Closed jonathon2nd closed 10 months ago
Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.
First, update the configs mentioned in the log.
Then I recommend using https://github.com/linuxserver/docker-mods on your bookstack container, and if you're using SWAG as your reverse proxy, use the mod there as well.
oh I see, kinda glossed over that
[migrations] started
[migrations] 01-nginx-site-confs-default: skipped
[migrations] 02-default-location: skipped
[migrations] done
usermod: no changes
───────────────────────────────────────
██╗ ███████╗██╗ ██████╗
██║ ██╔════╝██║██╔═══██╗
██║ ███████╗██║██║ ██║
██║ ╚════██║██║██║ ██║
███████╗███████║██║╚██████╔╝
╚══════╝╚══════╝╚═╝ ╚═════╝
Brought to you by linuxserver.io
───────────────────────────────────────
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID: 911
User GID: 911
───────────────────────────────────────
using keys found in /config/keys
App Key found - setting variable for seds
Running config - DB_HOST set
Waiting for DB to be available
INFO Nothing to migrate.
[custom-init] No custom files found, skipping...
[ls.io-init] done.
Fixed. Updated nginx config and default.conf and still no luck. Will look into what that docker-mod is and get back.
https://github.com/linuxserver/docker-bookstack#docker-mods
I am not seeing any Mods listed for Bookstack
Also checked here: https://mods.linuxserver.io/?mod=universal I am not seeing anything that would help with Nginx. I am also not using swag, the only image used is ghcr.io/linuxserver/bookstack:23.02.3
I think he meant to link https://github.com/linuxserver/docker-mods/tree/swag-cloudflare-real-ip
It's a "swag" mod but it will basically work for any container that uses nginx.
Aaaaaa, I understand.
It did not work though :(
[mod-init] Attempting to run Docker Modification Logic
[mod-init] Applying linuxserver/mods:swag-cloudflare-real-ip files to container
[mod-init] linuxserver/mods:swag-cloudflare-real-ip applied to container
[migrations] started
[migrations] 01-nginx-site-confs-default: skipped
[migrations] 02-default-location: skipped
[migrations] done
usermod: no changes
───────────────────────────────────────
██╗ ███████╗██╗ ██████╗
██║ ██╔════╝██║██╔═══██╗
██║ ███████╗██║██║ ██║
██║ ╚════██║██║██║ ██║
███████╗███████║██║╚██████╔╝
╚══════╝╚══════╝╚═╝ ╚═════╝
Brought to you by linuxserver.io
───────────────────────────────────────
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID: 911
User GID: 911
───────────────────────────────────────
using keys found in /config/keys
App Key found - setting variable for seds
Running config - DB_HOST set
Waiting for DB to be available
INFO Nothing to migrate.
[custom-init] No custom files found, skipping...
[ls.io-init] done.
root@bookstack-5564c5c769-j9jp9:/# cat /config/nginx/cf_real-ip.conf
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 169.254.1.1;
root@bookstack-5564c5c769-j9jp9:/# cat /config/nginx/nginx.conf
## Version 2023/04/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample
### Based on alpine defaults
# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.15-stable
user abc;
# Set number of worker processes automatically based on number of CPU cores.
include /config/nginx/worker_processes.conf;
# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;
# Configures default error logger.
error_log /config/log/nginx/error.log;
# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;
# Include files with config snippets into the root context.
include /etc/nginx/conf.d/*.conf;
events {
# The maximum number of simultaneous connections that can be opened by
# a worker process.
worker_connections 1024;
}
http {
# Includes mapping of file name extensions to MIME types of responses
# and defines the default type.
include /etc/nginx/mime.types;
default_type application/octet-stream;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /config/nginx/cf_real-ip.conf;
# Name servers used to resolve names of upstream servers into addresses.
# It's also needed when using tcpsocket and udpsocket in Lua modules.
#resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
include /config/nginx/resolver.conf;
# Don't tell nginx version to the clients. Default is 'on'.
server_tokens off;
# Specifies the maximum accepted body size of a client request, as
# indicated by the request header Content-Length. If the stated content
# length is greater than this size, then the client receives the HTTP
# error code 413. Set to 0 to disable. Default is '1m'.
client_max_body_size 0;
# Sendfile copies data between one FD and other from within the kernel,
# which is more efficient than read() + write(). Default is off.
sendfile on;
# Causes nginx to attempt to send its HTTP response head in one packet,
# instead of using partial frames. Default is 'off'.
tcp_nopush on;
# all ssl related config moved to ssl.conf
# included in server blocks where listen 443 is defined
# Enable gzipping of responses.
#gzip on;
# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
gzip_vary on;
# Helper variable for proxying websockets.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Sets the path, format, and configuration for a buffered log write.
access_log /config/log/nginx/access.log;
# Includes virtual hosts configs.
include /etc/nginx/http.d/*.conf;
include /config/nginx/site-confs/*.conf;
}
daemon off;
pid /run/nginx.pid;
Audit log is still showing CF IP after pod reboot.
What reverse proxy are you using?
AH! I forgot about traefik on the k8s cluster :sweat_smile: Will update with needed plugin tomorrow and see where that leads.
Cloudflare is the proxy, but I need to make changes to traefik too it seems.
Welp, using a traefik plugin did not fix it. Still only seeing Cloudflare IP's.
Going from Cloudflare DNS+proxy -> Traefik on k8s cluster -> Ingress with plugin middleware -> Bookstack pod with Nginx
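Added example (not part of the original thread or of linuxserver.io's code): a small Python model of how the realip directives in the nginx.conf posted above choose the client address, following nginx's documented behaviour for set_real_ip_from, real_ip_header and real_ip_recursive. The addresses, the 10.42.0.0/16 pod range and the header values are constructed for illustration.

```python
import ipaddress

# A few of the Cloudflare ranges from cf_real-ip.conf above (subset, for brevity).
CLOUDFLARE = ["173.245.48.0/20", "172.64.0.0/13", "104.16.0.0/13", "2606:4700::/32"]
# Assumption: hypothetical pod network of the cluster where the ingress proxy runs.
POD_NET = ["10.42.0.0/16"]


def is_trusted(addr, trusted):
    """True if addr falls inside any set_real_ip_from range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in trusted)


def real_ip(peer, xff, trusted, recursive=True):
    """Model of set_real_ip_from / real_ip_header / real_ip_recursive."""
    addr = peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # The header is consulted only while the current address is a trusted proxy.
    while hops and is_trusted(addr, trusted):
        candidate = hops.pop()  # right-most entry not yet consumed
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # unparsable entry: keep the address found so far
        addr = candidate
        if not recursive:
            break
    return addr


# Constructed sample values: client, Cloudflare edge, in-cluster ingress pod.
CLIENT, CF_EDGE, INGRESS_POD = "203.0.113.7", "172.64.0.10", "10.42.0.15"
XFF = f"{CLIENT}, {CF_EDGE}"


def demo():
    both = CLOUDFLARE + POD_NET
    return {
        "cf_only": real_ip(INGRESS_POD, XFF, CLOUDFLARE),
        "cf_and_pod": real_ip(INGRESS_POD, XFF, both),
        "not_recursive": real_ip(INGRESS_POD, XFF, both, recursive=False),
        "header_replaced": real_ip(INGRESS_POD, CF_EDGE, both),
        "trust_everything": real_ip(INGRESS_POD, "198.51.100.99, " + XFF, ["0.0.0.0/0"]),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:17} -> {ip}")
```

With only the Cloudflare ranges trusted, a request whose direct peer is an in-cluster proxy leaves the address untouched. Trusting every source lets a client-supplied header entry win, so the trusted list should name only the proxies actually in the path.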
This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.
I think I'm having the same issue, I haven't tried any docker mods though. The IPs showing in my audit log are all Cloudflare IPs. I'm using Nginx Proxy Manager, and in Cloudflare I have the record set to "proxy". This is the header I have set in Nginx Proxy Manager: proxy_set_header real_ip_header CF-Connecting-IP;
As a side note, this also seems to break the access lists in Nginx Proxy Manager, since the IP being passed to the proxy is a cloudflare IP, the allow/deny lists don't actually work, everything gets blocked. Might be more of a proxy issue than a bookstack issue.
This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.
We do not test or support K8S, traefik, or NPM. We have provided our input as best as we can but this is all outside of our support scope.
This issue is locked due to inactivity
Is there an existing issue for this?
Current Behavior
By setting APP_PROXIES="*" as stated here, I am able to see Cloudflare IPs, but no nginx config changes I have made show the real IP in the log.
Expected Behavior
I expect after setting
proxy_set_header X-Forwarded-For $http_CF_Connecting_IP;
in /config/nginx/site-confs/default.conf and /config/nginx/site-confs/default that it would work.
Steps To Reproduce
APP_PROXIES="*"
to see CF IP instead of container IP.
proxy_set_header X-Forwarded-For $http_CF_Connecting_IP;
in config files.
Environment
CPU architecture
x86-64
Docker creation
Container logs