Send real ip to application for fail2ban

Hey everyone, I am hosting some applications and proxying them both by tailscale and zrok. With tailscale I get the real ip and fail2ban works great but with zoom and caddy I get the wrong ip.

I have tried this:

 X-Real-IP {remote_host}

Hi @aikooo7, welcome to the comunity and to OpenZiti!

I'm not exactly sure I understand what you're trying to do. Are you trying to intercept an ip on the 'client' side and have the intercepted IP from the client be the one that's connected to on the far side?

If that's what you want to do, you will want to look into the 'forwarding' configuration for host.v1 configs:

I think that's what you are looking for, but i'm not entirely sure.


My use case is not on client but on the server, vaultwarden is logging the ips of who fails a login and fail2ban uses it. See about it here.

It works good and all in tailscale and gets my tailscale machine ip but when using zrok, it gets the zrok ip not my machine ip so if someone gets the authentication wrong x amounts of times the zrok will be banned, not who failed the login.

You're using the zrok service at, correct? You're not self-hosting it?

I'll have to do a little digging, but you should be getting an HTTP header with the real IP address of the remote user. In a quick test on my end, it doesn't look like that's happening. It was... something may have changed in the production environment, so I will need to coordinate with that team.


I can confirm I am using the zrok service at and not self-hosting.

Anything I can help please let me know and keep me updated.

There was a fix applied to the production environment today. If you take a look at the X-Forwarded-For header in the inbound request to your service, the first address will be the remote address of the client accessing your public zrok share.

You can ignore the second address, for now. A follow-on change to the software will be forthcoming that will remove that second address.

But this should get you going for now.


It is still not working, I searched and searched and found out that vaultwarden uses X-Real-Ip but I wasn't able to set it based on X-Forwarded-For, may I get some help here?

Also, I wasn't able to see X-Forwarded-For using the global directive debug, is that normal behavior?

The convention for proxies is to include an X-Forwarded-* set of headers, including X-Forwarded-For. And that is definitely working in production zrok now.

We might be able to include an additional header, X-Real-IP that is a mirror of X-Forwarded-For, in an upcoming release of zrok, but that might not happen for a week or so.


You understood me wrong, I meant how can I make mirror the X-Forward as X-Real-Ip

I don't have an answer for you there. That depends on your setup and the software that you're using.

Currently, zrok does not have a facility that would allow you to mirror that header. It's something that I've added to the backlog and we will add as a new feature in an upcoming release, probably within a few weeks.