sameersbn / docker-gitlab

Dockerized GitLab
http://www.damagehead.com/docker-gitlab/
MIT License
7.91k stars 2.14k forks

GitLab production_json.log file shows the remote_IP of the Docker bridge #2416

Open sreayunw opened 3 years ago

sreayunw commented 3 years ago

Whether I set NGINX_REAL_IP_RECURSIVE to off or on, remote_ip in the GitLab production_json.log file shows the IP of the Docker bridge.

docker-compose.yml is:

version: '3.8'

services:
  redis:
    restart: always
    image: redis:6.0.8
    command:
    - --loglevel warning
    volumes:
    - /data/gitlab/redis:/var/lib/redis:Z
    ports:
    - "6379:6379"
    networks:
      - gitlab

  postgresql:
    restart: always
    image: sameersbn/postgresql:12-20200524
    volumes:
    - /data/gitlab/postgresql:/var/lib/postgresql:Z
    environment:
    - DB_USER=gitlab
    - DB_PASS=xxxxx
    - DB_NAME=gitlabhq_production
    - DB_EXTENSION=pg_trgm,btree_gist
    ports:
    - "5432:5432"
    networks:
      - gitlab

  gitlab:
    restart: always
    image: sameersbn/gitlab:13.9.4
    depends_on:
    - redis
    - postgresql
    ports:
    - "10080:80"
    - "10022:22"
    volumes:
    - /data/gitlab/gitlab:/home/git/data:Z
    - /data/gitlab/gitlab-log:/var/log/gitlab/gitlab:Z
    - /etc/hosts:/etc/hosts
    networks:
      - gitlab
    healthcheck:
      test: ["CMD", "/usr/local/sbin/healthcheck"]
      interval: 1m
      timeout: 5s
      retries: 30
      start_period: 20s
    environment:
    - DEBUG=false
    - RACK_ATTACK_WHITELIST=172.24.0.1

    - DB_ADAPTER=postgresql
    - DB_HOST=postgresql
    - DB_PORT=5432
    - DB_USER=gitlab
    - DB_PASS=xxxxx
    - DB_NAME=gitlabhq_production

    - REDIS_HOST=redis
    - REDIS_PORT=6379

    - TZ=Asia/Shanghai
    - GITLAB_TIMEZONE=Beijing

    - GITLAB_HOST=192.168.108.130
    - GITLAB_PORT=10080
    - GITLAB_SSH_PORT=10022
    - GITLAB_RELATIVE_URL_ROOT=
    - GITLAB_SECRETS_DB_KEY_BASE=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    - GITLAB_SECRETS_SECRET_KEY_BASE=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    - GITLAB_SECRETS_OTP_KEY_BASE=xxxxxxxxxxxxxxxxxxxxxxxxxxxx

    - GITLAB_ROOT_PASSWORD=xxxxxxx
    - GITLAB_ROOT_EMAIL=xxxx@xxx.cn

    - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true
    - GITLAB_NOTIFY_PUSHER=false

    - GITLAB_EMAIL=gitlab-robot@xxx.cn
    - GITLAB_EMAIL_REPLY_TO=noreply@xxx.cn
    - GITLAB_INCOMING_EMAIL_ADDRESS=reply@xxx.cn

    - GITLAB_BACKUP_SCHEDULE=daily
    - GITLAB_BACKUP_TIME=01:00

    - NGINX_REAL_IP_RECURSIVE=off

networks:
  gitlab:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.24.0.0/24

When I use git clone, I see that remote_ip in production_json.log is 172.24.0.1:

{"method":"POST","path":"/test/aaa.git/git-upload-pack","format":null,"controller":"Repositories::GitHttpController","action":"git_upload_pack","status":200,"time":"2021-09-22T02:19:03.764Z","params":[{"key":"repository_path","value":"test/aaa.git"}],"remote_ip":"172.24.0.1","user_id":1,"username":"root","ua":"git/2.18.0.windows.1","correlation_id":"01FG5MS7VEC7GK32WCP78PPFVG","meta.user":"root","meta.project":"test/aaa","meta.root_namespace":"test","meta.caller_id":"Repositories::GitHttpController#git_upload_pack","meta.remote_ip":"172.24.0.1","meta.feature_category":"source_code_management","redis_calls":5,"redis_duration_s":0.003277,"redis_read_bytes":517,"redis_write_bytes":474,"redis_cache_calls":5,"redis_cache_duration_s":0.003277,"redis_cache_read_bytes":517,"redis_cache_write_bytes":474,"db_count":12,"db_write_count":1,"db_cached_count":1,"cpu_s":0.322721,"db_duration_s":0.03252,"view_duration_s":0.00107,"duration_s":0.33044}

Can anyone help me? Thanks!

kkimurak commented 3 years ago

This happens because you are using a bridge network. Please take a look at this: "Use host networking" in Docker's documentation. Note that port mapping will be ignored. It means GitLab will be published on your host's port 80, and the SSH port will be published on your host's port 22. Others are the same.

sreayunw commented 3 years ago

@kkimurak Thank you for your reply! But I don't think this has anything to do with bridge network mode, because I saw earlier in the documentation (https://github.com/sameersbn/docker-gitlab#available-configuration-parameters) the parameter "NGINX_REAL_IP_RECURSIVE", and I wonder if it has something to do with this parameter.

And I need to use bridge network mode to expose ports 10080 and 10022. So is there another way?

sreayunw commented 3 years ago

I refer to the following file https://github.com/sameersbn/docker-gitlab/blob/master/docker-compose.yml for operations, and I happen to need to expose ports 10080 and 10022.

kkimurak commented 3 years ago

The Docker network does not set any headers that nginx can receive. Containers cannot get the real remote IP address. This is a problem with Docker itself, as far as I know. Please refer to https://github.com/docker/roadmap/issues/157.

One solution is to put everything in network_mode: host, as far as I have researched. Running a reverse proxy is another idea. Then set NGINX_REAL_IP_RECURSIVE and NGINX_REAL_IP_TRUSTED_ADDRESSES correctly. I saw some people use jwilder/nginx-proxy (it seems to have moved its namespace to nginx-proxy/nginx-proxy) with host mode network, but I have never tested it.
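
The following is an added example, not part of the thread or of the docker-gitlab project: a simplified Python model of how nginx's realip module picks the client address, to show why the bridge setup above logs 172.24.0.1 regardless of the recursive setting and what changes once a reverse proxy sends X-Forwarded-For. It assumes NGINX_REAL_IP_TRUSTED_ADDRESSES corresponds to `set_real_ip_from` and NGINX_REAL_IP_RECURSIVE to `real_ip_recursive`; all addresses other than 172.24.0.1 are constructed.

```python
import ipaddress

def resolve_client_ip(peer, x_forwarded_for, trusted, recursive):
    """Return the address a realip-style resolver would log as remote_ip.

    peer            -- TCP source address seen by nginx (the Docker bridge here)
    x_forwarded_for -- header value, or None when no proxy sets it
    trusted         -- trusted proxy addresses/CIDRs (set_real_ip_from, assumed)
    recursive       -- real_ip_recursive on/off
    """
    nets = [ipaddress.ip_network(t) for t in trusted]

    def is_trusted(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)

    # The header is honoured only when the connecting peer is a trusted proxy.
    # With no header at all (plain bridge networking) the peer is all we have.
    if not x_forwarded_for or not is_trusted(peer):
        return peer

    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    client = peer
    # Walk right to left: the rightmost entry was appended by the nearest proxy.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep the last good address
        client = hop
        # recursive off: stop at the last entry.
        # recursive on: keep going only while the entry is itself a trusted proxy.
        if not recursive or not is_trusted(hop):
            break
    return client

if __name__ == "__main__":
    bridge = "172.24.0.1"
    cases = [  # (label, header, trusted list, recursive) -- constructed inputs
        ("bridge only, no header", None, ["172.24.0.0/24"], True),
        ("one proxy", "203.0.113.7", [bridge], False),
        ("two proxies, recursive off", "203.0.113.7, 192.168.108.10", [bridge], False),
        ("two proxies, recursive on", "203.0.113.7, 192.168.108.10",
         [bridge, "192.168.108.10"], True),
        ("client-supplied entry, tight trust", "10.0.0.99, 203.0.113.7", ["172.24.0.0/24"], True),
        ("client-supplied entry, trust too broad", "10.0.0.99, 203.0.113.7", ["0.0.0.0/0"], True),
    ]
    for label, xff, trusted, rec in cases:
        print(f"{label:40s} -> {resolve_client_ip(bridge, xff, trusted, rec)}")
```

The last two cases show why the trusted list matters for audit logs and for RACK_ATTACK_WHITELIST-style controls: when the trusted range covers more than the actual proxies, a header entry supplied by the client ends up in remote_ip.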