Reverse-proxy IP used in logs instead of header X-Real-IP #2083

Closed
opened 2026-03-22 13:55:18 -05:00 by GiteaMirror · 3 comments
Originally created by @soda-pop-ice-cream on GitHub (Mar 6, 2025).

Description

I am using Vikunja installed from the .deb file with nginx as a reverse proxy. In the Vikunja logs, all requests are displayed as if they are coming from the reverse proxy, not from the clients themselves (as if the X-Real-IP header is not being used):

```
2025-03-06T10:16:39+07:00: WEB         ▶ 192.168.1.1  GET 304 /sw.js 111.091µs - Mozilla/5.0 (X11; Linux x86_64; rv:135.0) Gecko/20100101 Firefox/135.0
2025-03-06T10:16:39+07:00: WEB         ▶ 192.168.1.1  GET 200 /api/v1/notifications?page=1 1.529827ms - Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
2025-03-06T10:16:43+07:00: WEB         ▶ 192.168.1.1  POST 200 /api/v1/user/token 864.794µs - Mozilla/5.0 (X11; Linux x86_64; rv:135.0) Gecko/20100101 Firefox/135.0
```

Here is my nginx config:

```
server {
  server_name example.org;
  listen      80;

  location / {
    return 301 https://$host$request_uri;
  }
}

server {
  listen 443 ssl;
  http2 on;

  server_name example.org;

  ssl_certificate /etc/ssl/nginx/example.pem;
  ssl_certificate_key /etc/ssl/nginx/example.key;
  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
  ssl_session_tickets off;
  ssl_protocols TLSv1.3;
  add_header Strict-Transport-Security "max-age=63072000" always;
  ssl_prefer_server_ciphers off;

  location / {
    proxy_pass http://127.0.0.1:3456;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}
```

Vikunja Version

0.24.6

Browser and version

Firefox 135.0.1

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

No response


@kolaente commented on GitHub (Mar 8, 2025):

This appears to be a deeper issue. I've just checked and I'm unable to reproduce the problem with

```
curl localhost:3456/api/v1/info -H 'X-Real-IP: 1.1.1.1'
```

1.1.1.1 shows up as remote ip, as expected.

However, on my running Vikunja instance, I see some requests with the actual client ip and some with a local ip. Next step would be to log the headers to figure out where this is coming from.


@soda-pop-ice-cream commented on GitHub (Mar 8, 2025):

@kolaente I'm really sorry, but that's a misconfiguration on my end: I had a proxy enabled in Firefox. It was using the same server where Vikunja lives. I tried the same curl as you and saw the real client IP in the Vikunja logs, then asked GPT to write a Python script that runs a web server and prints headers, dug a bit deeper and found the proxy. 🫠
Feel free to close this.


@kolaente commented on GitHub (Mar 9, 2025):

From my debugging, it seems like Vikunja uses the headers correctly. Seems to be an issue with the proxy in front of it.
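
The header check described in the thread (a small web server that shows which headers the proxy forwards), written out as an added example that is not part of the original issue or of Vikunja's code. `describe_request`, `EchoHandler` and listening on 127.0.0.1:3456 in place of Vikunja are assumptions for illustration.

```python
import ipaddress
import json
from http.server import BaseHTTPRequestHandler, HTTPServer


def describe_request(peer_ip, headers):
    """Summarise the client-IP information the backend received (hypothetical helper)."""
    real_ip = headers.get("X-Real-IP")
    xff = [h.strip() for h in (headers.get("X-Forwarded-For") or "").split(",") if h.strip()]
    notes = []
    if real_ip is None:
        notes.append("no X-Real-IP: the request did not come through the nginx location block")
    else:
        try:
            addr = ipaddress.ip_address(real_ip)
        except ValueError:
            notes.append("X-Real-IP is not a valid IP address")
        else:
            # nginx sets X-Real-IP to $remote_addr, i.e. whoever connected to nginx.
            if addr.is_private or addr.is_loopback:
                notes.append("X-Real-IP is a local address: nginx saw a LAN or local peer, "
                             "for example a forward proxy running on the same host")
    if len(xff) > 1:
        notes.append("X-Forwarded-For has %d entries: a value was supplied before nginx" % len(xff))
    return {"peer": peer_ip, "x_real_ip": real_ip, "x_forwarded_for": xff, "notes": notes}


class EchoHandler(BaseHTTPRequestHandler):
    """Answers every GET with a JSON summary of the forwarded headers."""

    def do_GET(self):
        info = describe_request(self.client_address[0], self.headers)
        body = json.dumps(info, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Assumption: Vikunja is stopped, so this can take the proxy_pass target from the config above.
    HTTPServer(("127.0.0.1", 3456), EchoHandler).serve_forever()
```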


Reference: github-starred/vikunja#2083