hoellen / dockerfiles

Dockerfiles
https://hub.docker.com/u/hoellen
Creative Commons Zero v1.0 Universal

Real IP behind nginx proxy #25

Closed archont00 closed 5 years ago

archont00 commented 5 years ago

Hi, as per https://help.nextcloud.com/t/real-ip-in-docker-behind-nginx-reverse-proxy/43917 the IP in the nextcloud log is the IP of the docker rather than the original remote IP.

{"reqId":"MMdMqOvTwJ04LKO14hCj","level":2,"time":"2019-03-03 15:21:21","remoteAddr":"172.18.0.1","user":"--","app":"core","method":"POST","url":"\/login?redirect_url=\/settings\/user","message":"Login failed: 'sadf' (Remote IP: '172.18.0.1')","userAgent":"Mozilla\/5.0 (X11; Linux x86_64; rv:65.0) Gecko\/20100101 Firefox\/65.0","version":"15.0.5.3"}

There is a proposed solution for the apache web server used in the official docker. Does anyone know how to fix that with nginx, like in the hoellen/nextcloud docker?

BTW, I use nginx reverse-proxy on host with

location / {
    proxy_set_header        Host              $host;
    proxy_set_header        X-Real-IP         $remote_addr;
    proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;

    proxy_pass              http://localhost:8010;
    proxy_buffering         off;
    proxy_read_timeout      360s;
    proxy_redirect          default;
}

archont00 commented 5 years ago

I have rebuilt your nginx docker image --with-http_realip_module and added

set_real_ip_from 172.0.0.0/8; # Ip/network of the reverse proxy (or ip received into REMOTE_ADDR)
real_ip_header X-Forwarded-For;

to /nginx/sites-enabled/nginx.conf of nextcloud. The docker IP should be a variable, though.

hoellen commented 5 years ago

You shouldn't need the http_realip_module for displaying the real IP in the logs. You can set the following settings in your nextcloud config (here it is a fixed IP address, but you can also use a subnet):

'trusted_proxies' => array ('172.17.22.123',  ),
'forwarded_for_headers' => array ('HTTP_X_FORWARDED_FOR',  ),

Furthermore, you should not set the trusted subnet to 172.0.0.0/8. The private IP address range (starting with 172) is from 172.16.0.0 to 172.31.255.255. So your CIDR-notation should be 172.16.0.0/12. Or if you don't use a lot of Docker services (or have other reasons), 172.17.0.0/16 is already enough.

More information about trusted_proxy: https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#all-other-configuration-options
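
The trusted-proxy check discussed in this thread, as an added Python example (not part of the original thread, and not Nextcloud's or nginx's own code). It is a simplified model that walks X-Forwarded-For right to left and shows how the logged address changes between 172.0.0.0/8 and 172.16.0.0/12; the function names and the 172.32.0.5, 203.0.113.x and 198.51.100.x addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges; a trusted-proxy entry should sit inside one of them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def covers_only_private(cidr):
    """True if every address in `cidr` lies in RFC 1918 private space."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(p) for p in RFC1918)

def is_trusted(addr, trusted_cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in trusted_cidrs)

def resolve_client_ip(remote_addr, x_forwarded_for, trusted_cidrs):
    """Address to record as the client (hypothetical helper).

    The header is honoured only when the direct peer is a trusted proxy.
    The chain is then read right to left, skipping trusted hops, so values
    a client put at the left of the header are never reached.
    """
    if not x_forwarded_for or not is_trusted(remote_addr, trusted_cidrs):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted_cidrs):
                return hop
        except ValueError:
            return remote_addr  # malformed entry: fall back to the peer
    return hops[0] if hops else remote_addr  # every hop was a trusted proxy

if __name__ == "__main__":
    # Constructed requests: (direct peer, X-Forwarded-For header)
    requests = [
        ("172.18.0.1", "203.0.113.7"),               # via the Docker gateway
        ("172.18.0.1", "10.9.9.9, 203.0.113.7"),     # client-supplied left entry
        ("172.32.0.5", "198.51.100.9"),              # peer outside private space
    ]
    for cidr in ("172.0.0.0/8", "172.16.0.0/12", "172.18.0.0/16"):
        print(cidr, "only private:", covers_only_private(cidr))
        for peer, xff in requests:
            print("  peer", peer, "XFF", repr(xff), "->",
                  resolve_client_ip(peer, xff, [cidr]))
```

With 172.0.0.0/8 the third request is logged with the header value, because 172.32.0.5 falls inside the trusted range although it is not a private address; with 172.16.0.0/12 or narrower the peer address itself is logged.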

archont00 commented 5 years ago

Thanks for the response, you're right re. the private IP range, I have limited the trusted IP to 172.18.0.0/16 now. However, adding trusted proxy to the nextcloud config and removing the set_real_ip_from and real_ip_header from nginx in the docker container does not work for me. I will try to investigate (I assume I will need to log the full headers in the docker container).

archont00 commented 5 years ago

Not sure what I did wrongly earlier, the proposed solution works fine for me now.

P.S. I limited the trusted_proxies to a single IP address, which I set as a gateway in docker-compose.yaml in the network definition