🐛 Bug Report: Audit log always display my Nginx Proxy Manager's IP #284

New Issue

Closed

opened 2025-10-09 16:37:00 +03:00 by OVERLORD · 28 comments

OVERLORD commented 2025-10-09 16:37:00 +03:00

Owner

Copy Link

Originally created by @LucasJanin on GitHub.

Reproduction steps

My Pocket-id is installed on an LXC on my Proxmox using Proxmox VE Helper Scripts

sudo bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/pocketid.sh)"

I added to my /opt/pocket-id/backend/.env

TRUST_PROXY=true
CADDY_DISABLED=true

Set up Nginx Proxy Manager to pocket-id with this Custom Nginx Configuration

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;

However, the IPs shown in the Audit Log are always the Nginx Proxy Manager's IP.

To ensure my Nginx Proxy Manager is set up correctly, I use this Docker:

sudo docker run -d --name httpbin -p 3000:80 kennethreitz/httpbin
http://localhost:3000/headers

Setup a new host in Nginx Proxy Manager with that same Custom Nginx Configuration

curl -H "X-Forwarded-For: 192.168.1.99" https://ip-echo.xxx.xx

{
  "path": "/",
  "headers": {
    "host": "ip-echo.xxx.xx",
    "x-forwarded-scheme": "https",
    "x-forwarded-proto": "https",
    "x-forwarded-for": "192.168.1.99, 192.168.1.30",
    "x-real-ip": "192.168.1.30",
    "user-agent": "curl/8.7.1",
    "accept": "*/*"
  },
  "method": "GET",
  "body": "",
  "fresh": false,
  "hostname": "ip-echo.xxx.xx",
  "ip": "192.168.1.99",
  "ips": [
    "192.168.1.99",
    "192.168.1.30"
  ],
  "protocol": "https",
  "query": {},
  "subdomains": [
    "ip-echo"
  ],
  "xhr": false,
  "os": {
    "hostname": "16727cfaf0b3"
  },
  "connection": {}
}

From my understanding, the Nginx Proxy Manager behaves as expected.

Expected behavior

Display the IP of the client

Actual Behavior

Display the reverse proxy IP (Nginx Proxy Manager)

Version and Environment

v0.43.1

Log Output

Mar 23 18:23:43 pocketid systemd[1]: Started pocketid-backend.service - Pocket ID Backend.
Mar 23 18:23:43 pocketid pocket-id-backend[151]: 2025/03/23 18:23:43 GeoLite2 City database is up-to-date.
Mar 23 18:24:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:24:31 | 401 |      42.852µs |             ::1 | GET      "/api/users/me"
Mar 23 18:24:31 pocketid pocket-id-backend[151]: Error #01: You are not signed in
Mar 23 18:24:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:24:31 | 401 |       68.36µs |             ::1 | GET      "/api/users/me"
Mar 23 18:24:31 pocketid pocket-id-backend[151]: Error #01: You are not signed in
Mar 23 18:24:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:24:31 | 200 |     561.567µs |             ::1 | GET      "/api/application-configuration"
Mar 23 18:24:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:24:31 | 200 |      594.29µs |             ::1 | GET      "/api/application-configuration"
Mar 23 18:25:25 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:25 | 204 |     972.685µs |   192.168.1.130 | POST     "/api/webauthn/logout"
Mar 23 18:25:25 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:25 | 204 |     1.00144ms |   192.168.1.130 | POST     "/api/webauthn/logout"
Mar 23 18:25:25 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:25 | 401 |        68.7µs |             ::1 | GET      "/api/users/me"
Mar 23 18:25:25 pocketid pocket-id-backend[151]: Error #01: You are not signed in
Mar 23 18:25:25 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:25 | 401 |      96.815µs |             ::1 | GET      "/api/users/me"
Mar 23 18:25:25 pocketid pocket-id-backend[151]: Error #01: You are not signed in
Mar 23 18:25:25 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:25 | 200 |     210.698µs |             ::1 | GET      "/api/application-configuration"
Mar 23 18:25:25 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:25 | 200 |     223.225µs |             ::1 | GET      "/api/application-configuration"
Mar 23 18:25:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:31 | 200 |   17.786662ms |   192.168.1.130 | GET      "/api/webauthn/login/start"
Mar 23 18:25:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:31 | 200 |     17.9478ms |   192.168.1.130 | GET      "/api/webauthn/login/start"
Mar 23 18:25:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:31 | 401 |      73.103µs |             ::1 | GET      "/api/users/me"
Mar 23 18:25:31 pocketid pocket-id-backend[151]: Error #01: You are not signed in
Mar 23 18:25:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:31 | 401 |     135.421µs |             ::1 | GET      "/api/users/me"
Mar 23 18:25:31 pocketid pocket-id-backend[151]: Error #01: You are not signed in
Mar 23 18:25:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:31 | 200 |     303.105µs |             ::1 | GET      "/api/application-configuration"
Mar 23 18:25:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:31 | 200 |     323.395µs |             ::1 | GET      "/api/application-configuration"
Mar 23 18:25:41 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:41 | 200 |   26.723808ms |   192.168.1.130 | POST     "/api/webauthn/login/finish"
Mar 23 18:25:41 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:41 | 200 |   26.750483ms |   192.168.1.130 | POST     "/api/webauthn/login/finish"

Mar 23 18:23:43 pocketid node[152]: Listening on http://0.0.0.0:3000
Mar 23 18:23:43 pocketid systemd[1]: Started pocketid-frontend.service - Pocket ID Frontend.
-- Boot 1df66e57b6374cefa0fb970bb25184b7 --
Mar 23 18:22:42 pocketid systemd[1]: pocketid-frontend.service: Consumed 1.594s CPU time.
Mar 23 18:22:42 pocketid systemd[1]: Stopped pocketid-frontend.service - Pocket ID Frontend.
Mar 23 18:22:42 pocketid systemd[1]: pocketid-frontend.service: Deactivated successfully.
Mar 23 18:22:42 pocketid systemd[1]: Stopping pocketid-frontend.service - Pocket ID Frontend...

Originally created by @LucasJanin on GitHub. ### Reproduction steps My Pocket-id is installed on an LXC on my Proxmox using Proxmox VE Helper Scripts ``` sudo bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/pocketid.sh)" ``` I added to my `/opt/pocket-id/backend/.env` ``` TRUST_PROXY=true CADDY_DISABLED=true ``` Set up Nginx Proxy Manager to pocket-id with this Custom Nginx Configuration ``` proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; ``` However, the IPs shown in the Audit Log are always the Nginx Proxy Manager's IP. <img width="1224" alt="Image" src="https://github.com/user-attachments/assets/0619b8a6-26c6-4b50-b067-7e8627784a4b" /> To ensure my Nginx Proxy Manager is set up correctly, I use this Docker: ``` sudo docker run -d --name httpbin -p 3000:80 kennethreitz/httpbin http://localhost:3000/headers ``` Setup a new host in Nginx Proxy Manager with that same Custom Nginx Configuration ``` curl -H "X-Forwarded-For: 192.168.1.99" https://ip-echo.xxx.xx ``` ``` { "path": "/", "headers": { "host": "ip-echo.xxx.xx", "x-forwarded-scheme": "https", "x-forwarded-proto": "https", "x-forwarded-for": "192.168.1.99, 192.168.1.30", "x-real-ip": "192.168.1.30", "user-agent": "curl/8.7.1", "accept": "*/*" }, "method": "GET", "body": "", "fresh": false, "hostname": "ip-echo.xxx.xx", "ip": "192.168.1.99", "ips": [ "192.168.1.99", "192.168.1.30" ], "protocol": "https", "query": {}, "subdomains": [ "ip-echo" ], "xhr": false, "os": { "hostname": "16727cfaf0b3" }, "connection": {} } ``` From my understanding, the Nginx Proxy Manager behaves as expected. ### Expected behavior Display the IP of the client ### Actual Behavior Display the reverse proxy IP (Nginx Proxy Manager) ### Version and Environment v0.43.1 ### Log Output ``` Mar 23 18:23:43 pocketid systemd[1]: Started pocketid-backend.service - Pocket ID Backend. Mar 23 18:23:43 pocketid pocket-id-backend[151]: 2025/03/23 18:23:43 GeoLite2 City database is up-to-date. Mar 23 18:24:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:24:31 | 401 | 42.852µs | ::1 | GET "/api/users/me" Mar 23 18:24:31 pocketid pocket-id-backend[151]: Error #01: You are not signed in Mar 23 18:24:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:24:31 | 401 | 68.36µs | ::1 | GET "/api/users/me" Mar 23 18:24:31 pocketid pocket-id-backend[151]: Error #01: You are not signed in Mar 23 18:24:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:24:31 | 200 | 561.567µs | ::1 | GET "/api/application-configuration" Mar 23 18:24:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:24:31 | 200 | 594.29µs | ::1 | GET "/api/application-configuration" Mar 23 18:25:25 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:25 | 204 | 972.685µs | 192.168.1.130 | POST "/api/webauthn/logout" Mar 23 18:25:25 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:25 | 204 | 1.00144ms | 192.168.1.130 | POST "/api/webauthn/logout" Mar 23 18:25:25 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:25 | 401 | 68.7µs | ::1 | GET "/api/users/me" Mar 23 18:25:25 pocketid pocket-id-backend[151]: Error #01: You are not signed in Mar 23 18:25:25 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:25 | 401 | 96.815µs | ::1 | GET "/api/users/me" Mar 23 18:25:25 pocketid pocket-id-backend[151]: Error #01: You are not signed in Mar 23 18:25:25 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:25 | 200 | 210.698µs | ::1 | GET "/api/application-configuration" Mar 23 18:25:25 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:25 | 200 | 223.225µs | ::1 | GET "/api/application-configuration" Mar 23 18:25:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:31 | 200 | 17.786662ms | 192.168.1.130 | GET "/api/webauthn/login/start" Mar 23 18:25:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:31 | 200 | 17.9478ms | 192.168.1.130 | GET "/api/webauthn/login/start" Mar 23 18:25:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:31 | 401 | 73.103µs | ::1 | GET "/api/users/me" Mar 23 18:25:31 pocketid pocket-id-backend[151]: Error #01: You are not signed in Mar 23 18:25:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:31 | 401 | 135.421µs | ::1 | GET "/api/users/me" Mar 23 18:25:31 pocketid pocket-id-backend[151]: Error #01: You are not signed in Mar 23 18:25:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:31 | 200 | 303.105µs | ::1 | GET "/api/application-configuration" Mar 23 18:25:31 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:31 | 200 | 323.395µs | ::1 | GET "/api/application-configuration" Mar 23 18:25:41 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:41 | 200 | 26.723808ms | 192.168.1.130 | POST "/api/webauthn/login/finish" Mar 23 18:25:41 pocketid pocket-id-backend[151]: [GIN] 2025/03/23 - 18:25:41 | 200 | 26.750483ms | 192.168.1.130 | POST "/api/webauthn/login/finish" ``` ``` Mar 23 18:23:43 pocketid node[152]: Listening on http://0.0.0.0:3000 Mar 23 18:23:43 pocketid systemd[1]: Started pocketid-frontend.service - Pocket ID Frontend. -- Boot 1df66e57b6374cefa0fb970bb25184b7 -- Mar 23 18:22:42 pocketid systemd[1]: pocketid-frontend.service: Consumed 1.594s CPU time. Mar 23 18:22:42 pocketid systemd[1]: Stopped pocketid-frontend.service - Pocket ID Frontend. Mar 23 18:22:42 pocketid systemd[1]: pocketid-frontend.service: Deactivated successfully. Mar 23 18:22:42 pocketid systemd[1]: Stopping pocketid-frontend.service - Pocket ID Frontend... ```

OVERLORD added the bug label 2025-10-09 16:37:00 +03:00

OVERLORD closed this issue 2025-10-09 16:37:01 +03:00

OVERLORD commented 2025-10-09 16:37:03 +03:00

Author

Owner

Copy Link

@kmendell commented on GitHub:

Is the proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; under the location / section?

Edit: Disregard i see it is. Ill see if i can figure this out.

@kmendell commented on GitHub: Is the `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` under the location / section? Edit: Disregard i see it is. Ill see if i can figure this out.

OVERLORD commented 2025-10-09 16:37:04 +03:00

Author

Owner

Copy Link

@kmendell commented on GitHub:

I dont see anywhere that this is being handled in the code, so this is most likley a Reverse proxy config issue. The TRUST_PROXY wont do anything since your disabling caddy so you can remove that. Id be curious to see if you used caddy instead of just nginx if it would show the correct ones, but my guess is nginx is just not forwarding those headers correctly somehow.

@kmendell commented on GitHub: I dont see anywhere that this is being handled in the code, so this is most likley a Reverse proxy config issue. The `TRUST_PROXY` wont do anything since your disabling caddy so you can remove that. Id be curious to see if you used caddy instead of just nginx if it would show the correct ones, but my guess is nginx is just not forwarding those headers correctly somehow.

OVERLORD commented 2025-10-09 16:37:05 +03:00

Author

Owner

Copy Link

@LucasJanin commented on GitHub:

I dont see anywhere that this is being handled in the code, so this is most likley a Reverse proxy config issue.

To double-check, in Nginx Proxy Manager, I just changed the IP and port of my pocketed configuration to point to the kennethreitz/httpbin container.

curl https://pocketid.xxx.xx/ip
{
  "origin": "192.168.1.30"
}

curl https://pocketid.xxx.xx/headers
{
  "headers": {
    "Accept": "*/*", 
    "Host": "pocketid.xxx.xx", 
    "User-Agent": "curl/8.7.1", 
    "X-Forwarded-Scheme": "https"
  }
}

I don't know if this means is working or not.

The TRUST_PROXY wont do anything since your disabling caddy so you can remove that.

Done. The issue is still present.

Id be curious to see if you used caddy instead of just nginx if it would show the correct ones, but my guess is nginx is just not forwarding those headers correctly somehow.

Thanks, I will give this a try.

@LucasJanin commented on GitHub: > I dont see anywhere that this is being handled in the code, so this is most likley a Reverse proxy config issue. To double-check, in Nginx Proxy Manager, I just changed the IP and port of my pocketed configuration to point to the kennethreitz/httpbin container. ``` curl https://pocketid.xxx.xx/ip { "origin": "192.168.1.30" } curl https://pocketid.xxx.xx/headers { "headers": { "Accept": "*/*", "Host": "pocketid.xxx.xx", "User-Agent": "curl/8.7.1", "X-Forwarded-Scheme": "https" } } ``` I don't know if this means is working or not. > The `TRUST_PROXY` wont do anything since your disabling caddy so you can remove that. Done. The issue is still present. > Id be curious to see if you used caddy instead of just nginx if it would show the correct ones, but my guess is nginx is just not forwarding those headers correctly somehow. Thanks, I will give this a try.

OVERLORD commented 2025-10-09 16:37:05 +03:00

Author

Owner

Copy Link

@savely-krasovsky commented on GitHub:

@LucasJanin are you using Docker/Podman for both Nginx and Pocket-ID? If yes, is it rootless or rootful?

@savely-krasovsky commented on GitHub: @LucasJanin are you using Docker/Podman for both Nginx and Pocket-ID? If yes, is it rootless or rootful?

OVERLORD commented 2025-10-09 16:37:06 +03:00

Author

Owner

Copy Link

@LucasJanin commented on GitHub:

Hi @kmendell
Thanks a lot!

@LucasJanin commented on GitHub: Hi @kmendell Thanks a lot!

OVERLORD commented 2025-10-09 16:37:08 +03:00

Author

Owner

Copy Link

@savely-krasovsky commented on GitHub:

@LucasJanin as far as I am aware, LXC has the same problem as rootless Docker, it's not preserving source IP by default. I am not an LXC expert, so cannot know for sure, but it definitely googles: https://discuss.linuxcontainers.org/t/how-to-get-real-client-ip-when-using-lxd-to-forward-port-80/2079/4

@savely-krasovsky commented on GitHub: @LucasJanin as far as I am aware, LXC has the same problem as rootless Docker, it's not preserving source IP by default. I am not an LXC expert, so cannot know for sure, but it definitely googles: https://discuss.linuxcontainers.org/t/how-to-get-real-client-ip-when-using-lxd-to-forward-port-80/2079/4

OVERLORD commented 2025-10-09 16:37:08 +03:00

Author

Owner

Copy Link

@kmendell commented on GitHub:

i think this is a restriction of proxmox ve LXC containers it doesn't have the required kernel rights since it's shared with the host, i think something like the ipv4 forwarding sysctl parameter should work but it would have to be on the host not the LXC container. i'm just guessing on this i haven't tested to confirm

@kmendell commented on GitHub: i think this is a restriction of proxmox ve LXC containers it doesn't have the required kernel rights since it's shared with the host, i think something like the ipv4 forwarding sysctl parameter should work but it would have to be on the host not the LXC container. i'm just guessing on this i haven't tested to confirm

OVERLORD commented 2025-10-09 16:37:09 +03:00

Author

Owner

Copy Link

@DJKatastrof commented on GitHub:

Hey guys, I took this to the maintainer of NPMPlus.
Can you guys look into this thread and maybe work something out?
I

https://github.com/ZoeyVid/NPMplus/discussions/1708

@DJKatastrof commented on GitHub: Hey guys, I took this to the maintainer of NPMPlus. Can you guys look into this thread and maybe work something out? I https://github.com/ZoeyVid/NPMplus/discussions/1708

OVERLORD commented 2025-10-09 16:37:09 +03:00

Author

Owner

Copy Link

@LucasJanin commented on GitHub:

@LucasJanin are you using Docker/Podman for both Nginx and Pocket-ID? If yes, is it rootless or rootful?

Pocket-ID and Nginx Proxy Manager are running in separate LXC containers on my Proxmox (no Docker/Podman)
I used the Promox VE Helper-Scripts to deploy them

bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/pocketid.sh)"
bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/nginxproxymanager.sh)"

@LucasJanin commented on GitHub: > [@LucasJanin](https://github.com/LucasJanin) are you using Docker/Podman for both Nginx and Pocket-ID? If yes, is it rootless or rootful? Pocket-ID and Nginx Proxy Manager are running in separate LXC containers on my Proxmox (no Docker/Podman) I used the Promox VE Helper-Scripts to deploy them ``` bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/pocketid.sh)" bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/nginxproxymanager.sh)" ```

OVERLORD commented 2025-10-09 16:37:10 +03:00

Author

Owner

Copy Link

@kmendell commented on GitHub:

Since this is most likley a issue with the LXC container, and this installation method is not officially support. Im closing this issue.

If you find a solution feel free to update this issue though :)

@kmendell commented on GitHub: Since this is most likley a issue with the LXC container, and this installation method is not officially support. Im closing this issue. If you find a solution feel free to update this issue though :)

OVERLORD commented 2025-10-09 16:37:11 +03:00

Author

Owner

Copy Link

@kmendell commented on GitHub:

Reopening this issue, as i do belive this is a issue with pocket-id after re-reviewing things.

@kmendell commented on GitHub: Reopening this issue, as i do belive this is a issue with pocket-id after re-reviewing things.

OVERLORD commented 2025-10-09 16:37:11 +03:00

Author

Owner

Copy Link

@kmendell commented on GitHub:

@yourfate @DJKatastrof Can you either of you try this image and see if its fixed? I apologize for the confusion. I do think i figured out a fix though, or at least started too: ghcr.io/kmendell/pocket-id:clientip

@kmendell commented on GitHub: @yourfate @DJKatastrof Can you either of you try this image and see if its fixed? I apologize for the confusion. I do think i figured out a fix though, or at least started too: `ghcr.io/kmendell/pocket-id:clientip`

OVERLORD commented 2025-10-09 16:37:12 +03:00

Author

Owner

Copy Link

@yourfate commented on GitHub:

@yourfate @DJKatastrof Can you either of you try this image and see if its fixed? I apologize for the confusion. I do think i figured out a fix though, or at least started too: ghcr.io/kmendell/pocket-id:clientip

Hey, I'll try this after the weekend, i'm having guests here at the moment. Thank you for looking into this!

@yourfate commented on GitHub: > [@yourfate](https://github.com/yourfate) [@DJKatastrof](https://github.com/DJKatastrof) Can you either of you try this image and see if its fixed? I apologize for the confusion. I do think i figured out a fix though, or at least started too: `ghcr.io/kmendell/pocket-id:clientip` Hey, I'll try this after the weekend, i'm having guests here at the moment. Thank you for looking into this!

OVERLORD commented 2025-10-09 16:37:12 +03:00

Author

Owner

Copy Link

@DJKatastrof commented on GitHub:

Hey, i just tried it but still getting my proxy IP.
Which steps did you take? Maybe I can reproduce what you did

@DJKatastrof commented on GitHub: Hey, i just tried it but still getting my proxy IP. Which steps did you take? Maybe I can reproduce what you did

OVERLORD commented 2025-10-09 16:37:13 +03:00

Author

Owner

Copy Link

@yourfate commented on GitHub:

i think this is a restriction of proxmox ve LXC containers it doesn't have the required kernel rights since it's shared with the host, i think something like the ipv4 forwarding sysctl parameter should work but it would have to be on the host not the LXC container. i'm just guessing on this i haven't tested to confirm

How should this be a limitation of LXC? All my other LXC services like immich, nextcloud, paperless, jellyfin can see the real IP of proxied requests just fine. This is 100% a pocket ID problem.

Immich doens't even officially support anything other than docker, yet it just works out of the box there.

@yourfate commented on GitHub: > i think this is a restriction of proxmox ve LXC containers it doesn't have the required kernel rights since it's shared with the host, i think something like the ipv4 forwarding sysctl parameter should work but it would have to be on the host not the LXC container. i'm just guessing on this i haven't tested to confirm How should this be a limitation of LXC? All my other LXC services like immich, nextcloud, paperless, jellyfin can see the real IP of proxied requests just fine. This is 100% a pocket ID problem. Immich doens't even officially support anything other than docker, yet it just works out of the box there.

OVERLORD commented 2025-10-09 16:37:13 +03:00

Author

Owner

Copy Link

@LucasJanin commented on GitHub:

Fantastic!
Unfortunately, I can't test it anymore; I moved to a bare-metal installation on a VM (without Cadd :-)
But I'm sure it will help many other users.
Thanks

@LucasJanin commented on GitHub: Fantastic! Unfortunately, I can't test it anymore; I moved to a bare-metal installation on a VM (without Cadd :-) But I'm sure it will help many other users. Thanks

OVERLORD commented 2025-10-09 16:37:14 +03:00

Author

Owner

Copy Link

@oliverl-21 commented on GitHub:

I have the LXC Setup with Traefik as Reverse Proxy and it works fine for me even in a Dual Stack Environment.

I used NPM in the past and had multiple times problems with the Forwarded-For header

@oliverl-21 commented on GitHub: I have the LXC Setup with Traefik as Reverse Proxy and it works fine for me even in a Dual Stack Environment. I used NPM in the past and had multiple times problems with the Forwarded-For header

OVERLORD commented 2025-10-09 16:37:14 +03:00

Author

Owner

Copy Link

@stonith404 commented on GitHub:

This issue should be fixed in v1.0.0 as Caddy has been removed from the Docker image.

@stonith404 commented on GitHub: This issue should be fixed in `v1.0.0` as Caddy has been removed from the Docker image.

OVERLORD commented 2025-10-09 16:37:14 +03:00

Author

Owner

Copy Link

@yourfate commented on GitHub:

@yourfate @DJKatastrof Can you either of you try this image and see if its fixed? I apologize for the confusion. I do think i figured out a fix though, or at least started too: ghcr.io/kmendell/pocket-id:clientip

I tested this version, and the issue still persists.

@yourfate commented on GitHub: > [@yourfate](https://github.com/yourfate) [@DJKatastrof](https://github.com/DJKatastrof) Can you either of you try this image and see if its fixed? I apologize for the confusion. I do think i figured out a fix though, or at least started too: `ghcr.io/kmendell/pocket-id:clientip` I tested this version, and the issue still persists.

OVERLORD commented 2025-10-09 16:37:16 +03:00

Author

Owner

Copy Link

@LucasJanin commented on GitHub:

I'm now using Caddy in LXC as a Reverse Proxy, and the problem is still present (Dual Stack Environment)

id.xxx.xxx {
	reverse_proxy 192.168.1.137:80 [xxxx:xxxx:xxxx:xxxx::137]:80 {
		header_up X-Real-IP {remote_host}
	}
}

@LucasJanin commented on GitHub: I'm now using Caddy in LXC as a Reverse Proxy, and the problem is still present (Dual Stack Environment) ``` id.xxx.xxx { reverse_proxy 192.168.1.137:80 [xxxx:xxxx:xxxx:xxxx::137]:80 { header_up X-Real-IP {remote_host} } } ```

OVERLORD commented 2025-10-09 16:37:17 +03:00

Author

Owner

Copy Link

@AIndoria commented on GitHub:

@DJKatastrof

server {
    listen 80;
    server_name id.xxx.xx;

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name id.xxx.xx;

    ssl_certificate /etc/letsencrypt/live/xxx.xxg/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.xx/privkey.pem;
    # PocketID specific header buffer sizes (from their docs)
    proxy_busy_buffers_size   512k;
    proxy_buffers   4 512k;
    proxy_buffer_size   256k;

    location / {
        proxy_pass http://10.1.1.215:1411; 

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_http_version 1.1;
    }

    # Access and error logs
    access_log /var/log/nginx/id.xxx.xx.access.log;
    error_log /var/log/nginx/id.xxx.xx.error.log;
}

@AIndoria commented on GitHub: @DJKatastrof ``` server { listen 80; server_name id.xxx.xx; location / { return 301 https://$host$request_uri; } } server { listen 443 ssl http2; server_name id.xxx.xx; ssl_certificate /etc/letsencrypt/live/xxx.xxg/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/xxx.xx/privkey.pem; # PocketID specific header buffer sizes (from their docs) proxy_busy_buffers_size 512k; proxy_buffers 4 512k; proxy_buffer_size 256k; location / { proxy_pass http://10.1.1.215:1411; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_http_version 1.1; } # Access and error logs access_log /var/log/nginx/id.xxx.xx.access.log; error_log /var/log/nginx/id.xxx.xx.error.log; } ```

OVERLORD commented 2025-10-09 16:37:18 +03:00

Author

Owner

Copy Link

@AIndoria commented on GitHub:

@AIndoria Im only getting "An unknown error occurred. Please try to sign in again.". Is that proxy pass working for you?

do you have any other configuration on pocket-id in nginx?

The proxy pass works fine for me. No other configuration besides a cert, proxy_busy_buffers_size and related, and http redirect to https (in another block).

@AIndoria commented on GitHub: > [@AIndoria](https://github.com/AIndoria) Im only getting "An unknown error occurred. Please try to sign in again.". Is that proxy pass working for you? > > do you have any other configuration on pocket-id in nginx? The proxy pass works fine for me. No other configuration besides a cert, proxy_busy_buffers_size and related, and http redirect to https (in another block).

OVERLORD commented 2025-10-09 16:37:19 +03:00

Author

Owner

Copy Link

@DJKatastrof commented on GitHub:

@AIndoria Im only getting "An unknown error occurred. Please try to sign in again.".
Is that proxy pass working for you?

do you have any other configuration on pocket-id in nginx?

@DJKatastrof commented on GitHub: @AIndoria Im only getting "An unknown error occurred. Please try to sign in again.". Is that proxy pass working for you? do you have any other configuration on pocket-id in nginx?

OVERLORD commented 2025-10-09 16:37:19 +03:00

Author

Owner

Copy Link

@AIndoria commented on GitHub:

Updated to 1.0 today. Unfortunately the issue seems to be still present. This is an internal wireguard IP

Domain -> VPS with nginx with wireguard -> (Internal wireguard routing to box with PocketID) -> PocketID

Configuration seems correct:

location / {
        proxy_pass http://10.1.1.215:1411; 

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header Upgrade $http_upgrade; 
        proxy_set_header Connection "Upgrade";   
        proxy_http_version 1.1;
    }

@AIndoria commented on GitHub:  Updated to 1.0 today. Unfortunately the issue seems to be still present. This is an internal wireguard IP `Domain -> VPS with nginx with wireguard -> (Internal wireguard routing to box with PocketID) -> PocketID` Configuration seems correct: ``` location / { proxy_pass http://10.1.1.215:1411; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_http_version 1.1; } ```

OVERLORD commented 2025-10-09 16:37:20 +03:00

Author

Owner

Copy Link

@DJKatastrof commented on GitHub:

Mind pasting what you are using? I can't get it to work porperly to test it

@DJKatastrof commented on GitHub: Mind pasting what you are using? I can't get it to work porperly to test it

OVERLORD commented 2025-10-09 16:37:21 +03:00

Author

Owner

Copy Link

@AIndoria commented on GitHub:

@DJKatastrof Really? With similar configuration as mine? wtf. I wonder why mine isn't working.

@AIndoria commented on GitHub: @DJKatastrof Really? With similar configuration as mine? wtf. I wonder why mine isn't working.

OVERLORD commented 2025-10-09 16:37:21 +03:00

Author

Owner

Copy Link

@DJKatastrof commented on GitHub:

@AIndoria all working here. Seeing different IP's

@savely-krasovsky , No I got everything working.
Im just trying to place pocket-id in front of my hosted Mealie.
A long shot 😅

@DJKatastrof commented on GitHub: @AIndoria all working here. Seeing different IP's @savely-krasovsky , No I got everything working. Im just trying to place pocket-id in front of my hosted Mealie. A long shot 😅

OVERLORD commented 2025-10-09 16:37:22 +03:00

Author

Owner

Copy Link

@savely-krasovsky commented on GitHub:

@DJKatastrof you probably need to set proper APP_URL environment. Otherwise WebAuthn will be broken.

@savely-krasovsky commented on GitHub: @DJKatastrof you probably need to set proper `APP_URL` environment. Otherwise WebAuthn will be broken.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/restrict-email-one-time-access

oidc-scopes

breaking/v2

i18n_crowdin

v2/use-item-component

default-env-db-keys

slog-gorm

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id-pocket-id-2#284