11

I am running Nginx in a Docker container as a reverse proxy using the configuration below. It basically redirects the request to another Docker container running on the same machine.

Problem

The problem is that the output in the access log states the wrong client IP address, specifically I get the IP of the Docker host 172.17.0.1:

172.17.0.1 - - [24/May/2016:19:50:18 +0000] "GET /admin/ HTTP/1.1" 200 19243 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0" "-"

I tried to follow the advice from this post regarding the set_real_ip_from directive but without any success.

Configuration

server {
    listen       8000 ssl;
    server_name  example.com;

    access_log  /var/log/nginx/host.access.log  main;

    ssl_certificate     /path/to/cert.pem;
    ssl_certificate_key /path/to/key.key;

    set_real_ip_from 172.17.0.1;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    proxy_set_header    Host $host:$server_port;
    proxy_set_header    X-Real-IP $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto $scheme;

    location / {
        proxy_pass  http://172.17.0.1:8100/;
    }
}

What am I missing here?


Edit:

I just realised that other people have a similar problem here and here but unfortunately no solution.

mincos

4 Answers

1

You probably will need the fix suggested by womble's answer in order to see the real IP at the real server.

In order to see the real client IP at either the real server or the proxying node, though, you'll need to modify your Docker configuration. I think the issue stems from Docker's network firewall sitting in front of nginx. See this question for solutions to that problem.

Blieque
1

A simple way to solve the problem seems to be publishing the port in "host" mode (source).

If you are using docker-compose, it could be done like this:

ports:
  - target: 80
    published: 80
    mode: host
  - target: 443
    published: 443
    mode: host
Governa
  • Thanks for the reply. I am not using the setup with nginx inside a docker container anymore so can't test it right now. – mincos Oct 08 '21 at 20:05
0

The problem is that the output in the access log states the wrong client IP address, specifically I get the IP of the Docker host 172.17.0.1:

I suspect that you really mean

The problem is that the output in the access log of the origin server states the wrong client IP address, specifically I get the IP of the reverse proxy host.

In which case you need to amend the logging on the origin server:

log_format proxied '$http_x_real_ip - $remote_user [$time_local] '
                       '"$request" $status $bytes_sent '
                       '"$http_referer" "$http_user_agent" "$gzip_ratio"';
...
access_log /var/log/nginx/access.log proxied;
symcbean
0

You need to set the X-Forwarded-For header (not X-Real-IP, that's even less standard) on the machine doing the proxying, and you need to tell whatever's receiving the request to trust that the XFF header is legit because it's coming from a known IP. The config you've got in your question is only for one machine, but it's got the config you need for both ends.

womble
  • 1
    Thank you for your reply. I understand that both machines have to be configured but the log entry I posted above is from the proxying machine / docker container. So already that one does not get the proper IP address of the request but instead logs the IP of the docker host. – mincos May 26 '16 at 07:45
  • This is not a good idea. X-Forwarded-For can be multi-valued. Yes, X-Real-IP is not an RFC standard - but it is enforceable between a reverse proxy and origin server owned by the same admin. – symcbean Nov 25 '21 at 20:29
  • XFF being multi-valued is a *good* thing, not a bad thing. As for X-Real-IP, if you're only working entirely within one administrative domain you can, of course, call the header whatever you want. – womble Jan 21 '22 at 09:34
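
Added example (not from any of the posts above): a simplified Python model of how nginx's realip module chooses the client address from `set_real_ip_from`, `real_ip_header X-Forwarded-For` and `real_ip_recursive`, the directives in the question and the multi-valued header debated under womble's answer. The function names and sample addresses are constructed, and it assumes the stock `main` log format, whose last field is `$http_x_forwarded_for`.

```python
import ipaddress

def _valid(ip):
    try:
        return ipaddress.ip_address(ip)
    except ValueError:
        return None

def real_client_ip(remote_addr, xff, trusted, recursive=True):
    """Simplified model of nginx realip with real_ip_header X-Forwarded-For.

    trusted   -- the set_real_ip_from values (addresses or CIDR ranges)
    recursive -- the real_ip_recursive setting
    """
    nets = [ipaddress.ip_network(t) for t in trusted]

    def is_trusted(ip):
        addr = _valid(ip)
        return addr is not None and any(addr in n for n in nets)

    # The header is honoured only when the TCP peer is a trusted proxy,
    # and there is nothing to substitute when no header arrived.
    if not xff or not is_trusted(remote_addr):
        return remote_addr

    client = remote_addr
    # Walk the list right to left: the rightmost entry was appended by the
    # nearest proxy, entries further left are progressively less trustworthy.
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if _valid(hop) is None:
            break
        client = hop
        if not recursive or not is_trusted(hop):
            break
    return client

# Constructed sample requests: (TCP peer, X-Forwarded-For header value)
TRUSTED = ["172.17.0.1"]
SAMPLES = [
    ("172.17.0.1", None),   # the question's log line: header field is "-"
    ("172.17.0.1", "198.51.100.9, 203.0.113.7, 172.17.0.1"),
    ("203.0.113.50", "10.0.0.1"),   # untrusted peer sending its own header
]

if __name__ == "__main__":
    for peer, header in SAMPLES:
        print(peer, header, "->", real_client_ip(peer, header, TRUSTED))
```

The first sample stays at 172.17.0.1 because no header reached nginx, which matches the log line in the question; in the second sample the leftmost entry is never selected because an untrusted hop sits to its right.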