I have a virtualized router with a public IP address assigned to it directly in Proxmox. When I send a request to port 443 from a different network (from a browser), the router correctly port-forwards it to my NGINX container on a private IP.
Since the router performed a NAT on the packet from the public IP to a local 10.0.0.0/8 address, how does NGINX know what the original client IP was? It reports my public IP correctly in access.log, but all the IP information it should be seeing would be the router's private IP, wouldn't it?
Also, when I check the headers in my network tab on the client, there is no X-Forwarded-For header. There is also no other reverse proxy (that I know of) that would be adding the header, definitely not one with the correct SSL certs to be able to do that.
Thanks
Because the router is translating the destination address of the incoming IP packets (towards your router's public IP) and translating them to have a destination address of your NGINX private IP address (when it forwards the packets onwards), leaving the origin address on the packets unmodified.
So only the destination address is modified, not the source (origin) address, which I believe is called DNAT.
The router can do this because it is able to track the connection internally, in its own NAT tracking table. Any packets coming back from NGINX can then be appropriately deNATed again outbound, once an initial connection inbound has been tracked and established.
This process preserves the source address, which is why NGINX knows what that is.
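The translation described in the answer above, as an added example that is not part of the original posts: a toy Python model of a port-forwarding router with a connection-tracking table. The class and function names are hypothetical, and the addresses are constructed values from documentation ranges.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class DnatRouter:
    """Toy model (hypothetical): DNAT port forwards plus a conntrack table."""

    def __init__(self, public_ip, forwards):
        self.public_ip = public_ip
        self.forwards = forwards   # {public_port: (private_ip, private_port)}
        self.conntrack = {}        # reply 4-tuple -> original (dst, dport)

    def inbound(self, pkt):
        """Rewrite only the destination and record how to undo it."""
        if pkt.dst != self.public_ip or pkt.dport not in self.forwards:
            return None            # no forward rule matches: drop
        new_dst, new_dport = self.forwards[pkt.dport]
        # Key on the tuple the server's reply will carry.
        reply_key = (new_dst, new_dport, pkt.src, pkt.sport)
        self.conntrack[reply_key] = (pkt.dst, pkt.dport)
        return replace(pkt, dst=new_dst, dport=new_dport)

    def outbound(self, pkt):
        """Restore the public source address on replies of tracked flows."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None            # not a reply to a forwarded connection
        return replace(pkt, src=orig[0], sport=orig[1])

def demo():
    # Constructed sample: client 198.51.100.7 connects to the router's public IP.
    router = DnatRouter("203.0.113.10", {443: ("10.0.0.20", 443)})
    request = Packet("198.51.100.7", 51514, "203.0.113.10", 443)
    seen_by_nginx = router.inbound(request)
    # NGINX answers the address it saw as the source of the request.
    reply = Packet(seen_by_nginx.dst, seen_by_nginx.dport,
                   seen_by_nginx.src, seen_by_nginx.sport)
    seen_by_client = router.outbound(reply)
    return router, seen_by_nginx, seen_by_client

if __name__ == "__main__":
    _, at_nginx, at_client = demo()
    print("NGINX sees: ", at_nginx)
    print("Client sees:", at_client)
```

The packet NGINX receives still carries the client's address as its source, which is the value written to access.log, while the client only ever sees replies from the router's public IP.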