Unit does not respect forwarded-ip when a proxy is in use
Current Behavior
Following the recommended process per the wiki for setting up TLS (https://github.com/netbox-community/netbox-docker/wiki/TLS), I've noticed, when viewing the Docker logs (from Unit), that all external requests (not the healthchecks) are written as if coming from the proxy, instead of implementing the X-Forwarded-For header to correctly identify the true originator of the request.
Expected Behavior
The Unit configuration file should include the forwarded section. This would allow us to define the source proxy and then ensure that the X-Forwarded-For IP gets passed for proper logging, instead of just reporting the IP of the Caddy proxy server.
Docker Compose Version
Docker Compose version v2.29.1
Docker Version
Client: Docker Engine - Community
  Version: 27.1.1
  API version: 1.46
  Go version: go1.21.12
  Git commit: 6312585
  Built: Tue Jul 23 19:58:57 2024
  OS/Arch: linux/amd64
  Context: default
Server: Docker Engine - Community
  Engine:
    Version: 27.1.1
    API version: 1.46 (minimum version 1.24)
    Go version: go1.21.12
    Git commit: cc13f95
    Built: Tue Jul 23 19:57:11 2024
    OS/Arch: linux/amd64
    Experimental: false
  containerd:
    Version: 1.7.19
    GitCommit: 2bf793ef6dc9a18e00cb12efb64355c2c9d5eb41
  runc:
    Version: 1.7.19
    GitCommit: v1.1.13-0-g58aa920
  docker-init:
    Version: 0.19.0
    GitCommit: de40ad0
The git Revision
27bf52cf3ea882324273fbabbf23f0af6a194f12
The git Status
On branch release
Your branch is up to date with 'origin/release'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified: env/netbox.env
        modified: env/postgres.env
        modified: env/redis-cache.env
        modified: env/redis.env

Untracked files:
  (use "git add <file>..." to include in what will be committed)
        Caddyfile
        Dockerfile-Local
        docker-compose.override.yaml
        env/netbox.env.old
        local_requirements.txt
        netbox.key

no changes added to commit (use "git add" and/or "git commit -a")
Startup Command
docker compose up -d
NetBox Logs
netbox-1 | ↩️ Skip creating the superuser
netbox-1 | 🧬 loaded config '/etc/netbox/config/configuration.py'
netbox-1 | 🧬 loaded config '/etc/netbox/config/extra.py'
netbox-1 | 🧬 loaded config '/etc/netbox/config/logging.py'
netbox-1 | 🧬 loaded config '/etc/netbox/config/netbox.py'
netbox-1 | 🧬 loaded config '/etc/netbox/config/plugins.py'
netbox-1 | ✅ Initialisation is done.
netbox-1 | ⏳ Waiting for control socket to be created... (1/10)
netbox-1 | 2024/10/08 03:59:25 [warn] 8#8 Unit is running unprivileged, then it cannot use arbitrary user and group.
netbox-1 | 2024/10/08 03:59:25 [info] 8#8 unit 1.33.0 started
netbox-1 | 2024/10/08 03:59:25 [info] 101#101 discovery started
netbox-1 | 2024/10/08 03:59:25 [notice] 101#101 module: python 3.12.3 "/usr/lib/unit/modules/python3.12.unit.so"
netbox-1 | 2024/10/08 03:59:25 [info] 8#8 controller started
netbox-1 | 2024/10/08 03:59:25 [notice] 8#8 process 101 exited with code 0
netbox-1 | 2024/10/08 03:59:25 [info] 103#103 router started
netbox-1 | 2024/10/08 03:59:25 [info] 103#103 OpenSSL 3.0.13 30 Jan 2024, 300000d0
netbox-1 | ⚙️ Applying configuration from /etc/unit/nginx-unit.json
netbox-1 | 2024/10/08 03:59:27 [info] 114#114 "netbox" prototype started
netbox-1 | 2024/10/08 03:59:27 [info] 115#115 "netbox" application started
netbox-1 | ✅ Unit configuration loaded successfully
netbox-1 | 2024/10/08 03:59:28 [notice] 8#8 process 99 exited with code 0
netbox-1 | 2024/10/08 03:59:31 [info] 149#149 "netbox" application started
netbox-1 | ::1 - - [08/Oct/2024:03:59:37 +0000] "GET /login/ HTTP/1.1" 200 3710 "-" "curl/8.5.0"
netbox-1 | ::1 - - [08/Oct/2024:03:59:45 +0000] "GET /login/ HTTP/1.1" 200 3710 "-" "curl/8.5.0"
netbox-1 | ::1 - - [08/Oct/2024:03:59:47 +0000] "GET /login/ HTTP/1.1" 200 3710 "-" "curl/8.5.0"
netbox-1 | ::1 - - [08/Oct/2024:04:00:03 +0000] "GET /login/ HTTP/1.1" 200 3710 "-" "curl/8.5.0"
netbox-1 | 172.18.0.6 - - [08/Oct/2024:04:00:07 +0000] "GET / HTTP/1.1" 200 122669 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
netbox-1 | 172.18.0.6 - - [08/Oct/2024:04:00:07 +0000] "GET /static/setmode.js?v=4.1.3 HTTP/1.1" 200 1314 "https://netbox.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
netbox-1 | 172.18.0.6 - - [08/Oct/2024:04:00:07 +0000] "GET /static/netbox-external.css?v=4.1.3 HTTP/1.1" 200 367160 "https://netbox.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
netbox-1 | 172.18.0.6 - - [08/Oct/2024:04:00:07 +0000] "GET /static/netbox.css?v=4.1.3 HTTP/1.1" 200 554378 "https://netbox.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
netbox-1 | 172.18.0.6 - - [08/Oct/2024:04:00:07 +0000] "GET /static/netbox.js?v=4.1.3 HTTP/1.1" 200 389845 "https://netbox.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
netbox-1 | 172.18.0.6 - - [08/Oct/2024:04:00:08 +0000] "GET /core/changelog/?per_page=25&embedded=True HTTP/1.1" 200 21370 "https://netbox.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
netbox-1 | ::1 - - [08/Oct/2024:04:00:18 +0000] "GET /login/ HTTP/1.1" 200 3710 "-" "curl/8.5.0"
netbox-1 | ::1 - - [08/Oct/2024:04:00:33 +0000] "GET /login/ HTTP/1.1" 200 3710 "-" "curl/8.5.0"
netbox-1 | ::1 - - [08/Oct/2024:04:00:48 +0000] "GET /login/ HTTP/1.1" 200 3710 "-" "curl/8.5.0"
netbox-1 | ::1 - - [08/Oct/2024:04:01:03 +0000] "GET /login/ HTTP/1.1" 200 3710 "-" "curl/8.5.0"
netbox-1 | ::1 - - [08/Oct/2024:04:01:18 +0000] "GET /login/ HTTP/1.1" 200 3710 "-" "curl/8.5.0"
netbox-1 | ::1 - - [08/Oct/2024:04:01:33 +0000] "GET /login/ HTTP/1.1" 200 3710 "-" "curl/8.5.0"
Content of docker-compose.override.yml
services:
  netbox:
    restart: unless-stopped
    image: netbox:latest-local
    healthcheck:
      timeout: 3s
      interval: 15s
      test: "curl -f -H 'Host: netbox.example.com' http://localhost:8080/login/ || exit 1"
    environment:
      SKIP_SUPERUSER: "true"
      SUPERUSER_API_TOKEN: ""
      SUPERUSER_EMAIL: ""
      SUPERUSER_NAME: ""
      SUPERUSER_PASSWORD: ""
    build:
      context: .
      dockerfile: Dockerfile-Local
  netbox-worker:
    restart: unless-stopped
    image: netbox:latest-local
  netbox-housekeeping:
    restart: unless-stopped
    image: netbox:latest-local
  postgres:
    restart: unless-stopped
  redis:
    restart: unless-stopped
  redis-cache:
    restart: unless-stopped
  tls:
    image: caddy:2-alpine
    depends_on:
      - netbox
    volumes:
      - /etc/pki/tls/certs/netbox_bundle.pem:/etc/ssl/private/cert.crt:ro,z
      - /etc/pki/tls/private/netbox.key:/etc/ssl/private/key.key:ro,z
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
    ports:
      - "80:80"
      - "443:443"
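
An added example, not part of the original issue and not netbox-docker's or Unit's own code: a simplified Python model of how a listener-level forwarded setting (keys client_ip, source, recursive) decides which address ends up in the access log, and why source has to be limited to the proxy. The source value, the sample client addresses and the function names are assumptions; 172.18.0.6 is the proxy address from the logs above.

```python
import ipaddress

# Shape of a "forwarded" object on a Unit listener. Values are assumptions:
# 172.18.0.6 is the Caddy container address seen in the logs above.
FORWARDED = {
    "client_ip": "X-Forwarded-For",
    "source": ["172.18.0.6"],
    "recursive": False,
}


def _trusted(addr, sources):
    """True if addr falls inside any address or CIDR listed in sources."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(s, strict=False) for s in sources)


def logged_client_ip(peer, headers, forwarded=FORWARDED):
    """Return the address an access log would record for this request."""
    sources = forwarded["source"]
    # The header is honoured only when the TCP peer is a configured proxy;
    # otherwise any client could choose its own logged address.
    if not _trusted(peer, sources):
        return peer
    raw = headers.get(forwarded["client_ip"], "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    if not hops:
        return peer
    # Non-recursive: take the rightmost entry. Recursive: walk right to left
    # and stop at the first hop that is not itself a trusted proxy.
    candidates = reversed(hops) if forwarded["recursive"] else hops[-1:]
    for hop in candidates:
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the peer address
        if not forwarded["recursive"] or not _trusted(hop, sources):
            return hop
    return peer  # every hop was a trusted proxy (this sketch's choice)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, request headers)
    for peer, hdrs in [
        ("172.18.0.6", {"X-Forwarded-For": "203.0.113.10"}),  # via Caddy
        ("::1", {}),                                           # healthcheck
        ("198.51.100.7", {"X-Forwarded-For": "10.0.0.1"}),     # direct, forged
    ]:
        print(peer, "->", logged_client_ip(peer, hdrs))
```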