fix(gateway): trusted-proxy auth rejected when bind=loopback (#20097)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: 8de62f1a8f Co-authored-by: xinhuagu <562450+xinhuagu@users.noreply.github.com> Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky
2026-05-08 03:31:23 +00:00 · 2026-02-20 18:51:35 +01:00
parent 868fe48d58
commit 9c5249714d
5 changed files with 32 additions and 15 deletions
--- a/src/commands/configure.gateway.e2e.test.ts
+++ b/src/commands/configure.gateway.e2e.test.ts
@@ -127,7 +127,7 @@ describe("promptGatewayConfig", () => {
      requiredHeaders: ["x-forwarded-proto", "x-forwarded-host"],
      allowUsers: ["nick@example.com"],
    });
-    expect(result.config.gateway?.bind).toBe("lan");
+    expect(result.config.gateway?.bind).toBe("loopback");
    expect(result.config.gateway?.trustedProxies).toEqual(["10.0.1.10", "192.168.1.5"]);
  });

@@ -141,7 +141,7 @@ describe("promptGatewayConfig", () => {
      userHeader: "x-remote-user",
      // requiredHeaders and allowUsers should be undefined when empty
    });
-    expect(result.config.gateway?.bind).toBe("lan");
+    expect(result.config.gateway?.bind).toBe("loopback");
    expect(result.config.gateway?.trustedProxies).toEqual(["10.0.0.1"]);
  });

@@ -150,7 +150,7 @@ describe("promptGatewayConfig", () => {
      tailscaleMode: "serve",
      textQueue: ["18789", "x-forwarded-user", "", "", "10.0.0.1"],
    });
-    expect(result.config.gateway?.bind).toBe("lan");
+    expect(result.config.gateway?.bind).toBe("loopback");
    expect(result.config.gateway?.tailscale?.mode).toBe("off");
    expect(result.config.gateway?.tailscale?.resetOnExit).toBe(false);
  });
--- a/src/commands/configure.gateway.ts
+++ b/src/commands/configure.gateway.ts
@@ -142,10 +142,8 @@ export async function promptGatewayConfig(
    authMode = "password";
  }

-  if (authMode === "trusted-proxy" && bind === "loopback") {
-    note("Trusted proxy auth requires network bind. Adjusting bind to lan.", "Note");
-    bind = "lan";
-  }
+  // trusted-proxy + loopback is valid when the reverse proxy runs on the same
+  // host (e.g. cloudflared, nginx, Caddy). trustedProxies must include 127.0.0.1.
  if (authMode === "trusted-proxy" && tailscaleMode !== "off") {
    note(
      "Trusted proxy auth is incompatible with Tailscale serve/funnel. Disabling Tailscale.",