mirror of
https://github.com/juanfont/headscale.git
synced 2026-07-15 12:30:44 +09:00
e4e742c776
The HTTP/2 server inside the Noise tunnel fills r.RemoteAddr from the hijacked TCP socket, so /machine/register and /machine/map logged the reverse proxy's loopback peer (e.g. 127.0.0.1:44388) even with trusted_proxies set. The outer router's realIPMiddleware had already resolved the client IP onto req.RemoteAddr; that value never crossed the hijack. Replace the inner realIPMiddleware mount — dead inside the encrypted tunnel — with overrideRemoteAddr(req.RemoteAddr) so requests served over the tunnel report the outer-resolved client IP.