ehazlett / interlock

Docker Event Driven Plugin System
Apache License 2.0

Real IP not forwarded to app container #174

Open dymat opened 8 years ago

dymat commented 8 years ago

Hi there!

I use interlock to manage several web apps on the same host.

For one app I need the real IP address of the visitor to be passed to the app container. But neither the reverse nginx nor the app container sees the real IP. On both I get 172.18.0.1.

As I understand the nginx.conf.template, the real IP should be forwarded...

Could it be a bug or is it just badly configured on my side?

Thanks in advance for any hint, ~D

Here's my configuration:

docker-compose.yml

version: "2"

services:
    interlock:
        image: ehazlett/interlock:1.2.0
        command: run -c /etc/interlock/config.toml
        ports:
            - 8080
        volumes:
            - ./config.toml:/etc/interlock/config.toml
            - ./nginx.conf.template:/etc/interlock/nginx.conf.template
            - /var/run/docker.sock:/var/run/docker.sock

    nginx:
        image: nginx:latest
        entrypoint: nginx
        command: -g "daemon off;" -c /etc/nginx/nginx.conf
        ports:
            - 80:80
            - 443:443
        labels:
            - "interlock.ext.name=nginx"
        links:
            - interlock:interlock
        depends_on:
            - interlock

        volumes:
            - /etc/letsencrypt/live/:/etc/letsencrypt/live/
            - /etc/letsencrypt/archive/:/etc/letsencrypt/archive/
        restart: always

    mysite:
        build: ./mysite/
        ports:
            - 80
        volumes:
            - ./mysite/html:/var/www/html
            - ./mysite/logs:/var/log/nginx
        labels:
            - "interlock.hostname=mysite"
            - "interlock.domain=de"
            - "interlock.alias_domain.1=www.mysite.de"
            - "interlock.alias_domain.2=www.mysite.com"
            - "interlock.alias_domain.3=mysite.com"
            - "interlock.ssl=true"
            - "interlock.ssl_cert=/etc/letsencrypt/live/mysite/fullchain.pem"
            - "interlock.ssl_cert_key=/etc/letsencrypt/live/mysite/privkey.pem"
        restart: always
        links:
            - db
    db:
        image: mariadb
        environment:
            - MYSQL_ROOT_PASSWORD=test
            - MYSQL_DATABASE=test
            - MYSQL_USER=test
            - MYSQL_PASSWORD=test
        volumes:
            - ./mysite/mysql:/var/lib/mysql
            - ./mysite/dbinit:/docker-entrypoint-initdb.d/

config.toml

ListenAddr = ":8080"
DockerURL = "unix:///var/run/docker.sock"

[[Extensions]]
Name = "nginx"
ConfigPath = "/etc/nginx/nginx.conf"
PidPath = "/var/run/nginx.pid"
TemplatePath = "/etc/interlock/nginx.conf.template"
BackendOverrideAddress = "172.17.0.1"
MaxConn = 1024
Port = 80
SSLPort = 443
NginxPlusEnabled = false

nginx.conf.template https://github.com/ehazlett/interlock/blob/master/docs/examples/nginx/nginx.conf.template.example

dymat commented 8 years ago

I had a look into the docker-compose logs again and found something strange that might be a hint.

This snippet logs one (and only one) site request. In all lines but one you see the docker-ip (172.17.0.1). In the 5th line suddenly my real IP appears.

nginx_1        | 172.17.0.1 - - [16/Jun/2016:12:36:54 +0000] "GET / HTTP/1.1" 200 15646 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0" "-"
nginx_1        | 172.17.0.1 - - [16/Jun/2016:12:36:54 +0000] "GET /js/jquery.min.js HTTP/1.1" 304 0 "http://mysite.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0" "-"
nginx_1        | 172.17.0.1 - - [16/Jun/2016:12:36:54 +0000] "GET /js/bootstrap.js HTTP/1.1" 304 0 "http://mysite.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0" "-"
nginx_1        | 172.17.0.1 - - [16/Jun/2016:12:36:54 +0000] "GET /css/bootstrap.css HTTP/1.1" 304 0 "http://mysite.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0" "-"
nginx_1        | 95.90.<???>.45 - - [16/Jun/2016:12:36:54 +0000] "GET /css/app.css HTTP/1.1" 304 0 "http://mysite.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0" "-"
nginx_1        | 172.17.0.1 - - [16/Jun/2016:12:36:54 +0000] "GET /logo.svg HTTP/1.1" 304 0 "http://mysite.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0" "-"
nginx_1        | 172.17.0.1 - - [16/Jun/2016:12:36:54 +0000] "GET /header-980.jpg HTTP/1.1" 304 0 "http://mysite.com/css/app.css" "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0" "-"

But when I use the TorBrowser it looks like this:

nginx_1        | 163.172.129.70 - - [16/Jun/2016:12:48:58 +0000] "GET / HTTP/1.1" 200 15632 "-" "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
nginx_1        | 163.172.129.70 - - [16/Jun/2016:12:48:58 +0000] "GET /css/app.css HTTP/1.1" 200 6822 "http://mysite.com/" "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
nginx_1        | 163.172.129.70 - - [16/Jun/2016:12:48:58 +0000] "GET /js/jquery.min.js HTTP/1.1" 200 84380 "http://mysite.com/" "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
nginx_1        | 163.172.129.70 - - [16/Jun/2016:12:48:58 +0000] "GET /js/bootstrap.js HTTP/1.1" 200 36868 "http://mysite.com/" "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
nginx_1        | 163.172.129.70 - - [16/Jun/2016:12:48:58 +0000] "GET /css/bootstrap.css HTTP/1.1" 200 121260 "http://mysite.com/" "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
nginx_1        | 163.172.129.70 - - [16/Jun/2016:12:48:59 +0000] "GET /logo.svg HTTP/1.1" 200 5728 "http://mysite.com/" "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
nginx_1        | 163.172.129.70 - - [16/Jun/2016:12:48:59 +0000] "GET /header-1024.jpg HTTP/1.1" 200 257441 "http://mysite.com/css/app.css" "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" "-"

Any idea or hint or further question is welcome.

Regards, ~D

EDIT: these logs come from a setup using interlock 1.1.0
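A way to quantify what the logs above show, as an added example that is not part of the original thread or of interlock: it counts how many access-log entries record an internal (RFC 1918, such as a Docker bridge gateway) source address and whether an X-Forwarded-For value still carries a client address. It assumes nginx's stock `main` log format, whose last quoted field is `$http_x_forwarded_for`; the function names and the sample lines are constructed here.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges; Docker bridge gateways such as 172.17.0.1 and 172.18.0.1
# fall inside 172.16.0.0/12.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Optional docker-compose prefix ("nginx_1 | "), then nginx's stock "main"
# format, whose last quoted field is $http_x_forwarded_for (assumption).
LINE_RE = re.compile(
    r'^(?:\S+\s+\|\s+)?(?P<addr>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" '
    r'\d{3} \d+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"\s*$')

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def audit(lines):
    """Classify each entry by whether the visitor's address is still visible."""
    report, sources = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        try:
            addr = ipaddress.ip_address(m.group("addr")) if m else None
        except ValueError:              # redacted or malformed address
            addr = None
        if addr is None:
            report["unparsed"] += 1
            continue
        sources[str(addr)] += 1
        if not is_internal(addr):
            report["client_visible"] += 1
        elif m.group("xff") in ("", "-"):
            report["client_lost"] += 1  # no header left to recover the visitor from
        else:
            report["client_in_xff_only"] += 1
    return report, sources

# Constructed sample lines modelled on the logs above (203.0.113.7 is a documentation address).
SAMPLE = [
    'nginx_1   | 172.17.0.1 - - [16/Jun/2016:12:36:54 +0000] "GET / HTTP/1.1" 200 15646 "-" "Mozilla/5.0" "-"',
    'nginx_1   | 172.17.0.1 - - [16/Jun/2016:12:36:54 +0000] "GET /logo.svg HTTP/1.1" 304 0 "-" "Mozilla/5.0" "-"',
    'nginx_1   | 203.0.113.7 - - [16/Jun/2016:12:36:54 +0000] "GET /css/app.css HTTP/1.1" 304 0 "-" "Mozilla/5.0" "-"',
    'mysite_1  | 172.18.0.1 - - [16/Jun/2016:12:36:54 +0000] "GET / HTTP/1.1" 200 15646 "-" "Mozilla/5.0" "203.0.113.7"',
    'nginx_1   | 95.90.<???>.45 - - [16/Jun/2016:12:36:54 +0000] "GET /css/app.css HTTP/1.1" 304 0 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Entries counted as `client_lost` on the proxy itself mean the source address was already replaced before nginx accepted the connection, so per-client logging, rate limiting or allow-listing based on it applies to the gateway address instead of the visitor.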

ehazlett commented 8 years ago

Hmm, this is odd. I thought we had it set up to pass the real IP. I will see if I can duplicate.