fix: handle Unix socket RemoteAddr in IP resolution

When oauth2-proxy listens on a Unix socket, Go sets RemoteAddr to "@"
instead of the usual "host:port" format. This caused net.SplitHostPort
to fail on every request, flooding logs with errors:

  Error obtaining real IP for trusted IP list: unable to get ip and
  port from http.RemoteAddr (@)

Fix by handling the "@" RemoteAddr at the source in getRemoteIP,
returning nil without error since Unix sockets have no meaningful
client IP. Also simplify the isTrustedIP guard and add a nil check
in GetClientString to prevent calling String() on nil net.IP.

Fixes #3373

oauthproxy.go

@@ -611,9 +611,7 @@ func (p *OAuthProxy) isAPIPath(req *http.Request) bool {
 
 // isTrustedIP is used to check if a request comes from a trusted client IP address.
 func (p *OAuthProxy) isTrustedIP(req *http.Request) bool {
-	// RemoteAddr @ means unix socket
-	// https://github.com/golang/go/blob/0fa53e41f122b1661d0678a6d36d71b7b5ad031d/src/syscall/syscall_linux.go#L506-L511
-	if p.trustedIPs == nil && req.RemoteAddr != "@" {
+	if p.trustedIPs == nil {
 		return false
 	}
 

oauthproxy_test.go

@@ -2149,6 +2149,32 @@ func TestTrustedIPs(t *testing.T) {
 			}(),
 			expectTrusted: false,
 		},
+		// Check Unix socket with no trusted IPs configured does not error.
+		{
+			name:               "UnixSocketWithoutTrustedIPs",
+			trustedIPs:         nil,
+			reverseProxy:       false,
+			realClientIPHeader: "X-Real-IP",
+			req: func() *http.Request {
+				req, _ := http.NewRequest("GET", "/", nil)
+				req.RemoteAddr = "@"
+				return req
+			}(),
+			expectTrusted: false,
+		},
+		// Check Unix socket with trusted IPs configured returns false (no IP to match).
+		{
+			name:               "UnixSocketWithTrustedIPs",
+			trustedIPs:         []string{"127.0.0.1"},
+			reverseProxy:       false,
+			realClientIPHeader: "X-Real-IP",
+			req: func() *http.Request {
+				req, _ := http.NewRequest("GET", "/", nil)
+				req.RemoteAddr = "@"
+				return req
+			}(),
+			expectTrusted: false,
+		},
 		// Check using req.RemoteAddr (Options.ReverseProxy == false).
 		{
 			name:               "WithRemoteAddr",

pkg/ip/realclientip.go

@@ -73,6 +73,12 @@ func GetClientIP(p ipapi.RealClientIPParser, req *http.Request) (net.IP, error)
 
 // getRemoteIP obtains the IP of the low-level connected network host
 func getRemoteIP(req *http.Request) (net.IP, error) {
+	// Unix domain sockets set RemoteAddr to "@" which has no meaningful IP.
+	// https://github.com/golang/go/blob/0fa53e41f122b1661d0678a6d36d71b7b5ad031d/src/syscall/syscall_linux.go#L506-L511
+	if req.RemoteAddr == "@" {
+		return nil, nil
+	}
+
 	//revive:disable:indent-error-flow
 	if ipStr, _, err := net.SplitHostPort(req.RemoteAddr); err != nil {
 		return nil, fmt.Errorf("unable to get ip and port from http.RemoteAddr (%s)", req.RemoteAddr)
@@ -94,7 +100,7 @@ func GetClientString(p ipapi.RealClientIPParser, req *http.Request, full bool) (
 	}
 
 	var remoteIPStr string
-	if remoteIP, err := getRemoteIP(req); err == nil {
+	if remoteIP, err := getRemoteIP(req); err == nil && remoteIP != nil {
 		remoteIPStr = remoteIP.String()
 	}
 

pkg/ip/realclientip_test.go

@@ -112,6 +112,8 @@ func TestGetRemoteIP(t *testing.T) {
 		errString  string
 		expectedIP net.IP
 	}{
+		// Unix domain sockets set RemoteAddr to "@"
+		{"@", "", nil},
 		{"", "unable to get ip and port from http.RemoteAddr ()", nil},
 		{"nil", "unable to get ip and port from http.RemoteAddr (nil)", nil},
 		{"235.28.129.186", "unable to get ip and port from http.RemoteAddr (235.28.129.186)", nil},
@@ -155,6 +157,8 @@ func TestGetClientString(t *testing.T) {
 	}{
 		// Should fail quietly, only printing warnings to the log
 		{nil, "", "", "", ""},
+		// Unix domain socket — no IP available
+		{nil, "@", "", "", ""},
 		{p, "127.0.0.1:11950", "", "127.0.0.1", "127.0.0.1"},
 		{p, "[::1]:28660", "99.103.56.12", "99.103.56.12", "::1 (99.103.56.12)"},
 		{nil, "10.254.244.165:62750", "", "10.254.244.165", "10.254.244.165"},