captncraig / caddy-realip

Real-IP middleware for caddy
MIT License

realip for Caddy Docker container in bridged network #16

Closed qdm12 closed 5 years ago

qdm12 commented 5 years ago

Hi there,

I have a Caddy Docker container running in a standard bridged Docker network with gateway 10.0.0.1. Whenever a machine from the outside accesses Caddy, Caddy sees the IP as 10.0.0.1. I tried your plugin even with

realip {
  from 0.0.0.0/0
}

in the Caddyfile without success, the IP is still seen as the Docker network gateway 10.0.0.1. Is there any solution to this? I wrote a golang program which runs in a Docker container in that same network and finds the real IP, so I hope there is a solution. For now, my only ugly workaround is to have the Caddy Docker container in my host network with --net=host which I would like to avoid.

Thank you in advance!

captncraig commented 5 years ago

I'm not sure there is a way to do this in bridge mode. As I understand, it uses iptables to forward packets, and needs to rewrite the headers to do so. There is a NAT happening at the OS level that I don't see a good way around. If you want the original IP, you need to either handle the packets directly (host mode) or use some kind of heavier overlay.

I wouldn't normally recommend host networking either, but in the case of your main load balancer, I think it's often best to go ahead and bind to 80/443 on the host directly.

I can't run your example right now because I'm mobile, but I'm not convinced from the source that it would work as you say. Are you sure it actually gets the remote IP?

qdm12 commented 5 years ago

Hi and thanks for the quick reply!

I re-tested my Go program and it finds an IP address different from the gateway (or my server's public IP) when connecting to it with my phone's mobile 3G network.

EDIT: This only finds a public IP address for 3G network devices in the X-Forwarded-For header. The X-Real-Ip is always empty and the remote address is always the Docker gateway 10.0.0.1. There is thus no way around it, as you pointed out (a Moby issue). I will try to write some TCP level program to forward the IP and let you know if it works. Thanks!
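The thread above touches two separate things: the bridge NAT rewrites the TCP source address so the remote address is always the gateway (no header can fix that), and a `realip`-style middleware only ever derives a client IP from X-Forwarded-For, trusting the header exactly as far as the `from` list says. The Go program below is an added example, not caddy-realip's own code, showing how such a trusted-proxy walk behaves under the `from 0.0.0.0/0` configuration from the first post versus a narrow `from 10.0.0.1/32`. The function names `ParseTrusted` and `ClientIP` and the IP addresses used are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ParseTrusted turns a list of CIDRs (the equivalent of the realip "from"
// directive) into networks that ClientIP will believe X-Forwarded-For from.
func ParseTrusted(cidrs []string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad cidr %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

func isTrusted(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the address to treat as the client. remoteAddr is the TCP
// peer in "host:port" form (as in http.Request.RemoteAddr), xff is the raw
// X-Forwarded-For header. Hops are walked right to left and only entries
// appended by trusted proxies are skipped; the first untrusted hop wins.
func ClientIP(remoteAddr, xff string, trusted []*net.IPNet) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // already a bare host
	}
	peer := net.ParseIP(host)
	// If the direct peer is not a trusted proxy, anyone could have written
	// the header, so it is ignored entirely.
	if peer == nil || !isTrusted(peer, trusted) || strings.TrimSpace(xff) == "" {
		return host
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return host // malformed entry: do not guess, fall back to the peer
		}
		if !isTrusted(ip, trusted) {
			return ip.String()
		}
	}
	// Every hop was a trusted proxy; the leftmost entry is the originator.
	return net.ParseIP(strings.TrimSpace(hops[0])).String()
}

func main() {
	wide, _ := ParseTrusted([]string{"0.0.0.0/0"})   // the config from the issue
	narrow, _ := ParseTrusted([]string{"10.0.0.1/32"}) // just the Docker gateway

	// Constructed scenarios: peer is the bridge gateway with no header (the
	// situation in the issue), then a header supplied by a trusted and by an
	// untrusted peer.
	fmt.Println(ClientIP("10.0.0.1:51234", "", narrow))                   // 10.0.0.1
	fmt.Println(ClientIP("10.0.0.1:51234", "203.0.113.9", narrow))        // 203.0.113.9
	fmt.Println(ClientIP("198.51.100.7:40000", "203.0.113.9", narrow))    // 198.51.100.7
	fmt.Println(ClientIP("198.51.100.7:40000", "203.0.113.9", wide))      // 203.0.113.9
}
```

The last two lines of `main` are the point of the `from` directive: with `10.0.0.1/32` a header arriving from an untrusted peer is discarded, while with `0.0.0.0/0` whatever any client puts in X-Forwarded-For becomes the logged and rate-limited "real" IP. Neither setting helps with the first scenario, because the bridge NAT hands the container a connection from 10.0.0.1 with no header at all.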