X-Forwarded-For is parsed incorrectly / incompletely #29868

Closed
mback2k opened this issue Dec 12, 2019 · 9 comments · Fixed by #38696

Comments

@mback2k
Contributor

mback2k commented Dec 12, 2019

Home Assistant release with the issue:
Home Assistant 0.103.0

Last working Home Assistant release (if known):
none

Operating environment (Hass.io/Docker/Windows/etc.):
Docker

Integration:
https://www.home-assistant.io/integrations/http

Description of problem:
As previously described in #25963 and #26193, at the moment the right-most value from X-Forwarded-For is used instead of the left-most value.

I understand that there is a trust issue with values on the left, but a solution could be to strip trusted_proxies from the right and then use the first non-trusted_proxies value as the client IP instead. This would allow us to get the IP of the client before the first trusted proxy.

Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.8.0.0/16
    - 10.0.0.1

Additional information:
10.0.0.1 is my external proxy (reachable from the internet) and 10.8.0.0/16 is the internal network of traefik loadbalancers between the external proxy and Home Assistant. An example request header would look like this:

X-Forwarded-For: my-client-ip, 10.0.0.1

Since 10.0.0.1 is a trusted proxy, we could use my-client-ip instead of 10.0.0.1 as the client IP.

I would be willing to implement this if a PR for this would be accepted.
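
Added example (not part of the original issue and not Home Assistant's own code): a sketch of the right-to-left stripping proposed above, using the trusted_proxies values from the configuration in this issue. The helper names `is_trusted` and `resolve_client_ip`, the fallback to the left-most entry when every hop is trusted, and the sample client addresses in the comments (documentation ranges) are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Same values as trusted_proxies in the configuration.yaml above.
TRUSTED_PROXIES = [ip_network(n) for n in ("10.8.0.0/16", "10.0.0.1")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in trusted)


def resolve_client_ip(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to treat as the client (hypothetical helper).

    peer: address of the TCP connection that reached the application.
    xff_header: raw X-Forwarded-For value, or None if the header is absent.
    """
    peer_addr = ip_address(peer)
    # A header sent by an untrusted peer is fully client-controlled: ignore it.
    if xff_header is None or not is_trusted(peer_addr, trusted):
        return peer_addr
    # Fail closed on malformed entries: ip_address() raises ValueError.
    hops = [ip_address(part.strip()) for part in xff_header.split(",")]
    # Walk right to left. The first hop that is not one of our proxies was
    # recorded by a trusted proxy, so the client could not have forged it.
    # Anything further left was supplied by the client and is never used.
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return hop
    # Every hop is trusted (internal request). Assumption: use the left-most.
    return hops[0]


if __name__ == "__main__":
    # Constructed sample: a client at 203.0.113.7 prepends a forged entry,
    # the external proxy 10.0.0.1 appends what it saw, traefik connects.
    print(resolve_client_ip("10.8.0.5", "192.0.2.99, 203.0.113.7, 10.0.0.1"))
```

With ip_ban_enabled, this selection means a ban lands on the address the first trusted proxy observed, not on the proxy itself and not on a value the client typed into the header.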

@mback2k
Contributor Author

mback2k commented Dec 12, 2019

The background for my issue is that I want to make use of ip_ban_enabled, but cannot do so with the current implementation as my external proxy instead of the actual client IPs would be blocked and prohibited from accessing Home Assistant.

@andriej
Contributor

andriej commented Dec 12, 2019

I had the same issue with Cloudflare, but it's possible to handle the header on, e.g., an nginx proxy. So now I again see the client's IP, not the Cloudflare proxy.

@probot-home-assistant

Hey there @home-assistant/core, mind taking a look at this issue as it's been labeled with an integration (http) you are listed as a codeowner for? Thanks!

@mback2k
Contributor Author

mback2k commented Dec 12, 2019

@andriej Unfortunately this is not a solution for me, because a) traefik does not allow a dynamic overwrite of the X-Forwarded-For header and b) I need to keep the X-Forwarded-For header intact for internal requests not coming in via the external proxy.

@stale

stale bot commented Mar 11, 2020

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates.
Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍
This issue now has been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Mar 11, 2020
@mback2k
Contributor Author

mback2k commented Mar 11, 2020

This issue is not stale as the problem is still present.

@stale stale bot removed the stale label Mar 11, 2020
@finish06
Contributor

I am experiencing the same situation in a similar environment. Home-Assistant is grabbing my external proxy (Nginx) which then routes through Traefik load balancer.

@finish06 finish06 mentioned this issue Apr 29, 2020
17 tasks
@pschmitt
Contributor

Same issue here with a similar setup (traefik 2.2).

@mback2k
Contributor Author

mback2k commented Aug 12, 2020

🎉 Thank you very much!
