archont00 closed 5 years ago
I have rebuilt your nginx docker image --with-http_realip_module and added
set_real_ip_from 172.0.0.0/8; # Ip/network of the reverse proxy (or ip received into REMOTE_ADDR)
real_ip_header X-Forwarded-For;
to /nginx/sites-enabled/nginx.conf of nextcloud. The docker IP should be a variable, though.
You shouldn't need the http_realip_module for displaying the real ip in the logs.
You can set the following settings in your nextcloud config (here it is a fixed ip-address, but you can also use a subnet):
'trusted_proxies' => array ('172.17.22.123', ),
'forwarded_for_headers' => array ('HTTP_X_FORWARDED_FOR', ),
Furthermore, you should not set the trusted subnet to 172.0.0.0/8. The private IP address range (starting with 172) is from 172.16.0.0 to 172.31.255.255. So your CIDR-notation should be 172.16.0.0/12.
Or if you don't use a lot of Docker services (or have other reasons), 172.17.0.0/16 is already enough.
More information about trusted_proxy: https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#all-other-configuration-options
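An added example, not part of the thread and not Nextcloud's or nginx's code: a simplified model of trusted-proxy handling that compares the ranges discussed above and shows what 172.0.0.0/8 lets through. The function names, the right-to-left header walk and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

RFC1918_172 = ipaddress.ip_network("172.16.0.0/12")  # 172.16.0.0 - 172.31.255.255


def in_any(addr, networks):
    """True if addr falls inside any of the given IPs/CIDR ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def client_ip(remote_addr, xff, trusted):
    """Address to log for a request (simplified model, assumed logic)."""
    # The header is only believed when the direct peer is a trusted proxy.
    if not in_any(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left: the first hop that is not a trusted proxy is the client.
    for hop in reversed(hops):
        try:
            if not in_any(hop, trusted):
                return hop
        except ValueError:
            return remote_addr  # malformed header entry: fall back to the peer
    return remote_addr


def only_private(network):
    """True if the whole range sits inside 172.16.0.0/12."""
    return ipaddress.ip_network(network).subnet_of(RFC1918_172)


if __name__ == "__main__":
    # Constructed requests: (direct peer, X-Forwarded-For header)
    samples = [("172.18.0.1", "203.0.113.7"),
               ("172.18.0.5", "203.0.113.7, 172.18.0.1"),
               ("172.32.5.9", "198.51.100.1")]  # peer outside the private range
    for trusted in (["172.0.0.0/8"], ["172.16.0.0/12"], ["172.18.0.1"]):
        print(trusted, "private only:", only_private(trusted[0]))
        for peer, xff in samples:
            print("  peer", peer, "->", client_ip(peer, xff, trusted))
```

With 172.0.0.0/8 the forwarded header is accepted from a peer outside the private range, so the logged address becomes whatever that peer claims; with 172.16.0.0/12 or a single proxy IP the peer's own address is logged instead.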
Thanks for response, you're right re. the private IP range, I have limited the trusted IP to 172.18.0.0/16 now.
However, adding trusted proxy to nextcloud config and removing the set_real_ip_from and real_ip_header from nginx in docker container does not work for me. I will try to investigate (I assume I will need to log the full headers in docker container).
Not sure what I did wrongly earlier, the proposed solution works fine for me now.
P.S. I limited the trusted_proxies to a single IP address, which I set as a gateway in docker-compose.yaml in the network definition.
Hi, as per https://help.nextcloud.com/t/real-ip-in-docker-behind-nginx-reverse-proxy/43917 the IP in nextcloud log is the IP of the docker rather than the original remote IP.
There is a proposed solution for apache web server used in the official docker, anyone know how to fix that with nginx like in hoellen/nextcloud docker?
BTW, I use nginx reverse-proxy on host with