IMMICH_TRUSTED_PROXIES has no effect #14886

Open
1 of 3 tasks
mmomjian opened this issue Dec 23, 2024 · 0 comments · May be fixed by #14888

@mmomjian
Contributor

The bug

We document IMMICH_TRUSTED_PROXIES in the docs. As far as I can tell this was added in #11286, with the main effect being

- app.set('trust proxy', ['loopback', 'linklocal', 'uniquelocal']);
+ app.set('trust proxy', ['loopback', 'linklocal', 'uniquelocal', ...trustedProxies]);
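
Review bot: the `+` line appends `...trustedProxies` to the hard-coded `'loopback', 'linklocal', 'uniquelocal'` presets instead of replacing them, so the setting can only widen the trusted set and never narrow it. A reverse proxy on a private address is already covered by `uniquelocal`, so configuring an unrelated address changes nothing observable. If the variable is meant to restrict which peers may supply forwarding headers, use the configured list in place of the presets when it is non-empty, and document which defaults remain in force.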

However, I don't think that this does anything.

Testing:

  • added IMMICH_TRUSTED_PROXIES as a random IP (not in my subnet)
  • restart Immich
  • Immich works fine through my reverse proxy, even login attempts are logged with the X-Forwarded-Host IP, not the internal container IP

For now, I will PR to remove this feature from our docs. Long term, we should enforce only accepting headers from an IP that is actually whitelisted as a trusted proxy.

The OS that Immich Server is running on

Debian

Version of Immich Server

1.123.0

Version of Immich Mobile App

1.123.0

Platform with the issue

  • Server
  • Web
  • Mobile

Your docker-compose.yml content

N/A

Your .env content

N/A

Reproduction steps

as above

Relevant log output

No response

Additional information

No response

@danieldietzler danieldietzler assigned jrasm91 and unassigned jrasm91 Dec 23, 2024
@danieldietzler danieldietzler linked a pull request Dec 23, 2024 that will close this issue
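
How the trust list from the diff above is evaluated, as an added example (not Immich's or Express's code): a dependency-free, IPv4-only re-implementation of the right-to-left X-Forwarded-For walk that Express applies for a `trust proxy` list. The function names and all addresses are constructed for illustration; the preset ranges are the IPv4 parts of Express's `loopback`, `linklocal` and `uniquelocal` presets.

```javascript
// Added illustration, IPv4 only: the right-to-left X-Forwarded-For walk
// that Express applies when `trust proxy` is a list of presets and addresses.
const PRESETS = {
  loopback: ['127.0.0.0/8'],
  linklocal: ['169.254.0.0/16'],
  uniquelocal: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'],
};
const DEFAULTS = ['loopback', 'linklocal', 'uniquelocal'];

// Dotted quad -> unsigned 32-bit integer.
const toInt = (ip) => ip.split('.').reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);

function inCidr(ip, cidr) {
  const [base, bits = '32'] = cidr.split('/'); // a bare address means /32
  const len = Number(bits);
  const mask = len === 0 ? 0 : (~0 << (32 - len)) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(base) & mask) >>> 0);
}

// Expand preset names to CIDRs, then test membership.
function isTrusted(ip, trustList) {
  return trustList.flatMap((e) => PRESETS[e] ?? [e]).some((c) => inCidr(ip, c));
}

// socketAddr: TCP peer address; xff: raw X-Forwarded-For header value.
function clientIp(socketAddr, xff, trustList) {
  const chain = xff ? xff.split(',').map((s) => s.trim()).filter(Boolean) : [];
  const hops = [...chain, socketAddr]; // leftmost = claimed client, rightmost = peer
  for (let i = hops.length - 1; i > 0; i--) {
    // The first untrusted hop, walking from the peer, is the client address.
    if (!isTrusted(hops[i], trustList)) return hops[i];
  }
  return hops[0]; // every hop to the right was trusted
}

// Constructed scenario: reverse proxy at 172.18.0.2, real client 203.0.113.7,
// and 198.51.100.9 as the unrelated address put into the trusted-proxies setting.
function scenarios() {
  const proxy = '172.18.0.2', xff = '203.0.113.7';
  return {
    defaultsOnly: clientIp(proxy, xff, DEFAULTS),
    withUnrelatedEntry: clientIp(proxy, xff, [...DEFAULTS, '198.51.100.9']),
    explicitListOnly: clientIp(proxy, xff, ['198.51.100.9']),
    proxyListedExplicitly: clientIp(proxy, xff, ['172.18.0.2']),
  };
}
console.log(scenarios());
```

The first two results are identical, which matches the test in the report; only when the list replaces the presets (third result) is the header from an unlisted peer ignored.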