NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

IP address - Docker #112

Closed Rustymage closed 3 years ago

Rustymage commented 5 years ago

I've recently found this tool and use it on a docker image to point the outside world to some of my services. Some on Raspberry Pi's, some on a NUC.

This tool itself is running in the NUC.

What I've not understood is how to get the real IP address showing in those services. Currently it just shows me a docker IP address. An example is my Seafile service.

Is this a setting or line of code I'm missing? I'm not very experienced with docker so please be gentle!

Thanks in advance!

Rusty.

jc21 commented 5 years ago

It's not a docker issue really, it's an nginx issue. Nginx needs to know what forwarding IPs to ignore when trying to determine the client's real IP address. The project already handles this for common services like AWS and Cloudflare. Currently there's no UI way of adding more IP ranges to this list but I'll add this to the feature request backlog.

Rustymage commented 5 years ago

I'm running via Cloudflare so I'm a little confused why this isn't working then.

Any troubleshooting suggestions? Or have I missed your point?

Cheers!

vsc55 commented 4 years ago

Hi, @Rustymage, do you want the server behind the reverse proxy to see the client's real ip?

If so, I get it by adding this in the advanced settings of the Proxy Host in Nginx:

proxy_set_header Host  $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

The server behind the reverse proxy is Apache; by adding this configuration I have achieved that both Apache and PHP get the real IP of the client.

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy ip.server.proxy.inverse

MattKobayashi commented 4 years ago

Hey @jc21, any word on where this is at? I'm having a similar issue and trying to rewrite the headers as suggested by @vsc55 doesn't seem to be working for me.

Cosmonear commented 4 years ago

Hello @jc21, any news on this? I think these lines just need to be added to the file "proxy.conf":

proxy_set_header Host  $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Because it worked for me before using NPM, when I used this container: https://github.com/linuxserver/docker-swag

jc21 commented 4 years ago

For the record, each proxy host already has these Nginx directives applied.

The IP ranges file defines some behaviour of Nginx in determining the value of the real IP header that it would send if you don't override it. Side note, this file should be empty in git and was committed with data by accident. The content of this file is immediately overwritten when the application is started (see this file) using the most current IP range lists from Cloudflare and Cloudfront.

Looking at the nginx docs for the real IP module I think the big problem here is the following:

real_ip_header X-Forwarded-For;

The default is X-Real-IP so might be better to leave it that way. I've made a docker build for this change but I'd like others to test it, without making any of those proxy_set_header definitions in your custom configuration for your host.

Anyone wanting to test can use this docker image:

jc21/nginx-proxy-manager:github-real_ip

In order to ensure that the Nginx configuration for your host is written, please edit your host and save it to trigger a re-write.

Note that this won't solve the initial enhancement, which is to allow a user-defined IP range for real IP determination.
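An added example, not part of the thread and not the project's code: a simplified Python model of the documented behaviour of the nginx real IP module discussed above, showing which address ends up as the client IP for a given TCP peer, `set_real_ip_from` list and `real_ip_header`. The function names and sample requests are constructed for illustration; the trusted ranges and the 172.19.0.1 gateway address are values quoted elsewhere in this thread.

```python
from ipaddress import ip_address, ip_network

# Three of the Cloudflare ranges quoted in this thread; the full list is longer.
TRUSTED = [ip_network(n) for n in ("173.245.48.0/20", "172.64.0.0/13", "2606:4700::/32")]


def is_trusted(addr, trusted=TRUSTED):
    """True if addr falls inside one of the set_real_ip_from ranges."""
    return any(addr.version == net.version and addr in net for net in trusted)


def resolve_client_ip(peer, headers, real_ip_header, trusted=TRUSTED, recursive=False):
    """Address the proxy treats as the client after realip-style processing."""
    addr = ip_address(peer)
    value = headers.get(real_ip_header)
    # The header is honoured only when the TCP peer is a trusted proxy;
    # otherwise anyone connecting directly could claim any address.
    if value is None or not is_trusted(addr, trusted):
        return str(addr)
    hops = [h.strip() for h in value.split(",") if h.strip()]
    for hop in reversed(hops):  # rightmost entry was appended by the nearest proxy
        try:
            candidate = ip_address(hop)
        except ValueError:
            break  # unparsable entry: stop and keep the last good address
        addr = candidate
        if not recursive or not is_trusted(addr, trusted):
            break
    return str(addr)


# Constructed sample requests (a documentation address stands in for the visitor).
CF_EDGE, DOCKER_GW, VISITOR = "173.245.48.10", "172.19.0.1", "203.0.113.7"
CF_HEADERS = {"CF-Connecting-IP": VISITOR, "X-Forwarded-For": VISITOR + ", 172.64.0.9"}

if __name__ == "__main__":
    for label, args, kw in [
        ("Cloudflare peer, CF-Connecting-IP", (CF_EDGE, CF_HEADERS, "CF-Connecting-IP"), {}),
        ("Cloudflare peer, X-Real-IP absent", (CF_EDGE, CF_HEADERS, "X-Real-IP"), {}),
        ("Docker gateway peer (untrusted)", (DOCKER_GW, CF_HEADERS, "CF-Connecting-IP"), {}),
        ("X-Forwarded-For, recursive off", (CF_EDGE, CF_HEADERS, "X-Forwarded-For"), {}),
        ("X-Forwarded-For, recursive on", (CF_EDGE, CF_HEADERS, "X-Forwarded-For"), {"recursive": True}),
    ]:
        print(f"{label:36} -> {resolve_client_ip(*args, **kw)}")
```

When the peer nginx sees is not in the trusted list (for example a Docker gateway address), no header setting changes the result, so the fix has to be made at the network layer or by trusting that specific hop.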

techsolo12 commented 4 years ago

Hello @jc21,

I have tested the real IP build, but it didn't work for me. I built the container and NPM works. Only the edit button does nothing. After a restart I get this error.

[10/22/2020] [6:43:11 PM] [Migrate ] › ℹ info Current database version: 20201014143841
[10/22/2020] [6:43:12 PM] [Global ] › ✖ error Command failed: pip3 install
ERROR: You must give at least one requirement to install (see "pip help install")
WARNING: You are using pip version 20.1.1; however, version 20.2.4 is available.
You should consider upgrading via the '/usr/bin/python3 -m pip install --upgrade pip' command.

So I upgraded pip with this command: /usr/bin/python3 -m pip install --upgrade pip

Now I have this error:

[10/22/2020] [6:48:33 PM] [Migrate ] › ℹ info Current database version: 20201014143841
[10/22/2020] [6:48:33 PM] [Global ] › ✖ error Command failed: pip3 install
ERROR: You must give at least one requirement to install (see "pip help install")

At least with the real IP setting, I don't see the real IP at the host behind NPM, only the IP from NPM.

jc21 commented 4 years ago

That pip error should not occur anymore. I've been testing and concluded that the changes coming to v2.6.2 will fix the x-real-ip value not being set for you

techsolo12 commented 4 years ago

@jc21 I can confirm that 2.6.2 forwards the real IP; for me it works very well. Thank you for your support and your project!

Cosmonear commented 4 years ago

Thanks @jc21 I just installed it and tried it.

So, for me, it is not working... But a first step !

zeroone82 commented 3 years ago

> Thanks @jc21 I just installed it and tried it.
>
>   • Now in the logfile of NPM i have the cloudflare IP (which i use as proxy to my server) and not the IP of the client whereas before the 2.6.2 update i had the real client IP in the NPM logfile.
>   • And now, in my dockers logfiles i have Cloudflare IP whereas i had the docker network gateway IP.
>
> So, for me, it is not working... But a first step !

Same for me, I'm getting Cloudflare IPs on the destination host even though all IPs are in ip_ranges.conf

Rustymage commented 3 years ago

So I just tried the latest and the jc21/nginx-proxy-manager:github-real_ip images and I am getting Cloudflare IPs in the logs.

I have reverted to 2.6.0 & I now get the client IP again.

Rustymage commented 3 years ago

Going to close as I have the real IPs in the containers at this current moment. Thanks for the efforts!

Cosmonear commented 3 years ago

Well, if you close it, do we have to open another one for those issues ?

> Thanks @jc21 I just installed it and tried it.
>
>   • Now in the logfile of NPM i have the cloudflare IP (which i use as proxy to my server) and not the IP of the client whereas before the 2.6.2 update i had the real client IP in the NPM logfile.
>
>   • And now, in my dockers logfiles i have Cloudflare IP whereas i had the docker network gateway IP.
>
> So, for me, it is not working... But a first step !

SubrataM3 commented 3 years ago

I can confirm that this issue exists on 2.6.2 and reverting to 2.6.0 fixes this.

@jc21 Should we create a new issue for this as this issue is closed?

blade1989 commented 1 year ago

I tried all of the above, including the links, but when I try to get the PHP variables for the server IP, I get the following IPs instead of the real visitor IP.

$_SERVER['HTTP_X_REAL_IP'] | 172.19.0.1
$_SERVER['HTTP_X_FORWARDED_FOR'] | 172.19.0.1

I am running the latest version (2.10.2), updated today, via docker compose (jc21/nginx-proxy-manager:latest), restarted it multiple times, and in the Advanced tab added the real IP header with the Cloudflare IPv4 and IPv6 IPs, but no luck. The above variables remain unchanged. Adding real_ip_header CF-Connecting-IP; and/or real_ip_header X-Forwarded-For; also didn't help.

Any help is greatly appreciated

Rustymage commented 1 year ago

What's your setup into NPM, what's the actual config you're pasting into the advanced config section and what do the logs say and where are they from?

Salamafet commented 1 year ago

On which system is docker running?

In my case (Synology), I have created prerouting rules on iptables to be able to view real client IP

sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER

blade1989 commented 1 year ago

@Rustymage My current NPM configuration

Details

Scheme: http
Forward Hostname / IP: IPv4 address
Forward Port: 80

Cache Assets: enabled
Block Common Exploits: enabled
Websockets Support: enabled

Access List: Publicly Accessible

SSL

Force SSL: enabled
HTTP/2 Support: enabled
HSTS Enabled: disabled
HSTS Subdomains: disabled

Advanced Custom NGINX Configuration

#Cloudflare
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;

set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;

real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;

blade1989 commented 1 year ago

@Salamafet I am running Ubuntu 22.04.2 LTS. I have no firewalls configured, just a network firewall. Nothing on the server.

I am running docker rootless

Rustymage commented 1 year ago

I found this via some searching - https://github.com/moby/moby/issues/41789

It appears to be an issue with Docker rootless, rather than NPM.

iptoux commented 1 year ago

> I found this via some searching - https://github.com/moby/moby/issues/41789
>
> It appears to be an issue with Docker rootless, rather than NPM.

I run npm without docker in an lxc and @home and have the same problems; all connections from outside are shown in my services with the IP of the npm client instead of the IPs of the visitors.

dalekcoffee commented 1 year ago

Just passing by and bumping as I have been trying to get NPM to pass real IPs to my wordpress site

Several tutorials followed, some did nothing, some broke my connection until I removed the advanced items

Wild to see this issue is from 2019

rake8288 commented 1 year ago

I'm also still seeing this, it doesn't affect me negatively at this time, but I really would like to see remote ip addresses associated with public connections to my services.

@jc21 this likely isn't high priority, but can you provide an update whether any work is planned or ongoing on this?

thornzz commented 1 year ago

Same here, it's really critical for software developers like me :)

niallobr commented 1 year ago

> On which system is docker running?
>
> In my case (Synology), I have created prerouting rules on iptables to be able to view real client IP
>
> sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
> sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER

In my case (Synology also) can confirm running this and adding the config originally posted by vsc55 into the Advanced tab of the Proxy Host in NPM solved the issue for me. Plex and Emby containers now see the remote client IP.

proxy_set_header Host  $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Thank you @Salamafet and @vsc55 for this solution

nubblesite commented 8 months ago

Any solution to this yet?

germanyague commented 2 months ago

I'm just dropping by here to leave a note that on Synology you also need to add your Docker bridge IP to the trusted proxies of Synology for this to work in Synology's own logs, here: [screenshot] because if you edit /etc/nginx/nginx.conf directly, the DSM gets that table every time you restart nginx with "synosystemctl restart nginx" and any changes you may have made are lost.