Client IP wrong when reverse proxied with NAT reflection from LAN


Go to solution Solved by Luke,

ksarnelli
Posted

OK - this is a weird one. 

  • I have Emby server running in docker on Unraid in bridged mode.
  • I use Nginx Proxy Manager (also running in docker on Unraid) and configured a FQDN (let's call it emby.blah.com) to forward to Emby server.
  • I use pfSense as a router/firewall and have a NAT set up forwarding to Nginx Proxy Manager.  I have NAT reflection enabled so that I can also use emby.blah.com from inside my network.
  • My local network is 10.1.0.0/24

Now here's the issue.  When I connect to emby.blah.com from outside my network Emby server correctly detects the external client IP address.  When I connect to emby.blah.com from inside my network, it's showing the docker gateway IP (172.17.0.1) - now I know it won't show the real client IP since it is reflected but I would expect it to show the pfSense internal IP (10.1.0.1).  Because of this my local (reflected) connections are being treated as remote connections.

I'm not sure if there is a way to check client HTTP headers in any Emby logs, but I set up an Nginx container and forwarded everything through pfSense and Nginx Proxy Manager exactly how I did for Emby.  I made a test endpoint and checked the headers:

  • External:
    • Remote address (not a header): 172.17.0.1
    • X-Forwarded-For header: <redacted_public_ip>
    • X-Real-IP header: <redacted_public_ip>
  • Internal
    • Remote address (not a header): 172.17.0.1
    • X-Forwarded-For header: 10.1.0.1
    • X-Real-IP header: 10.1.0.1

All of the headers are present and correct, so why is Emby ignoring the X-Forwarded-For and X-Real-IP headers for the internal connections?  I run a ton of other containers and Emby is the only one exhibiting this behavior.

Thanks in advance!

  • Solution
Posted

Hi, the server ignores the headers that point to local network addresses, so this is likely the reason why.

If you install the 4.8 beta server, it has added a new configuration option so that you can control it.

  • Like 1
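
The behaviour described in this answer, modelled as an added example that is not part of the thread and is not Emby's code: forwarded headers are honoured only from a trusted proxy, and a forwarded address in a private range is discarded unless a switch allows it. The names `resolve_client_ip`, `is_local`, `classify` and `ignore_private_forwarded` are hypothetical, and 203.0.113.7 is a constructed stand-in for the redacted public IP.

```python
import ipaddress

# Values taken from the post; everything else here is a hypothetical model.
TRUSTED_PROXIES = {ipaddress.ip_address("172.17.0.1")}   # Docker bridge gateway
LOCAL_NETS = [ipaddress.ip_network("10.1.0.0/24")]       # the poster's LAN
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve_client_ip(remote_addr, headers, ignore_private_forwarded=True):
    """Pick the address to treat as the client (hypothetical helper)."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return peer                      # header sent by an unknown peer: spoofable
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):   # right-most hop is the newest
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            return peer                  # malformed header: fall back to the socket
        if candidate in TRUSTED_PROXIES:
            continue                     # skip our own proxy, keep walking left
        if ignore_private_forwarded and any(candidate in n for n in RFC1918):
            return peer                  # the behaviour described in the answer
        return candidate
    return peer

def is_local(ip):
    """True when the resolved address falls inside the configured LAN."""
    return any(ip in net for net in LOCAL_NETS)

def classify(remote_addr, xff, ignore_private_forwarded=True):
    ip = resolve_client_ip(remote_addr, {"X-Forwarded-For": xff},
                           ignore_private_forwarded)
    return str(ip), "local" if is_local(ip) else "remote"

if __name__ == "__main__":
    # Constructed requests: 203.0.113.7 stands in for the redacted public IP.
    print(classify("172.17.0.1", "203.0.113.7"))
    print(classify("172.17.0.1", "10.1.0.1"))
    print(classify("172.17.0.1", "10.1.0.1", ignore_private_forwarded=False))
    print(classify("198.51.100.9", "10.1.0.5"))
```

With the switch off, the reflected LAN request resolves to 10.1.0.1 and is classed as local, while a header arriving from a peer outside the trusted proxy set is still ignored.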
ksarnelli
Posted
8 minutes ago, Luke said:

Hi, the server ignores the headers that point to local network addresses, so this is likely the reason why.

If you install the 4.8 beta server, it has added a new configuration option so that you can control it.

Thanks for the quick reply!  I installed the beta and found the option - works as expected now. 😁

  • Thanks 1
