ledgersmb-docker icon indicating copy to clipboard operation
ledgersmb-docker copied to clipboard
verified publisher icon ledgersmb

Documentation is unclear about both the purpose of PROXY_IP and it's proper value

Open auspex opened this issue 10 months ago • 3 comments

docker-compose.yml says:

      # The PROXY_IP environment variable lets you set the IP address
      # (range) of the reverse proxy used for TLS termination, which forwards
      # its requests to this container. When this reverse proxy runs on the
      # Docker host, the default below applies. In case the reverse proxy is
      # hosted in a separate container, this setting needs to be adjusted.
      #
      # PROXY_IP: 172.17.0.1/12

Now, for ages I looked at that and thought "172.17.0.1/12 looks as if it covers any IP that docker will assign, so I'm not sure why it would ever need to be changed for 'a separate container'".

Then I realized that the proxy is always going to be in a container separate from LedgerSMB! I think this would more reasonably be "In case your proxy is outside this docker host…"

auspex avatar Mar 07 '25 22:03 auspex

Hi,

Thanks for the report. If no PROXY_IP is set, the logs will include the IP address of the proxy instead of the IP address of the client connecting to the proxy. If the proxy is on the Docker Host (i.e. outside the container, but on the same host), the value of 172.17.0.1 is what is generally used (it's the host's IP address of the default Docker bridge). That is what the documentation intends to convey. If there's a different proxy elsewhere in the network, you may need to set a different IP address.

Given this explanation, do you have a suggestion for the wording of in the docker-compose file?

Regards,

Erik.

ehuelsmann avatar Mar 23 '25 20:03 ehuelsmann

@neilt, you usually have good insights on documentation. Any suggestions?

ehuelsmann avatar Mar 24 '25 20:03 ehuelsmann

I looked at this several times and I'm not sure what the OP is on about. The OPs suggested quote is already the last sentence of the existing comment.

@ehuelsmann comment above is more confusing to me. It seems that setting the PROXY_IP has multiple uses.

  1. Used to the set the logging IP (proxy or client). So there is value in setting the value at 172.17.0.1 even though that is essentially the same default as this changes what is logged? If this is correct, then this seems like a POLA violation as I would never think to set the value manually when the default seems correct.
  2. Used to set the proxy address when it is not on the same host so it is not essentially the same as the default. Does this also change the logging from IP address to client? If so, how do you set the logging back to log the proxy and not the client in this case?

neilt avatar Apr 01 '25 11:04 neilt

  1. Used to the set the logging IP (proxy or client). So there is value in setting the value at 172.17.0.1 even though that is essentially the same default as this changes what is logged? If this is correct, then this seems like a POLA violation as I would never think to set the value manually when the default seems correct.

@neilt there is no value in seeing the variable to the default: if unset, that's exactly what the container start up proces will do.

2. Used to set the proxy address when it is not on the same host so it is not essentially the same as the default. Does this also change the logging from IP address to client? If so, how do you set the logging back to log the proxy and not the client in this case?

By setting it to an empty value or by setting it to an address that won't be used by the proxy, e.g. "localhost".

ehuelsmann avatar Jun 30 '25 05:06 ehuelsmann

I don't see the issue. The comment looks fine to me as it stands.

@auspex If I missed understood, please feel free to re-open this issue, but please propose a complete rewording of the comment in question. Thank you.

neilt avatar Jun 30 '25 12:06 neilt