My Setup:
1 homeserver (Ubuntu 24.04.4 LTS) with Tailscale (v1.94.2) deployed with my own user, including subnet route and exit node
DNS record to route traffic for a specific subdomain to the Tailscale IP address of the homeserver
reverse proxy on the homeserver in rootless Docker, with X-Forwarded headers set, to route the subdomains to the specific services
SSO service for login
What I want to achieve:
I want to check the connecting client IP in my SSO service to block specific accounts from logging in when they are not connecting via Tailscale.
My problem:
The SSO service only reads the IP address of the gateway of the reverse proxy's Docker network instead of the Tailscale IP, which means I can't identify connections via Tailscale.
I'm thinking that the culprit is the masquerading of IP addresses in Tailscale, but I can't seem to deactivate it for direct connections.
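An added example, not from the original post, showing how an SSO service behind a trusted reverse proxy can recover the client address from X-Forwarded-For (only when the TCP peer is the proxy) and check whether it falls in Tailscale's 100.64.0.0/10 range. The proxy subnet 172.18.0.0/16 and the restricted account name are assumed values; the header can only carry the Tailscale address if the proxy itself still sees it.

```python
"""Added example (not from the original post): derive the real client address
behind a trusted reverse proxy and decide whether it arrived over Tailscale.

Assumptions (not stated in the post): the proxy lives in the Docker subnet
172.18.0.0/16 and appends the client address to X-Forwarded-For; Tailscale
assigns node addresses from 100.64.0.0/10 (the CGNAT range).
"""
import ipaddress
from typing import Optional

TAILSCALE_NET = ipaddress.ip_network("100.64.0.0/10")
# Only peers in these networks may set X-Forwarded-For; from anyone else the
# header is ignored, so a direct client cannot spoof a Tailscale address.
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]  # assumed Docker subnet


def _trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer: str, xff: Optional[str]):
    """Return the address to use for policy decisions.

    peer is the TCP peer the SSO service sees (the Docker gateway in the post);
    xff is the raw X-Forwarded-For header value, if any.
    """
    peer_ip = ipaddress.ip_address(peer)
    if not _trusted(peer_ip) or not xff:
        return peer_ip
    # Walk right-to-left: the rightmost entry was added by the nearest proxy.
    # Skip further trusted hops and stop at the first untrusted one.
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed header: fall back to what TCP saw
        if not _trusted(addr):
            return addr
    return peer_ip  # every hop was a proxy; nothing better than the peer


def via_tailscale(peer: str, xff: Optional[str]) -> bool:
    return client_ip(peer, xff) in TAILSCALE_NET


def allow_login(account: str, peer: str, xff: Optional[str]) -> bool:
    restricted = {"admin"}  # constructed: accounts that must arrive via Tailscale
    return account not in restricted or via_tailscale(peer, xff)
```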