On Mon, Aug 4, 2025 at 1:24 PM Marco Asa <[email protected]> wrote:
> Hello everyone,
>
> I have the following setup: Reverse proxy -> VPN -> guacamole and I cannot use TOTP bypass as I would like.
>
> In the guacamole logs I see events as:
>
> User "guacadmin" (authenticated by "postgresql") successfully authenticated from [10.79.7.160, 100.65.0.191]
>
> where the first IP is the correct one for the user for which I would like to bypass TOTP while the second is the VPN address of the server with the reverse proxy.

Just to confirm, you're saying that you may have users coming from that VPN address that aren't inside your network, and for which you don't want to bypass the 2FA requirement?

> Now if I set the env. variable TOTP_BYPASS_HOST: '100.65.0.191' of course everything goes through and I effectively disabled TOTP. Not great.
>
> Instead if I try 10.79.7.160 (or in general 10.79.7.0/24 as I would like to do in the end) I still need to provide 2FA.
>
> Am I doing something wrong with the proxy or is it not supposed to work like this?

Well, it's possible that the reverse proxy needs some adjusting in order to configure which of those IP addresses gets passed through as the client IP. Off the top of my head I couldn't tell you exactly how to do that - it'd take some trial-and-error to make sure the correct one is getting passed through.

You might also check the Tomcat Remote IP Valve configuration and make sure it's configured to properly let the remote IP be set as you'd expect - if your reverse proxy isn't allowed to set the IP, it could be documenting what it _would_ be rather than what it actually is (the VPN IP).

-Nick
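As an added illustration of the point Nick makes about the Remote IP Valve (example code written for this page, not Guacamole's or Tomcat's own implementation), the Python below models how a RemoteIpValve-style resolver picks the client address out of the X-Forwarded-For chain, and how an address-based 2FA bypass list then behaves. The two addresses from Marco's log line are reused; the trusted-proxy list, the function names, and the other addresses (100.65.0.50, 203.0.113.5) are constructed assumptions.

```python
import ipaddress

# Added example: a simplified model of Tomcat RemoteIpValve-style client address
# resolution followed by an address-based 2FA bypass check. It is not Guacamole's
# or Tomcat's code; function names and the trusted-proxy list are assumptions.


def _in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def resolve_client_ip(remote_addr: str, x_forwarded_for: str, internal_proxies) -> str:
    """Return the address the application should treat as the client.

    remote_addr      -- the TCP peer the servlet container actually sees
    x_forwarded_for  -- the X-Forwarded-For header value ("" if absent)
    internal_proxies -- CIDRs of proxies whose forwarded headers are trusted
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in internal_proxies]
    # If the direct peer is not a trusted proxy the header is ignored: the
    # header is free text set by whoever sent the request, so it only counts
    # when a known proxy put it there.
    if not _in_any(remote_addr, trusted):
        return remote_addr
    # Walk the chain right to left (nearest hop first), skipping trusted
    # proxies; the first address that is not a trusted proxy is the client.
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _in_any(hop, trusted):
            return hop
    # Every hop was a trusted proxy: fall back to the direct peer.
    return remote_addr


def totp_bypassed(client_ip: str, bypass_hosts) -> bool:
    """True if client_ip matches any bypass entry (single address or CIDR)."""
    nets = [ipaddress.ip_network(h, strict=False) for h in bypass_hosts]
    return _in_any(client_ip, nets)


def evaluate(remote_addr: str, x_forwarded_for: str, internal_proxies, bypass_hosts):
    """Resolve the client address, then report whether 2FA would be skipped."""
    client = resolve_client_ip(remote_addr, x_forwarded_for, internal_proxies)
    return client, totp_bypassed(client, bypass_hosts)


# Constructed scenarios built around the two addresses in the log line above.
VPN_PROXY = "100.65.0.191"   # VPN-side address of the reverse proxy host
LAN_USER = "10.79.7.160"     # the address that should qualify for bypass
LAN_BYPASS = ["10.79.7.0/24"]

if __name__ == "__main__":
    # 1. No trusted proxies, bypass list holds the VPN address: every request
    #    resolves to the proxy address and 2FA is off for everyone.
    print(evaluate(VPN_PROXY, LAN_USER, [], [VPN_PROXY]))              # ('100.65.0.191', True)
    # 2. No trusted proxies, bypass list holds the LAN range: the client is
    #    still seen as the VPN address, so the LAN user keeps being prompted.
    print(evaluate(VPN_PROXY, LAN_USER, [], LAN_BYPASS))               # ('100.65.0.191', False)
    # 3. Proxy trusted: the LAN user resolves correctly and bypasses 2FA.
    print(evaluate(VPN_PROXY, LAN_USER, [VPN_PROXY], LAN_BYPASS))      # ('10.79.7.160', True)
    # 4. Proxy trusted, but a remote VPN user (constructed address) behind the
    #    same proxy is outside the LAN range and is still prompted.
    print(evaluate(VPN_PROXY, "100.65.0.50", [VPN_PROXY], LAN_BYPASS)) # ('100.65.0.50', False)
    # 5. A peer that is not a trusted proxy supplies the header itself: ignored.
    print(evaluate("203.0.113.5", LAN_USER, [VPN_PROXY], LAN_BYPASS))  # ('203.0.113.5', False)
```

Scenario 2 reproduces the symptom in the thread: until the container trusts the proxy hop, the application only ever sees the VPN address, so a LAN-range bypass entry never matches and a bypass entry for the VPN address matches every request. Scenarios 4 and 5 are the checks to keep in mind once the proxy is trusted: a user arriving over the VPN still gets prompted, and a forwarded header from an untrusted peer is ignored.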
