From 0d760a48876bfb222657a3b84a085c26750dda72 Mon Sep 17 00:00:00 2001 From: Ainar Garipov Date: Thu, 9 Dec 2021 15:38:44 +0300 Subject: [PATCH] Pull request: Configuration: imp trusted proxies doc Merge in DNS/adguard-home-wiki from 3382-trusted-proxies-conf to master Squashed commit of the following: commit 1b6af11d215befe46c1344797216c95d3cc4c128 Author: Ainar Garipov Date: Thu Dec 9 15:38:10 2021 +0300 Configuration: imp commit 7f045f0016895db854f0a7955ae60e83e0ba485b Author: Ainar Garipov Date: Thu Dec 9 15:23:24 2021 +0300 Configuration: imp trusted proxies doc --- Configuration.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/Configuration.md b/Configuration.md index bb60f0a..ca2bc11 100644 --- a/Configuration.md +++ b/Configuration.md @@ -367,8 +367,18 @@ Settings are stored in [YAML format](https://en.wikipedia.org/wiki/YAML), possib - `disallowed_clients` — IP addresses of clients that should be blocked - `blocked_hosts` — Hosts that should be blocked - `trusted_proxies` (**since v0.107.0**) – The list of IP addresses and CIDR - networks to detect proxy servers' addresses from which AdGuard Home should - accept and handle DNS-over-HTTPS requests. + prefixes of trusted HTTP proxy servers. If a DNS-over-HTTPS request comes + from one of these addresses or networks, AdGuard Home uses the provided + proxy headers, such as `X-Real-IP`, to get the real IP address of the + client. Requests from HTTP proxies outside of these networks are + considered to be requests from the proxy itself. That is, the proxy + headers are ignored. + + The full list of proxy headers, in the order AdGuard Home inspects them: + 1. `CF-Connecting-IP` + 1. `True-Client-IP` + 1. `X-Real-IP` + 1. `X-Forwarded-For` - **DNS cache settings** - `cache_size` — DNS cache size (in bytes) - `cache_ttl_min` — override TTL value (minimum) received from upstream server. This value can't larger than 3600 (1 hour).
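Review bot: the numbered header list added under `trusted_proxies` states the inspection order but leaves out two things an operator needs in order to configure this safely. First, it does not say which address is taken from `X-Forwarded-For` when that header carries several comma-separated addresses; please state which entry AdGuard Home uses. Second, since the headers are inspected in order, the text implies that an earlier header such as `CF-Connecting-IP` is used even when the trusted proxy only sets `X-Real-IP`, so a sentence should say that every proxy listed in `trusted_proxies` must overwrite or strip all four headers on incoming requests, otherwise the client address recorded for access rules (`disallowed_clients` just above) and logs comes from a value the client supplied. It would also help to say explicitly that the first header present wins, if that is the behaviour, rather than leaving it to be inferred from "in the order AdGuard Home inspects them".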