-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nginx_proxy: Adding support for TCP Proxy Protocol #3274
base: master
Are you sure you want to change the base?
Conversation
This comment was marked as off-topic.
This comment was marked as off-topic.
Hi @agners, just wondering what would be the next step to get the PR merged? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not very familiar with the various proxy options/configurations, but wouldn't the first option documented in https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/ to get the originating IP address more generic? (E.g. not using the RealIP module? 🤔 ).
nginx_proxy/config.yaml
Outdated
servers: str? | ||
proxyProtocol: | ||
enabled: bool | ||
realIpFrom: str? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this should support a list? 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What field were you thinking?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can ask the user for a list, the Samba add-on has an example for it's allowed host list, syntax would be:
allow_hosts:
- str
I am not sure how to make this optional though. 😅
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's definitely some improvements that can be done into how this addon is setup; will definitely take a look later to see about these other kind of changes as well.
Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍 |
Hmm it could be? Tbh i've been using $proxy_protocol_addr as that was being used in a couple of other examples with proxy protocol. |
There is also this note:
🤔 I am really not an expert in NGINX/Proxy setups. But I think if things can work without the RealIP module, it seems the better approach to me. |
This allows Nginx to support the TCP proxy protocol, this is useful if you still want to TLS terminate on the home-assistant host but you have another entrypoint for all your TLS connections (i.e. traefik is your entrypoint and you redirect from it to home-assistant based on the HTTPS domain being requested, this makes sure that any kind of network request to home-assistant remains encrypted).
What this allows is that home-assistant will know the true ip of the user making requests (making this change because I saw in the logs that there was a failed log-in but the ip pointed to my traefik instance).
Tested this by installing these changes as a local add-on on home-assistant.