🐛 Bug Report: Audit logs lost public ip behind CF #369

Closed
opened 2025-10-09 16:42:16 +03:00 by OVERLORD · 7 comments

Originally created by @eboman on GitHub.

### Reproduction steps

When I log in to pocketID from outside of my network I have lost the public IP addresses. This seems to have started after the 20th of Jan.

### Expected behavior

I should see public IPs using the X-Forwarded headers.

### Actual Behavior

Audit logs only show local IPs of my Cloudflare endpoint.

### Version and Environment

Trust proxy is set to true. I have automatic updates set in Portainer so I follow the latest updates.

### Log Output

Do I need to run any debugs, or can I review specific logs in Docker to verify?

OVERLORD added the bug label 2025-10-09 16:42:16 +03:00

@eboman commented on GitHub:

Logs as seen when authenticating with my phone from a remote location:

```
[GIN] 2025/02/09 - 14:32:44 | 200 | 164.843238ms | 192.168.2.200 | GET "/api/webauthn/login/start"
[GIN] 2025/02/09 - 14:32:44 | 200 | 164.973532ms | 192.168.2.200 | GET "/api/webauthn/login/start"
[GIN] 2025/02/09 - 14:32:49 | 200 | 136.2094ms | 192.168.2.200 | POST "/api/webauthn/login/finish"
[GIN] 2025/02/09 - 14:32:49 | 200 | 136.249959ms | 192.168.2.200 | POST "/api/webauthn/login/finish"
```


@eboman commented on GitHub:

.env:

```
PUBLIC_APP_URL=https://oidc.xxxx
PORT=3014
TRUST_PROXY=TRUE
MAXMIND_LICENSE_KEY=
#CADDY_PORT=8080
PUID=0
PGID=0
```


@kmendell commented on GitHub:

@eboman I've been trying to replicate this but I can't. My Cloudflare tunnel shows the public IPs when I try. Can you attach your docker compose file, and any logs from when you try to connect from that public IP / when the issue happens?


@eboman commented on GitHub:

Compose:

```
services:
  pocket-id:
    image: stonith404/pocket-id # or ghcr.io/stonith404/pocket-id
    restart: unless-stopped
    env_file: .env
    ports:
      - 3014:80
    volumes:
      - /volume1/docker/pocketid:/app/backend/data
    # Optional healthcheck
    healthcheck:
      test: "curl -f http://localhost/health"
      interval: 1m30s
      timeout: 5s
      retries: 2
      start_period: 10s
```


@stonith404 commented on GitHub:

Can you try to set `TRUST_PROXY` to `true` instead of `TRUE`?


@eboman commented on GitHub:

> Can you try to set `TRUST_PROXY` to `true` instead of `TRUE`?

Let me try that. In the meantime I was able to make a tcpdump with the headers, to validate that traffic is coming from CF and has proper headers. It is the last header seen, so maybe it becomes too big?

```
350: HTTP, length: 1350
GET /settings/account HTTP/1.1
Host: <removed>
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/133.0.6943.33 Mobile/15E148 Safari/604.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, br
Accept-Language: nl-NL,nl;q=0.9
Cdn-Loop: cloudflare; loops=1
Cf-Connecting-Ip: 185.158.125.xxx
Cf-Ipcountry: ES
Cf-Ray: 90f4b22ae937af9b-MAD
Cf-Visitor: {"scheme":"https"}
Cf-Warp-Tag-Id: 8a12961d-cd9f-42d7-88d5-37ecaab12e6d
Connection: keep-alive
Cookie: __Host-access_token=<removed>
Priority: u=0, i
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
X-Forwarded-For: 185.158.125.xx
X-Forwarded-Proto: https
```
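The two things this thread turns on, how the `TRUST_PROXY` value is read and whether the forwarding headers in a capture like the one above are being honoured, can be checked outside the application. The following Go program is an added example and is not pocket-id's code or the maintainers' code; it assumes the tunnel connector lives in 192.168.2.0/24 (where the 192.168.2.200 peer in the GIN lines is), uses a constructed request with the documentation address 203.0.113.7 in place of the redacted client IP, and the `TrustProxyStrict` parser is a hypothetical exact-match reading of the flag that reproduces the symptom on this page (uppercase `TRUE` leaving proxy trust off), not a claim about how the project parses it.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"strconv"
	"strings"
)

// Assumed for this example: the cloudflared connector in front of the app sits in
// 192.168.2.0/24, the network the 192.168.2.200 peer in the GIN log lines is on.
var trustedProxies = mustCIDRs("192.168.2.0/24", "127.0.0.0/8")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func isTrustedProxy(ip net.IP) bool {
	for _, n := range trustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// TrustProxyStrict is a hypothetical exact-match reading of TRUST_PROXY: only the
// lowercase literal "true" enables header trust, so "TRUE" silently disables it.
func TrustProxyStrict(raw string) bool { return raw == "true" }

// TrustProxyLenient uses strconv.ParseBool, which accepts 1, t, T, TRUE, true, True.
func TrustProxyLenient(raw string) bool {
	b, err := strconv.ParseBool(strings.TrimSpace(raw))
	return err == nil && b
}

// ClientIP picks the address an audit log should record. With trustProxy off, or
// when the TCP peer is not one of our proxies, the peer wins and X-Forwarded-For is
// ignored (a client reaching us directly can write anything into it). Otherwise the
// header is walked from the right, skipping our own proxies; the first address
// that is not ours is the client.
func ClientIP(remoteAddr string, hdr http.Header, trustProxy bool) string {
	peerHost, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		peerHost = remoteAddr // already a bare IP without a port
	}
	peer := net.ParseIP(peerHost)
	if !trustProxy || peer == nil || !isTrustedProxy(peer) {
		return peerHost
	}
	hops := strings.Split(hdr.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		candidate := net.ParseIP(strings.TrimSpace(hops[i]))
		if candidate == nil {
			return peerHost // empty or malformed header: log the peer, not garbage
		}
		if !isTrustedProxy(candidate) {
			return candidate.String()
		}
	}
	return peerHost // every hop was one of ours
}

// ParseRequest parses a captured HTTP/1.1 request (like the tcpdump excerpt above)
// with the server's own parser; the text must end with the header-closing blank line.
func ParseRequest(raw string) (*http.Request, error) {
	return http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
}

// CloudflareConsistent checks that the address we would log matches Cf-Connecting-Ip.
// Cloudflare appends the connecting address to X-Forwarded-For, so the two should agree.
func CloudflareConsistent(remoteAddr string, hdr http.Header) bool {
	cf := net.ParseIP(strings.TrimSpace(hdr.Get("Cf-Connecting-Ip")))
	return cf != nil && cf.String() == ClientIP(remoteAddr, hdr, true)
}

// Constructed sample modelled on the capture in the thread; 203.0.113.7 is a
// documentation-range address standing in for the redacted client IP.
const sampleRequest = "GET /settings/account HTTP/1.1\r\n" +
	"Host: oidc.example.invalid\r\nCdn-Loop: cloudflare; loops=1\r\n" +
	"Cf-Connecting-Ip: 203.0.113.7\r\nCf-Ipcountry: ES\r\n" +
	"X-Forwarded-For: 203.0.113.7\r\nX-Forwarded-Proto: https\r\n\r\n"

func main() {
	req, err := ParseRequest(sampleRequest)
	if err != nil {
		panic(err)
	}
	peer := "192.168.2.200:51234" // the connector's address, as in the GIN log
	fmt.Println("TRUST_PROXY=TRUE strict :", ClientIP(peer, req.Header, TrustProxyStrict("TRUE")))
	fmt.Println("TRUST_PROXY=TRUE lenient:", ClientIP(peer, req.Header, TrustProxyLenient("TRUE")))
	fmt.Println("Cf-Connecting-Ip agrees :", CloudflareConsistent(peer, req.Header))
	fmt.Println("forged XFF from 198.51.100.9 ->", ClientIP("198.51.100.9:4444", http.Header{"X-Forwarded-For": {"203.0.113.7"}}, true))
}
```

With the strict reading the first line prints `192.168.2.200`, which is exactly what the audit log in this issue showed; with the lenient reading, or with the value spelled `true`, it prints the client address. The last line is why a trust-proxy switch exists at all: when the peer is not a known proxy the forwarded header is ignored, so a client cannot pick the address that ends up in the audit log. In a real deployment `trustedProxies` should be the connector's or reverse proxy's addresses only, not a blanket trust of every peer.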


@eboman commented on GitHub:

> Can you try to set `TRUST_PROXY` to `true` instead of `TRUE`?

This seems to actually fix it, and stupid me, I even made a change myself in my environment by doing some rollback, it seems.
😠


Reference: starred/pocket-id-pocket-id-2#369