MediaWiki Docker image for Canasta, an all-in-one MediaWiki stack for easy deployment and management of enterprise-ready MediaWiki on production environments.
With current Apache configuration (when combined with Varnish) https://github.com/CanastaWiki/Canasta/blob/master/_sources/configs/mediawiki.conf#L29 the internal Docker gateway IP is being recorded into Apache access logs producing records like:
Where X.X.X.X is the client IP and the 172.N.N.N is the gateway IP. This is reproducible both with Caddy+Varnish https://github.com/CanastaWiki/Canasta-DockerCompose/blob/main/config/Caddyfile and solo Varnish https://github.com/CanastaWiki/Canasta-DockerCompose/blob/main/config/default.vcl configurations.
The reason is that by default the X-Forwarded-By is composed out of client and header values, and thus the only way to remove it is to forcefully tell Varnish to do so (or use another header like X-Real-IP generated by Caddy).
The best solution would be to use mod_real_ip https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html and set the internal IPs as proxies to make Apache ignore these, like it's done at Taqasta https://github.com/WikiTeq/Taqasta/blob/master/_sources/configs/mediawiki.conf#L30
It can also be a good idea to use %a instead of %h in the access log format to avoid accidental host resolves.
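A sketch of the proposed approach with mod_remoteip, added here as an example; it is not the Canasta or Taqasta configuration. The header name (X-Forwarded-For), the 172.16.0.0/12 range, the format name `clientip` and the log path are assumptions to adapt to the actual deployment.

```apache
# Added example: requires mod_remoteip to be enabled (on Debian-based
# images: a2enmod remoteip). Left outside <IfModule> on purpose so a
# missing module fails at startup instead of silently logging proxy IPs.

# Header the front proxies append the client address to.
# Assumption: X-Forwarded-For; use whichever header your proxy really sets.
RemoteIPHeader X-Forwarded-For

# Hops that are allowed to assert a client address. Only list networks
# you control: a request arriving from any other peer keeps its real
# connection address, so a header sent by an outside client is ignored.
# Assumption: the Docker networks live inside 172.16.0.0/12; narrow this
# to the subnet of the compose network where possible.
RemoteIPInternalProxy 172.16.0.0/12
RemoteIPInternalProxy 127.0.0.1

# mod_remoteip walks the header from right to left, skipping addresses
# that match the proxies above, and stops at the first one that does not.
# That address becomes the client IP seen by the rest of Apache.

# %a      client IP after mod_remoteip processing
# %{c}a   underlying peer of the TCP connection (the proxy or gateway),
#         kept so the hop that delivered the request stays auditable
# %h is avoided: it can trigger a reverse DNS lookup when
# HostnameLookups is enabled.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" clientip

# Assumption: Debian-style APACHE_LOG_DIR; container images often log
# to stdout instead.
CustomLog ${APACHE_LOG_DIR}/access.log clientip
```

With this in place the first field of each access log record is the resolved client address and the second is the internal proxy or gateway that handed the request to Apache.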