dependabot/github_actions/sigstore/cosign-installer-4.1.2

redis

resource-policies

dependabot/npm_and_yarn/next-15.5.18

dependabot/npm_and_yarn/fast-uri-3.1.2

s3

dependabot/npm_and_yarn/fast-xml-builder-1.2.0

dependabot/npm_and_yarn/axios-1.15.2

dependabot/npm_and_yarn/next-intl-4.9.2

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

breakout-sites-tables

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.4

1.18.3

1.18.2

1.18.1

1.18.0

1.18.0-rc.0

1.17.1

1.17.0

1.17.0-rc.0

1.16.2

1.16.1

1.16.0

1.16.0-rc.0

1.15.4

1.15.3

1.15.2

1.15.1

1.15.0

1.15.0-rc.0

1.14.1

1.14.0

1.14.0-rc.0

1.13.1

1.13.0

1.13.0-rc.0

1.12.3

1.12.2

1.12.1

1.12.0

1.12.0-rc.0

1.11.1

1.11.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#380