Skip to content
CoderClaw CoderClaw

Trusted Proxy Auth

Trusted Proxy Auth

Section titled “Trusted Proxy Auth”

⚠️ Security-sensitive feature. This mode delegates authentication entirely to your reverse proxy. Misconfiguration can expose your Gateway to unauthorized access. Read this page carefully before enabling.

When to Use

Section titled “When to Use”

Use trusted-proxy auth mode when:

  • You run CoderClaw behind an identity-aware proxy (Pomerium, Caddy + OAuth, nginx + oauth2-proxy, Traefik + forward auth)
  • Your proxy handles all authentication and passes user identity via headers
  • You’re in a Kubernetes or container environment where the proxy is the only path to the Gateway
  • You’re hitting WebSocket 1008 unauthorized errors because browsers can’t pass tokens in WS payloads

When NOT to Use

Section titled “When NOT to Use”
  • If your proxy doesn’t authenticate users (just a TLS terminator or load balancer)
  • If there’s any path to the Gateway that bypasses the proxy (firewall holes, internal network access)
  • If you’re unsure whether your proxy correctly strips/overwrites forwarded headers
  • If you only need personal single-user access (consider Tailscale Serve + loopback for simpler setup)

How It Works

Section titled “How It Works”
  1. Your reverse proxy authenticates users (OAuth, OIDC, SAML, etc.)
  2. Proxy adds a header with the authenticated user identity (e.g., x-forwarded-user: nick@example.com)
  3. CoderClaw checks that the request came from a trusted proxy IP (configured in gateway.trustedProxies)
  4. CoderClaw extracts the user identity from the configured header
  5. If everything checks out, the request is authorized

Configuration

Section titled “Configuration”
{
  gateway: {
    // Must bind to network interface (not loopback)
    bind: "lan",


    // CRITICAL: Only add your proxy's IP(s) here
    trustedProxies: ["10.0.0.1", "172.17.0.1"],


    auth: {
      mode: "trusted-proxy",
      trustedProxy: {
        // Header containing authenticated user identity (required)
        userHeader: "x-forwarded-user",


        // Optional: headers that MUST be present (proxy verification)
        requiredHeaders: ["x-forwarded-proto", "x-forwarded-host"],


        // Optional: restrict to specific users (empty = allow all)
        allowUsers: ["nick@example.com", "admin@company.org"],
      },
    },
  },
}

Configuration Reference

Section titled “Configuration Reference”
FieldRequiredDescription
gateway.trustedProxiesYesArray of proxy IP addresses to trust. Requests from other IPs are rejected.
gateway.auth.modeYesMust be "trusted-proxy"
gateway.auth.trustedProxy.userHeaderYesHeader name containing the authenticated user identity
gateway.auth.trustedProxy.requiredHeadersNoAdditional headers that must be present for the request to be trusted
gateway.auth.trustedProxy.allowUsersNoAllowlist of user identities. Empty means allow all authenticated users.

Proxy Setup Examples

Section titled “Proxy Setup Examples”

Pomerium

Section titled “Pomerium”

Pomerium passes identity in x-pomerium-claim-email (or other claim headers) and a JWT in x-pomerium-jwt-assertion.

{
  gateway: {
    bind: "lan",
    trustedProxies: ["10.0.0.1"], // Pomerium's IP
    auth: {
      mode: "trusted-proxy",
      trustedProxy: {
        userHeader: "x-pomerium-claim-email",
        requiredHeaders: ["x-pomerium-jwt-assertion"],
      },
    },
  },
}

Pomerium config snippet:

routes:
  - from: https://coderclaw.example.com
    to: http://coderclaw-gateway:18789
    policy:
      - allow:
          or:
            - email:
                is: nick@example.com
    pass_identity_headers: true

Caddy with OAuth

Section titled “Caddy with OAuth”

Caddy with the caddy-security plugin can authenticate users and pass identity headers.

{
  gateway: {
    bind: "lan",
    trustedProxies: ["127.0.0.1"], // Caddy's IP (if on same host)
    auth: {
      mode: "trusted-proxy",
      trustedProxy: {
        userHeader: "x-forwarded-user",
      },
    },
  },
}

Caddyfile snippet:

coderclaw.example.com {
    authenticate with oauth2_provider
    authorize with policy1


    reverse_proxy coderclaw:18789 {
        header_up X-Forwarded-User {http.auth.user.email}
    }
}

nginx + oauth2-proxy

Section titled “nginx + oauth2-proxy”

oauth2-proxy authenticates users and passes identity in x-auth-request-email.

{
  gateway: {
    bind: "lan",
    trustedProxies: ["10.0.0.1"], // nginx/oauth2-proxy IP
    auth: {
      mode: "trusted-proxy",
      trustedProxy: {
        userHeader: "x-auth-request-email",
      },
    },
  },
}

nginx config snippet:

location / {
    auth_request /oauth2/auth;
    auth_request_set $user $upstream_http_x_auth_request_email;


    proxy_pass http://coderclaw:18789;
    proxy_set_header X-Auth-Request-Email $user;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

Traefik with Forward Auth

Section titled “Traefik with Forward Auth”
{
  gateway: {
    bind: "lan",
    trustedProxies: ["172.17.0.1"], // Traefik container IP
    auth: {
      mode: "trusted-proxy",
      trustedProxy: {
        userHeader: "x-forwarded-user",
      },
    },
  },
}

Security Checklist

Section titled “Security Checklist”

Before enabling trusted-proxy auth, verify:

  • Proxy is the only path: The Gateway port is firewalled from everything except your proxy
  • trustedProxies is minimal: Only your actual proxy IPs, not entire subnets
  • Proxy strips headers: Your proxy overwrites (not appends) x-forwarded-* headers from clients
  • TLS termination: Your proxy handles TLS; users connect via HTTPS
  • allowUsers is set (recommended): Restrict to known users rather than allowing anyone authenticated

Security Audit

Section titled “Security Audit”

coderclaw security audit will flag trusted-proxy auth with a critical severity finding. This is intentional — it’s a reminder that you’re delegating security to your proxy setup.

The audit checks for:

  • Missing trustedProxies configuration
  • Missing userHeader configuration
  • Empty allowUsers (allows any authenticated user)

Troubleshooting

Section titled “Troubleshooting”

”trusted_proxy_untrusted_source”

Section titled “”trusted_proxy_untrusted_source””

The request didn’t come from an IP in gateway.trustedProxies. Check:

  • Is the proxy IP correct? (Docker container IPs can change)
  • Is there a load balancer in front of your proxy?
  • Use docker inspect or kubectl get pods -o wide to find actual IPs

”trusted_proxy_user_missing”

Section titled “”trusted_proxy_user_missing””

The user header was empty or missing. Check:

  • Is your proxy configured to pass identity headers?
  • Is the header name correct? (case-insensitive, but spelling matters)
  • Is the user actually authenticated at the proxy?

“trustedproxy_missing_header*”

Section titled ““trustedproxy_missing_header*””

A required header wasn’t present. Check:

  • Your proxy configuration for those specific headers
  • Whether headers are being stripped somewhere in the chain

”trusted_proxy_user_not_allowed”

Section titled “”trusted_proxy_user_not_allowed””

The user is authenticated but not in allowUsers. Either add them or remove the allowlist.

WebSocket Still Failing

Section titled “WebSocket Still Failing”

Make sure your proxy:

  • Supports WebSocket upgrades (Upgrade: websocket, Connection: upgrade)
  • Passes the identity headers on WebSocket upgrade requests (not just HTTP)
  • Doesn’t have a separate auth path for WebSocket connections

Migration from Token Auth

Section titled “Migration from Token Auth”

If you’re moving from token auth to trusted-proxy:

  1. Configure your proxy to authenticate users and pass headers
  2. Test the proxy setup independently (curl with headers)
  3. Update CoderClaw config with trusted-proxy auth
  4. Restart the Gateway
  5. Test WebSocket connections from the Control UI
  6. Run coderclaw security audit and review findings
Section titled “Related”