nginx-proxy-manager
Real IP addresses in the log?
Good day to everyone, looking for help, tips
In short, there is such a scheme of the home network
There is nothing between the router and NPM, just a direct port forwarding to the container with the NPM (192.168.0.200 80, 443).
Used docker-compose -
version: '3.8'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    container_name: nginx-proxy-manager
    ports:
      - '80:80'
      - '443:443'
      - '4488:81'
    environment:
      DB_HOST: "db"
      DB_PORT: 5432
      DB_USER: $(DB_USER)
      DB_PASSWORD: $(DB_PASSWORD)
      DB_NAME: $(DB_NAME)
      DISABLE_IPV6: 'true'
      X_FRAME_OPTIONS: "sameorigin"
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    depends_on:
      - db
    healthcheck:
      test: ["CMD", "/bin/check-health"]
      interval: 10s
      timeout: 3s
    networks:
      dockernet:
        ipv4_address: 172.16.0.2
  db:
    image: 'postgres:13'
    restart: unless-stopped
    container_name: nginx-proxy-manager-db
    environment:
      POSTGRES_USER: $(POSTGRES_USER)
      POSTGRES_PASSWORD: $(POSTGRES_PASSWORD)
      POSTGRES_DB: $(DB_NAME)
    volumes:
      - pg-data:/var/lib/postgresql/data
    networks:
      dockernet:
        ipv4_address: 172.16.0.3
volumes:
  pg-data:
networks:
  dockernet:
    external: true
A network has been created
docker network create --subnet=172.16.0.0/24 dockernet
Hosts have been added to NPM, everything works fine, full Internet access to all resources
To view logs, I use goaccess (xavierh/goaccess-for-nginxproxymanager). But the whole problem is that only one client address appears everywhere in the log - 172.16.0.1 (takes information (parses) for display directly from the npm logs folder).
Is it possible on this configuration to ensure that the logs display the real addresses of connecting clients? All the options found on the Internet and suggested by chatgpt :) did not help me. It’s possible, of course, to configure the router settings, but I didn’t find anything suitable in the standard firmware...
You can add custom NGINX config to the proxy host so that it adds headers to pass through the correct IP to origin server. If you search issues (open/closed) you may find some examples.
But how to add a custom configuration to nginx itself, because the address 172.16.0.1 (gateway address) is displayed in its logs itself, and it makes no sense to add configurations to proxy hosts. Yes, I probably need an example, but I haven't found one yet. And is it possible, the Internet says that this is a limitation when deploying docker on Windows systems. Is it so?
container network should be host not bridge
Encountering this as well, just want to add: it's very unexpected that every service I proxy to sees only my router IP as the client IP. It would be great to have a simple option for proxy hosts to set these headers for convenience.
I fixed it just by adding this line:
real_ip_header X-Forwarded-For;
in the advanced section of the proxy host. At least it works for my use case.
I'm not sure why real_ip_header is allowed to be set in the advanced section, but unfortunately there's no way to set that for every proxy host (the advanced config file for proxy servers throws an nginx error if you try, because the real_ip_header is already set in the base http server in the real_ip_header section)
A quick docker exec nginxproxymanager-container-name sed -i 's/real_ip_header X-Real-IP;/real_ip_header X-Forwarded-For;/' /etc/nginx/nginx.conf && docker restart nginxproxymanager-container-name fixes this, and fixes access lists not working with cloudflare as well.
I'm not sure why this bug is allowed to exist, it's pretty bad if you want to use the cloudflare proxy or generally get accurate IP addresses from your clients
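The header-based fixes in this thread work in some setups and not in others. This added example (not code from the thread or from NPM) is a simplified model of how nginx's realip module chooses the address it logs from `set_real_ip_from`, `real_ip_header` and `real_ip_recursive`. The function name `resolve_client_ip`, the trusted ranges and the sample addresses are constructed for illustration.

```python
# Added example: simplified model of how nginx's realip module picks the
# address it logs. All ranges and addresses below are constructed.
from ipaddress import ip_address, ip_network


def resolve_client_ip(remote_addr, header_value, trusted, recursive=True):
    """Return the address nginx would use as the client address.

    remote_addr  -- peer address of the TCP connection nginx accepted
    header_value -- value of the header named by real_ip_header, or None
    trusted      -- CIDR strings, the equivalent of set_real_ip_from lines
    recursive    -- the equivalent of real_ip_recursive on/off
    """
    nets = [ip_network(cidr) for cidr in trusted]

    def is_trusted(addr):
        return any(ip_address(addr) in net for net in nets)

    # The header is honoured only when the peer is a trusted proxy.
    if not header_value or not is_trusted(remote_addr):
        return remote_addr

    current = remote_addr
    hops = [h.strip() for h in header_value.split(",") if h.strip()]
    for hop in reversed(hops):            # right to left, nearest hop first
        try:
            ip_address(hop)
        except ValueError:
            break                         # unparsable entry: stop here
        current = hop
        if not recursive or not is_trusted(hop):
            break                         # first untrusted hop is the client
    return current


DOCKER_NET = ["172.16.0.0/24"]            # constructed: the thread's dockernet

if __name__ == "__main__":
    xff = "10.0.0.5, 203.0.113.7"         # constructed header value
    # No header at all: the NAT gateway is all nginx can ever see.
    print(resolve_client_ip("172.16.0.1", None, DOCKER_NET))
    # Header added by a proxy in front: last untrusted hop wins.
    print(resolve_client_ip("172.16.0.1", xff, DOCKER_NET))
    # Trusting every range lets the left-most, client-supplied entry win.
    print(resolve_client_ip("172.16.0.1", xff, ["0.0.0.0/0"]))
```

When Docker rewrites every peer to the gateway address (the 172.16.0.1 seen in this thread), nginx accepts the header from any client. Access lists should rely on it only when a proxy in front of NPM sets or appends to that header and the trusted ranges cover just that proxy.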
was going crazy trying to figure out why access lists in nginxproxymanager just would never work.
found a few different ghi where you think oh its just bugs with it not applying config or how it applies it.. tried restarting or various other solutions but no go. eventually debug to find out that its: https://github.com/NginxProxyManager/nginx-proxy-manager/blob/develop/docker/rootfs/etc/nginx/nginx.conf#L68
thought maybe i could override by just doing custom/http_top.conf with "real_ip_header X-Forwarded-For;" but sadly wont work.
then found this ghi which was exact same issue, and can confirm the only fix is to go add it as advanced config for each proxy host. that way the actual real remote ip shows up and the acl work as expected.
@mxm199 Did you find any solution? I tried several options without success: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/674
This is clearly an issue that isn't being addressed:
https://github.com/NginxProxyManager/nginx-proxy-manager/discussions/2587
https://github.com/NginxProxyManager/nginx-proxy-manager/discussions/2596
https://github.com/NginxProxyManager/nginx-proxy-manager/discussions/3523
https://www.reddit.com/r/nginxproxymanager/comments/1dgnzta/how_pass_through_real_ip_to_synology_nas/
https://www.reddit.com/r/nginxproxymanager/comments/19bftrv/real_client_ip/
https://www.reddit.com/r/nginxproxymanager/comments/18jyt3b/npm_pass_realip_to_unifi_controller/
https://www.reddit.com/r/nginxproxymanager/comments/101ajq7/npm_logging_and_forwarding_gateway_or_container/
https://www.reddit.com/r/nginxproxymanager/comments/15yuf7p/get_real_ip_from_clients_connecting_to_the/
https://www.reddit.com/r/nginxproxymanager/comments/163xm9r/remote_addr_isnt_my_external_ip/
I switched to docker-swag. More complex in some ways but easier to deploy from a git repo.
@chrecinos It doesn't work on docker for Windows. Something about how its networking works.
Can't get this to work, in the same boat ...
@leonida92 it doesn't work with macOS also, I guess it is because it creates some kind of virtualization instead of containerization with native GNU/Linux
Update: I just installed Proxmox and used this recipe to have the IP exposed: https://tteck.github.io/Proxmox/#nginx-proxy-manager-lxc
I'm not sure why real_ip_header is allowed to be set in the advanced section, but unfortunately there's no way to set that for every proxy host (the advanced config file for proxy servers throws an nginx error if you try, because the real_ip_header is already set in the base http server in the real_ip_header section)
A quick
docker exec nginxproxymanager-container-name sed -i 's/real_ip_header X-Real-IP;/real_ip_header X-Forwarded-For;/' /etc/nginx/nginx.conf && docker restart nginxproxymanager-container-name
fixes this, and fixes access lists not working with cloudflare as well.
I'm not sure why this bug is allowed to exist, it's pretty bad if you want to use the cloudflare proxy or generally get accurate IP addresses from your clients
For me, setting a global custom nginx configuration file setting it to X-Forwarded-For (to change it for all proxy hosts) didn't throw an error for me. It however threw an error if I set it to X-Forwarded-For for each proxy in the NPM web UI's advanced configuration, but when I removed it, it works.
Did you manage to solve it? So far I have not been able, in any way, to get the REAL IP that originated the request. It always returns the IP of the load balancer (the ingress of my Docker Swarm).
I don't want to install NPM on my host; the idea is to keep it in the Docker Swarm cluster.
Hello everyone, I ran into the same issue, and I solved it like this:
npm:
  image: jc21/nginx-proxy-manager:2.12.1
  ports:
    - "80:80"
    - "443:443"
    - "8090:81"
  environment:
    ...
  volumes:
    - ${NFS_DOCKER_VOLUMES}/npm_volume/data:/data
    - ${NFS_DOCKER_VOLUMES}/npm_volume/letsencrypt:/etc/letsencrypt
    # Fixed by mounting it to this path.
    - ./configs/server_proxy.conf:/data/nginx/custom/server_proxy.conf
My config file ./configs/server_proxy.conf:
# Required to pass the real client IP address to the backend services
real_ip_header CF-Connecting-IP;
Note: You can change CF-Connecting-IP with anything you want if needed.
Any solution? I am facing the same issue using the latest release. None of the solutions provided above works for me.
I find it odd that so many people have trouble with this (including myself) and that there's no obvious single solution. There are dozens of solutions that 'work', but not one I have tried actually works. People talk about adding lines to the proxy host config, however that does absolutely nothing for me (while it seems to work for others?). Has anyone just found 1 solution that works for this?
Is this project still maintained?
There are very standard and expected ways to forward the client IP in a reverse proxy. I consider this a long-standing bug and it's not working as expected.
Can we find a universal solution, or provide an easy toggle to use the method we expect for all hosts or for each host if that's not possible? It's switching a couple config lines for the hosts, this doesn't seem insurmountable.
Thanks!
It really seems like it should be very straightforward, however there are a million workarounds with limited success. Very strange tbh. I've tried all the solutions I can find, still not one that works. I have NPM forwarding host.domain to my Synology NAS running different services in Docker Containers, not one of which can see the host IP. They only show the Docker Container IP for NPM. Bout given up on this one.
I got it working with the docker-ingress-routing-daemon-main solution. Do a search, there is a git repository; you can apply it and it will work.