Remote address overwritten when deploying docker images
Hi, I have a docker image containing angular SPA and nginx. NGINX is configured to pass the remote addr from cloudflare, so that I can see the real ip in the nginx logs. My problem is, that docker overwrites the remote addr, so that in NGINX I'm seeing the docker network's gateway IP and not the real remote addr. Normally network=host solves the issue, when running a docker container. Is there a way to pass that docker run parameter to railway app?
Thanks. 😃
Project ID:
71de5038-f8d1-4214-81d4-290481deb483
you would need to have nginx trust the applicable header that cloudflare sets
https://developers.cloudflare.com/fundamentals/reference/http-request-headers/#cf-connecting-ip
I've already done that. It didn't help, because I'm deploying a docker image and docker changes it.
https://forums.docker.com/t/docker-overrides-remote-addr-and-forwarded-for-headers-to-the-bridge-network-ip/138485
Docker Community Forums
Docker overrides remote_addr and forwarded_for headers to the bridg...
As described in the title and in numerous posts on github and the docker community forums nginx is unable to fetch and log in the access.log the original requesting ip and the remote_addr and forwarded_for headers are always equal to the docker network’s ip. Is there any progress on rectifying this issue besides “hacky” approaches posted year...
I'm sorry but docker is not overriding the CF-Connecting-IP header that cloudflare is setting, you have the wrong idea there
no docker overwrites the $remote_addr after I've set it with the value from CF-Connecting-IP with nginx. I can reproduce this behaviour locally.
that would be down to a misconfiguration. instead, I highly recommend caddy.
with caddy you can very easily set the header to that of what cloudflare sets
https://caddyserver.com/docs/caddyfile/options#client-ip-headers
and then set the trusted ips to accept the header from
https://caddyserver.com/docs/caddyfile/options#trusted-proxies
https://www.cloudflare.com/en-gb/ips/
I have a few example Caddyfiles and straightforward methods to serve your app with caddy, so let me know if you're interested in that!
I don't have a problem with the configuration, because I'm seeing the value from cloudflare. My problem is that I'm not able to setup a network for my docker image on railway, the way I can set it up locally, by passing --net=host when I run the container.
in NGINX I'm seeing the docker network's gateway IP and not the real remote addr
I don't have a problem with the configuration, because I'm seeing the value from cloudflare
im confused, can you or can you not see the correct ip in your logs?
No, I can't see the correct IP in my logs.
then why was this said?
I'm seeing the value from cloudflare
you are giving very conflicting information
that is my problem. and the solution that I've figured out locally was to setup my docker differently. hence the question - is it possible to do that on railway as well
of course not, but with the correct configuration there would be no need to
ok, and what would be the correct configuration for my case - nginx + angular2 in a docker image?
I've already set up remote ip mod for nginx and it's working on my local machine
but only if I add --net=host to docker run
what ip are you seeing then?
127.0.0.1
yeah thats definitely a misconfiguration, id be happy to help you get this setup with caddy!
I'm not familiar with caddy, is there no example for nginx?
i dont think either of us are too familiar with nginx, i only have examples for caddy, so ill try to get a proof of concept working with caddy
ok, thanks. I don't think I would be using caddy now. I'll try and figure out a way with nginx.
caddy is pretty simple, may i ask why you want to use nginx instead? its config is obviously giving you a bit of trouble
because I don't want to switch to yet another new technology and also I'm not convinced that this is a web server/reverse proxy configuration issue, since I'm getting a result by running docker differently.
i assure you this isnt down to railway doing anything incorrectly
I'm not suggesting that. I just need to understand how railway handles docker networks.
by default docker uses bridge network
im not seeing how docker comes into play here as long as your configurations are correct, your app sits behind a proxy on railway, and then another proxy from cloudflare, you simply need to trust the local ips and cloudflares ips, then pull the client ip from the header that cloudflare sets
cloudflare -> docker network -> nginx -> docker container
in docker network happens the thing that's described in the post
cloudflare -> railway proxy -> nginx (your app)
yes railway proxy also somewhere in between, but I'm sure railway is passing headers correctly. I'm seeing that.
what's messing the headers is the docker network I think
why not just straight log the header?
please remove this notion of the docker network causing you issues, i get that you can change it locally and have it work, but with the correct configurations you do not need to change the network.
again, i am still offering you a drop in pre-made solution with caddy.
with caddy, logging the client ip thats set by cloudflare is as simple as a 1 line config
exactly the same thing I'm doing in nginx
set_real_ip_from
...
trusted ips
...
real_ip_header cf-connecting-ip;
real_ip_recursive on;
🙂
what ips are you trusting?
Solution
now that you're mentioning it, perhaps I need to trust the railway proxy ips too
I thought you were already doing that, my bad
In the end it worked by trusting the railway IPs. However, the ngx_http_realip_module really didn't store the value where the documentation says it would. Instead of realip_remote_addr, it was stored in $remote_addr. It also took me some time to figure this out. Very strange.
Thank you for talking to me. It helped clear up the issue. 😀
happy to help where I can!
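
The fix the thread arrived at (trusting the platform proxy's addresses as well as Cloudflare's), modelled in Python as an added example that is not part of the original thread. It is a simplified model of how ngx_http_realip_module treats a single-valued header such as CF-Connecting-IP: on a match `$remote_addr` is replaced and `$realip_remote_addr` keeps the original peer address. The `10.0.0.0/8` proxy range and all sample addresses are assumptions, not Railway's actual ranges.

```python
import ipaddress

CLOUDFLARE = ["173.245.48.0/20"]   # one published Cloudflare range
PLATFORM_PROXY = ["10.0.0.0/8"]    # assumed range for the platform proxy hop

def realip(peer_addr, headers, trusted_cidrs, header_name="CF-Connecting-IP"):
    """Return (remote_addr, realip_remote_addr) as the realip module would set them.

    Simplified model for a single-valued header: the header is honoured only
    when the TCP peer falls inside a set_real_ip_from range.
    """
    peer = ipaddress.ip_address(peer_addr)
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(header_name.lower())
    if value is None or not any(peer in net for net in trusted):
        return peer_addr, peer_addr          # untrusted peer: header ignored
    try:
        client = ipaddress.ip_address(value.strip())
    except ValueError:
        return peer_addr, peer_addr          # malformed header: keep peer address
    return str(client), peer_addr            # $remote_addr replaced, original kept

# Constructed requests: 203.0.113.50 is the visitor, 10.250.0.7 the proxy hop
# that actually opens the TCP connection to nginx inside the container.
VIA_PROXY = ("10.250.0.7", {"CF-Connecting-IP": "203.0.113.50"})
FORGED = ("198.51.100.9", {"CF-Connecting-IP": "192.0.2.1"})

def demo():
    return {
        "cloudflare_only": realip(*VIA_PROXY, CLOUDFLARE),
        "cloudflare_and_proxy": realip(*VIA_PROXY, CLOUDFLARE + PLATFORM_PROXY),
        "forged_direct": realip(*FORGED, CLOUDFLARE + PLATFORM_PROXY),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With only Cloudflare's ranges trusted, the peer nginx sees is the proxy hop, so the header is never applied. Keep the trusted list as narrow as the proxy's real addresses allow, since any peer inside it can set the logged client IP.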