fix(gateway): trusted-proxy auth rejected when bind=loopback (#20097)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: 8de62f1a8f Co-authored-by: xinhuagu <562450+xinhuagu@users.noreply.github.com> Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky
2026-05-10 19:04:58 +00:00 · 2026-02-20 18:51:35 +01:00
parent 868fe48d58
commit 9c5249714d
5 changed files with 32 additions and 15 deletions
--- a/src/commands/configure.gateway.ts
+++ b/src/commands/configure.gateway.ts
@@ -142,10 +142,8 @@ export async function promptGatewayConfig(
    authMode = "password";
  }

-  if (authMode === "trusted-proxy" && bind === "loopback") {
-    note("Trusted proxy auth requires network bind. Adjusting bind to lan.", "Note");
-    bind = "lan";
-  }
+  // trusted-proxy + loopback is valid when the reverse proxy runs on the same
+  // host (e.g. cloudflared, nginx, Caddy). trustedProxies must include 127.0.0.1.
  if (authMode === "trusted-proxy" && tailscaleMode !== "off") {
    note(
      "Trusted proxy auth is incompatible with Tailscale serve/funnel. Disabling Tailscale.",