modsecurity-docker
[modsecurity-crs-nginx] ERRORLOG does not reflect REAL_IP_HEADER
The nginx container does not properly reflect the REAL_IP_HEADER in the ERRORLOG file, in the client_ip property.
docker-compose.yml
environment:
  SET_REAL_IP_FROM: "0.0.0.0/0"
  REAL_IP_HEADER: "X-Forwarded-For"
  REAL_IP_RECURSIVE: "on"
waf.log (ERRORLOG)
[...] clientip: 192.168.44.2
This is the internal IP of the public-facing traefik container for SSL termination. The docker compose logs output formats the client IP properly in front of the error message.
With modsecurity-crs-apache and the following docker-compose it is working properly though.
docker-compose.yml
environment:
  REMOTEIP_INT_PROXY: "192.0.0.0/8"
Thanks for the report. If I understand you correctly, the log format should use $realip_remote_addr instead of $remote_addr (http://nginx.org/en/docs/http/ngx_http_realip_module.html#var_realip_remote_addr), correct?
Yes, if the nginx log writes $remote_addr and this is run behind a Traefik - which I think is a pretty common use case - any logs will display the Traefik IP instead of the client IP. Parsing those logs in Fail2Ban is then impossible as it will ban the offending client
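
Added example, not part of the original thread or the project's code: a small Python model of how nginx's realip module walks X-Forwarded-For, showing which address ends up in the log (and in front of Fail2Ban) when SET_REAL_IP_FROM is "0.0.0.0/0" with REAL_IP_RECURSIVE "on", compared with trusting only the proxy network. The 192.168.44.0/24 subnet, the header value and the function names are assumptions made for illustration; the model also assumes the front proxy appends to a client-supplied header instead of replacing it.

```python
import ipaddress

def resolve_client_ip(peer, xff, trusted, recursive=True):
    """Model of how nginx's realip module picks the client address.

    peer      -- address of the TCP peer (the reverse proxy)
    xff       -- raw X-Forwarded-For header value, or None
    trusted   -- CIDR strings, as given to set_real_ip_from
    recursive -- real_ip_recursive on/off
    """
    nets = [ipaddress.ip_network(n) for n in trusted]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    addr = peer
    # Walk the header right to left while the current address is trusted.
    while hops and is_trusted(addr):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # unparsable entry: keep the last good address
        addr = candidate
        if not recursive:
            break
    return addr

# Constructed sample request: the peer is the Traefik address from the report;
# the leftmost header entry was supplied by the client, the rightmost was
# appended by the proxy (documentation-range addresses, not real hosts).
PEER = "192.168.44.2"
XFF = "198.51.100.7, 203.0.113.9"

def demo():
    return {
        # Every hop is "trusted", so the client-supplied entry is what gets logged.
        "trust_everything": resolve_client_ip(PEER, XFF, ["0.0.0.0/0"]),
        # Only the proxy network (assumed subnet) is trusted: walk stops at the real client.
        "trust_proxy_only": resolve_client_ip(PEER, XFF, ["192.168.44.0/24"]),
        "no_header": resolve_client_ip(PEER, None, ["192.168.44.0/24"]),
    }

if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name}: {ip}")
```

Restricting SET_REAL_IP_FROM to the proxy's own network keeps the logged address tied to what the proxy observed, which is the value a Fail2Ban filter should act on.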