shish / shimmie2

An easy-to-install community image gallery (aka booru)
http://code.shishnet.org/shimmie2/
GNU General Public License v2.0
410 stars 115 forks

Setting the trusted proxies does not set real ips #1221

Open Nines63 opened 3 months ago

Nines63 commented 3 months ago
versions:
  shimmie: "2.12.0-alpha-20240630-8a8d78a"
  schema: 21
  php: "8.2.20"
  db: "sqlite 3.40.1"
  os: "Linux 3bc6e71bbe54 6.6.32-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Jun 13 14:14:43 UTC 2024 x86_64"
  server: "Unit/1.32.1"

extensions:
  core: ["admin","alias_editor","bbcode","comment","download","et","ext_manager","four_oh_four","handle_pixel","help_pages","image","index","media","mime","post_lock","post_owner","post_source","post_tags","replace_file","setup","static_files","system","tag_list","upgrade","upload","user","user_config","view"]
  extra: ["auto_tagger","autocomplete","blocks","blotter","browser_search","bulk_actions","bulk_download","bulk_parent_child","custom_html_headers","danbooru_api","downtime","emoticons","emoticons_list","favorites","featured","filter","forum","handle_video","home","image_hash_ban","image_view_counter","not_a_tag","pm","pools","rating","relationships","report_image","reverse_search_links","rss_comments","rss_images","site_description","source_history","tag_categories","tag_history","tag_tools","terms","trash","wiki"]
  handled_mimes: ["image/jpeg","image/gif","image/png","image/webp","video/x-ms-asf","video/x-msvideo","video/x-flv","video/x-matroska","video/mp4","video/ogg","video/quicktime","video/webm"]

stats:
  images: 265
  comments: 5
  users: 12

media:
  memory_limit: "8.0MB"
  disk_use: "88GB"
  disk_total: "439GB"

thumbnails:
  engine: "convert"
  quality: 80
  width: 170
  height: 170
  scaling: 100
  mime: "image/jpeg"

I am running Shimmie in a Docker container behind Nginx Proxy Manager. I set the trusted proxy ranges in the shimmie.conf.php file to every range of my reverse proxy Docker container:

    define("TRUSTED_PROXIES", [
        '192.168.0.0/16',
        '172.18.0.0/16',
        '172.19.0.0/16',
        '172.17.0.0/12',
        '10.0.0.0/8',
    ]);

I expected the real IP to appear in my account, as that would allow for IP bans. Instead it's still showing the IP of the reverse proxy: [screenshot]

These are all the headers added in the nginx config:

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP      $remote_addr;
    proxy_pass       http://192.168.0.246:8008;

shish commented 2 months ago

I wonder if there's something more to this setup, because "Current IP: 172..." suggests that something inside the docker network is connecting to shimmie, but "proxy_pass http://192..." suggests that nginx is connecting to something on the local network but outside of docker.

Like my guess based only on those IP ranges would be that you have nginx running on the bare metal host, nginx then connects to some kind of docker proxy (which drops the x-real-ip header), which connects to shimmie?

Normally if nginx were running on the bare metal host and forwarding to docker I would expect proxy_pass to 127.0.0.1 - or if nginx in one docker container was forwarding to shimmie in another docker container, I would expect proxy_pass to 172.17.x.x

Nines63 commented 2 months ago

> I wonder if there's something more to this setup, because "Current IP: 172..." suggests that something inside the docker network is connecting to shimmie, but "proxy_pass http://192..." suggests that nginx is connecting to something on the local network but outside of docker.
>
> Like my guess based only on those IP ranges would be that you have nginx running on the bare metal host, nginx then connects to some kind of docker proxy (which drops the x-real-ip header), which connects to shimmie?
>
> Normally if nginx were running on the bare metal host and forwarding to docker I would expect proxy_pass to 127.0.0.1 - or if nginx in one docker container was forwarding to shimmie in another docker container, I would expect proxy_pass to 172.17.x.x

It's Nginx Proxy Manager in a Docker container that's connected to the Shimmie container.

Also, setting proxy_set_header X-Forwarded-For $remote_addr; in the reverse proxy gives me this error: [screenshot]

shish commented 1 month ago

That is weird o_O. The crash is because it's looking at the X-Forwarded-For header and finding something that isn't a valid IP address (according to filter_var).

#1282 and #1283 should at least make this more debuggable -- if you're able to pull the latest code and check /system_info, what shows up under system info -> server -> REMOTE_ADDR / HTTP_X_FORWARDED_FOR / HTTP_X_REAL_IP? (Feel free to replace numbers with X's, but anything in there which isn't a number is probably important, whether that's whitespace, punctuation or letters.)
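A defensive version of the lookup this thread is about, as an added example (not Shimmie's own code): it honours X-Forwarded-For only when REMOTE_ADDR is inside one of the configured TRUSTED_PROXIES ranges, walks the header right to left past trusted hops, and skips entries filter_var rejects instead of crashing on them. The function names and the sample request are assumptions.

```php
<?php
// Added example (not Shimmie's code): client IP from REMOTE_ADDR + X-Forwarded-For,
// trusting only hops inside the TRUSTED_PROXIES CIDR list from the issue.
// True if IPv4 $ip lies inside $cidr such as "172.18.0.0/16" (a bare IP means /32).
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipL = ip2long($ip);
    $netL = ip2long($net);
    if ($ipL === false || $netL === false) {
        return false;                          // not IPv4: never a match
    }
    $mask = (int)$bits === 0 ? 0 : (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipL & $mask) === ($netL & $mask);
}
function is_trusted_proxy(string $ip, array $trusted): bool
{
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}
// Walk X-Forwarded-For right to left past trusted proxies and return the first
// untrusted hop. Entries that are not valid IPs (the filter_var case from this
// thread) are skipped rather than fatal, so the worst case is REMOTE_ADDR.
function real_ip(array $server, array $trusted): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!is_trusted_proxy($remote, $trusted)) {
        return $remote;                        // direct client: XFF is untrusted input
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            continue;                          // blank or malformed entry: skip
        }
        if (!is_trusted_proxy($hop, $trusted)) {
            return $hop;
        }
    }
    return $remote;                            // only proxies in the chain
}
// Constructed sample: a proxy in 172.18.0.0/16 (as in the issue) forwards a request
// whose header carries the client, a malformed entry, and another internal hop.
$trusted = ['192.168.0.0/16', '172.18.0.0/16', '172.19.0.0/16', '10.0.0.0/8'];
$server = ['REMOTE_ADDR' => '172.18.0.5',
           'HTTP_X_FORWARDED_FOR' => '203.0.113.9, not-an-ip, 172.18.0.2'];
echo real_ip($server, $trusted), "\n";
```

With the sample above the malformed middle entry is ignored and the leftmost untrusted address is reported rather than the proxy's own 172.18.x.x, which is the behaviour the original report expected to see on the account page.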