Home / server / Questions / 1095784
In Process
Pepsko
Asked: 2022-03-10 13:03:52 +0800 CST

Get real requester IP in containerized NGINX reverse proxy

  • 772

I have Docker Swarm stack with nginx as reverse proxy set up on OVH vps. I was trying to make use of allow/deny directives in location, but if I set deny all; it wouldn't work even for the ip's added with allow directive. After looking at access logs I found out, that all requests allegedly come from IP 10.0.0.2. Now I tried to get the actual IP first to at least be shown in logs, but with no luck. There is my nginx.conf:

events{}

http {

  map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
  }
  error_log /dev/stdout info;
  log_format json_combined escape=json
    '{'
      '"time":"$time_local",'
      '"httpRequest":{'
        '"requestMethod":"$request_method",'
        '"requestUrl":"$scheme://$host$request_uri",'
        '"requestSize":$request_length,'
        '"status":"$status",'
        '"responseSize":$bytes_sent,'
        '"userAgent":"$http_user_agent",'
        '"remoteIp":"$remote_addr",'
        '"serverIp":"$server_addr",'
        '"referer":"$http_referer",'
        '"latency":"${request_time}s",'
        '"protocol":"$server_protocol"'
      '}'
    '}';

  resolver 127.0.0.11 valid=30s;

  include /etc/nginx/mime.types;
  include /etc/nginx/sites-enabled/*.*;
}

proxy.conf:

set_real_ip_from        10.0.0.0/8;
real_ip_header          X-Forwarded-For;
real_ip_recursive       on;
proxy_set_header        X-Real-IP           $remote_addr;
proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;
proxy_set_header        Host                $http_host;
proxy_set_header        X-Forwarded-Host    $http_host;
proxy_set_header        X-Forwarded-Proto   $scheme;
proxy_set_header        X-Forwarded-Port    $server_port;
proxy_set_header        Upgrade             $http_upgrade;
proxy_set_header        Connection          $connection_upgrade;
proxy_set_header        X-NginX-Proxy       true;
proxy_cache_bypass      $http_upgrade;
proxy_http_version      1.1;
proxy_read_timeout      20d;
proxy_buffering         off;
proxy_request_buffering off;
proxy_intercept_errors  on;
http2_push_preload      on;

and my location:

  location /api/ {
     allow XXX.XX.XX.X;
     deny  all;
     include /etc/nginx/proxy-options/proxy.conf;
     set $ocelot ocelot-service;
     proxy_pass http://$ocelot$uri$is_args$args;
     proxy_ssl_session_reuse off;
     proxy_redirect off;
     client_max_body_size 5M;
  }

What can I do so nginx logs actual IP of requester and if it's possible, to use the IP to compare with allow directive?

ip nginx docker docker-swarm nginx-reverse-proxy

1 Answers

  1. Problem was caused due to the additional "overlay" network in docker swarm; I have bypassed this by using "host" networking.

    services:
  nginx:
    ...
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    • 0