
Mixed IP addresses in the log behind nginx-proxy

Open rucksman opened this issue 1 year ago • 5 comments

I have been running Gotify for quite a long time in a Docker container behind an nginx-proxy. Recently I often get banned by my fail2ban. This has never happened before, and I did not make any changes in either docker-compose file. I am on the most recent versions.

When I look into the gotify log (which is clearly the cause of the problem), I see mixed IP addresses, which confuses me. I see a lot of 172.xxx.xxx.xxx entries which originate from the nginx-proxy, but I also see normal IP addresses. I would expect to see only either the proxy address or the real addresses.

The problem is that the proxy address (172) is banned by fail2ban, and whitelisting the address is obviously not a good idea. So my goal would of course be to see only real addresses in the gotify log. Why is it that I see both proxy and real IP addresses in the log?

Honestly I am not sure if this is a gotify issue or a proxy issue, but I try my luck here first.

rucksman avatar Jul 30 '24 11:07 rucksman

@rucksman My first intuition is your gotify trusted proxies settings are too strict or too lax. Are the private IP addresses you see within the range of your trusted proxy setting?

Without looking at your actual setup I can't be sure what exactly is happening. If the above is not your case could you show:

  • the trusted proxies settings in gotify config
  • the NetworkSettings section of your nginx and gotify container with docker inspect
  • the docker-compose files for nginx and gotify

eternal-flame-AD avatar Jul 30 '24 15:07 eternal-flame-AD
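An added illustration, not part of the thread and not Gotify's own code: a generic Go sketch of how a server behind a reverse proxy picks the address it logs, showing why a proxy address outside the trusted list ends up in the log (and in front of fail2ban) instead of the client address. The function name `clientIP`, the second proxy address `172.24.0.3` and the client address `203.0.113.7` are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// clientIP returns the address a server would log for one request.
func clientIP(peer, xff string, trusted []string) string {
	var nets []*net.IPNet
	for _, c := range trusted {
		if !strings.Contains(c, "/") {
			c += "/32" // bare IPv4 address; this sketch handles IPv4 only
		}
		if _, n, err := net.ParseCIDR(c); err == nil {
			nets = append(nets, n)
		}
	}
	isTrusted := func(s string) bool {
		ip := net.ParseIP(s)
		for _, n := range nets {
			if ip != nil && n.Contains(ip) {
				return true
			}
		}
		return false
	}
	if !isTrusted(peer) {
		return peer // header ignored: the peer may have forged it
	}
	// Walk right to left: the first hop that is not a trusted proxy is the client.
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		h := strings.TrimSpace(hops[i])
		if net.ParseIP(h) == nil {
			break // empty or malformed entry: fall back to the peer
		}
		if !isTrusted(h) {
			return h
		}
	}
	return peer
}

func main() {
	xff := "203.0.113.7" // constructed client address
	fmt.Println(clientIP("172.24.0.1", xff, []string{"172.24.0.1"})) // proxy trusted
	fmt.Println(clientIP("172.24.0.3", xff, []string{"172.24.0.1"})) // proxy not trusted
}
```

Here `peer` is the TCP peer address, `xff` the X-Forwarded-For header value and `trusted` the list of proxy addresses or CIDR ranges; accepting CIDR ranges is an assumption of this sketch, not a statement about Gotify's setting.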

I just discovered the (undocumented) setting trustedproxies in one of the commits. That seems to do the trick. Is there a variation of this setting as an environment variable in docker-compose.yml? I tried "GOTIFY_SERVER_TRUSTEDPROXIES", but that did not work.

rucksman avatar Aug 05 '24 22:08 rucksman

GOTIFY_SERVER_TRUSTEDPROXIES should work fine. I've updated the docs. Your original issue mentions that you get 172.x.x.x IPs and normal IPs. This shouldn't happen, you should receive either one or the other if the users are all routed through the reverse proxy.

jmattheis avatar Aug 25 '24 08:08 jmattheis

You need to put brackets around.

GOTIFY_SERVER_TRUSTEDPROXIES=[172.24.0.1]

https://gotify.net/docs/config

jmattheis avatar Sep 07 '24 08:09 jmattheis

Got it, somehow I overlooked that syntax and just blatantly assumed it would be just comma separated (like in other software, e.g. Keycloak)

kirides avatar Sep 07 '24 12:09 kirides