
Comments (12)

github-actions commented on May 30, 2024

Thanks for opening your first issue here! Be sure to follow the issue template!

from docker-swag.

Roxedus commented on May 30, 2024

There are a lot of reasons for this behavior. Two of them would be easy to spot if you followed the issue template (I know the link above is dead). Regardless, you need to tell Nginx to do this, using the X-Forwarded-For header and the set_real_ip_from directive; this is not done by default.

maartenbrakkee commented on May 30, 2024

Taken from linuxserver/docker-nextcloud#130.

The following snippet sets the original IP addresses for all docker IP's. Edit it where needed (for your case, add an extra line set_real_ip_from 10.0.0.0/24; above real_ip_header) and put it inside the main server block in nginx/site-confs/default. Don't forget to restart the container.

# display real ip in nginx logs when connected through reverse proxy via docker network
set_real_ip_from 172.0.0.0/8;
real_ip_header X-Forwarded-For;
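
How `set_real_ip_from` and `real_ip_header` interact, as an added example that is not part of the original thread: a simplified Python model of the realip module's address selection, run over constructed cases. The function name and all sample addresses are assumptions; only the directives and the `172.19.0.0/16`, `172.0.0.0/8` and `192.168.2.75` values appear in the thread.

```python
from ipaddress import ip_address, ip_network

def effective_client_ip(peer, xff, trusted, recursive=False):
    """Simplified model of how nginx's realip module picks the client address.

    peer: address of the connection nginx accepted
    xff: raw X-Forwarded-For value, or None when the header is absent
    trusted: CIDRs listed in set_real_ip_from
    recursive: value of real_ip_recursive
    """
    nets = [ip_network(c) for c in trusted]

    def is_trusted(addr):
        return any(addr in net for net in nets)

    addr = ip_address(peer)
    # The header is honoured only when the connecting peer is a trusted proxy.
    if not xff or not is_trusted(addr):
        return str(addr)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):  # the rightmost entry was appended last
        try:
            candidate = ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep the address found so far
        addr = candidate
        if not recursive or not is_trusted(addr):
            break
    return str(addr)

DOCKER_NET = ["172.19.0.0/16"]  # subnet quoted in the thread
# Constructed cases; client addresses are documentation-range samples.
CASES = {
    # NAT only, no proxy in front: nobody sets the header, gateway address stays.
    "nat_no_header": effective_client_ip("172.19.0.1", None, DOCKER_NET),
    # Peer not covered by set_real_ip_from: the header is ignored.
    "peer_untrusted": effective_client_ip("172.19.0.1", "203.0.113.7", ["192.168.2.75"]),
    # Trusted proxy supplies the client address.
    "proxy_ok": effective_client_ip("172.19.0.1", "203.0.113.7", DOCKER_NET),
    # 172.0.0.0/8 is wider than the private 172.16.0.0/12, so a directly
    # connected peer at 172.32.5.5 gets its self-declared address accepted.
    "broad_trust": effective_client_ip("172.32.5.5", "198.51.100.9", ["172.0.0.0/8"]),
    "narrow_trust": effective_client_ip("172.32.5.5", "198.51.100.9", ["172.16.0.0/12"]),
    # real_ip_recursive skips trusted hops and stops at the first untrusted one.
    "recursive": effective_client_ip(
        "172.19.0.1", "192.0.2.1, 203.0.113.7, 172.19.0.5", DOCKER_NET, recursive=True),
}
```

The first case is the one that matters when the source address is rewritten by NAT rather than by a proxy: with no header to read, the directives change nothing and fail2ban or geoip2 keep seeing the gateway.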

Lennyz1988 commented on May 30, 2024

I am also having this problem. I cannot seem to fix it using those settings. What am I doing wrong here? This is my default file. Running Windows 10 x64.


error_page 502 /502.html;

# redirect all traffic to https
server {
	listen 81 default_server;
	#listen [::]:80 default_server;
	server_name _;
	return 301 https://$host$request_uri;
}

# main server block
server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;

	root /config/www;
	
	index ui3.htm;

	
	server_name _;

	# enable subfolder method reverse proxy confs
	include /config/nginx/proxy-confs/*.subfolder.conf;

	# all ssl related config moved to ssl.conf
	include /config/nginx/ssl.conf;

	# enable for geo blocking
	# See /config/nginx/geoip2.conf for more information.
	#if ($allowed_country = no) {
	#return 444;
	#}

	client_max_body_size 0;
	# 192.168.2.75 is the IP of the Nginx server.
	set_real_ip_from 192.168.2.75;
	real_ip_header X-Forwarded-For;
	
	location / {
		#include /config/nginx/proxy.conf;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass http://192.168.2.75:81;
	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}

}

github-actions commented on May 30, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Lennyz1988 commented on May 30, 2024

It's probably an issue with Windows Subsystem for Linux and/or Docker on Windows x64. On my ARM board it's working perfectly.

flo-mic commented on May 30, 2024

I'm facing the same issue on a Synology DSM NAS with Docker. Deployed is the swag container with a stack file in Portainer.

The idea of this swag container is great and the way it is set up is great too. It all worked fine out of the box. I needed some minutes and the basic setup was done. Just some modifications to fail2ban to support the legacy iptables from Synology and it worked. But without knowing the real IP address of my clients I cannot use this, as fail2ban would block all traffic and Nextcloud also requires the real IP addresses.

I tried the following options so far but none of them work.

  1. Set headers for X-Real IP and Forwarder
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  2. Add the recommended settings from @maartenbrakkee
# display real ip in nginx logs when connected through reverse proxy via docker network
set_real_ip_from 172.19.0.0/16;
real_ip_header X-Forwarded-For;
  3. Set the required ports in host mode by adding this to the docker stack file:
ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
  4. I even tried to disable the masquerade setting inside a network but this was also not working.
networks:
    swag:
       driver: bridge
       driver_opts:
           com.docker.network.bridge.enable_ip_masquerade: 'false'
       ipam:
           driver: default

Does anyone have an idea how to solve this?

My docker file looks like this:

version: "3.7"
services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    hostname: swag
    networks:
      - backend
    dns:
       - 192.168.178.200
       - 8.8.8.8
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host        
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1041
      - PGID=65537
      - TZ=Europe/Berlin
      - URL=example.de      
      - SUBDOMAINS=www
      - VALIDATION=http
      - [email protected]
      - ONLY_SUBDOMAINS=false
      - STAGING=false
      - DOCKER_MODS=linuxserver/mods:swag-auto-reload|linuxserver/mods:universal-wait-for-internet
    volumes:
      - data:/config
      - certs:/config/etc
    restart: unless-stopped

networks:
  backend:
    external: true
    name: swag_backend

volumes:
  data:
     external: false
  certs:
     external: false

j0nnymoe commented on May 30, 2024

@flo-mic https://www.pedrolamas.com/2020/11/04/exposing-the-client-ips-to-docker-containers-on-synology-nas/ this fixed this issue on both our syno and qnap boxes.

flo-mic commented on May 30, 2024

@j0nnymoe thanks this was a good hint. Unfortunately the manual does not describe all required steps to get this working also with custom networks. For all who have the same issue, you can try the following. This is tested on a Synology DSM 916+ firmware v6.2.3

  1. Open an SSH connection and edit the Docker daemon.json file
sudo nano /var/packages/Docker/etc/dockerd.json
  2. Add a new line with the following content "userland-proxy" : false (Make sure to add a "," at the end of the previous line, otherwise your JSON is invalid and the Docker application is no longer visible inside the Synology DSM).
  3. Restart the Docker daemon with the following command
sudo synoservice --restart pkgctl-Docker
  4. Now follow the steps described in the link from j0nnymoe to configure the iptables. But use the script below because the provided one does not work on my system. https://www.pedrolamas.com/2020/11/04/exposing-the-client-ips-to-docker-containers-on-synology-nas/
#!/bin/bash
currentAttempt=0
totalAttempts=10
delay=15

while [ $currentAttempt -lt $totalAttempts ]
do
	currentAttempt=$(( $currentAttempt + 1 ))
	
	echo "Attempt $currentAttempt of $totalAttempts..."
	
	result=$(iptables-save)

	if [[ $result =~ "-A DEFAULT_FORWARD -i docker0 -o docker0 -j ACCEPT" ]]; then
		echo "Docker rules found! Modifying..."
		
		iptables -t nat -A PREROUTING ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
		iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
		
		echo "Done!"
		
		break
	fi
	
	echo "Docker rules not found! Sleeping for $delay seconds..."
	
	sleep $delay
done
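
For the dockerd.json edit described above, an added example that is not part of the original post: setting "userland-proxy" through a JSON parser instead of by hand, so a misplaced comma is caught before anything is written. The function names and the sample file content are assumptions, and it presumes Python 3 is available on the host; on the NAS it would be pointed at `/var/packages/Docker/etc/dockerd.json` with root rights.

```python
import json
import os
import shutil
import tempfile

def set_userland_proxy(path, enabled=False):
    """Set "userland-proxy" in a Docker daemon JSON file.

    Returns True if the file was changed, False if it already had the value.
    Raises ValueError if the existing file is not valid JSON, leaving it untouched.
    """
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)  # fails here on a stray or missing comma
    if not isinstance(config, dict):
        raise ValueError("daemon config must be a JSON object")
    if config.get("userland-proxy") is enabled:
        return False
    shutil.copy2(path, path + ".bak")  # previous version kept for rollback
    config["userland-proxy"] = enabled
    # Write to a temp file in the same directory, then rename atomically so
    # the daemon never reads a half-written file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
            fh.write("\n")
        shutil.copymode(path, tmp)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return True

def demo():
    """Run against a constructed sample file, not the real dockerd.json."""
    path = os.path.join(tempfile.mkdtemp(), "dockerd.json")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('{"data-root": "/constructed/path"}')  # constructed content
    first = set_userland_proxy(path)
    second = set_userland_proxy(path)  # already set: no rewrite
    with open(path, encoding="utf-8") as fh:
        return first, second, json.load(fh)
```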

j0nnymoe commented on May 30, 2024

I didn't have to do any of that for the IP's to show on my swag network on my syno and qnap.

flo-mic commented on May 30, 2024

Hmm, strange, I just noticed that I also had to customize the script as it was not working on system start (just updated my previous post). Quite interesting that the solution differs from one Synology system to another. But anyway, if someone else has the issue he can test your and my solution and hopefully one of the two works 😉

hilsonp commented on May 30, 2024

The @j0nnymoe solution worked for me on a DS920+ running DSM7.
Thank you !!!
For information, I was getting my router IP as $remote_addr (hence the geoip2 was still useless).
My router is a pfsense and I had to go to "System / Advanced / Firewall & NAT", then

  • NAT Reflection mode for port forwards: Pure NAT
  • Enable NAT Reflection for 1:1 NAT: enabled
  • Enable automatic outbound NAT for Reflection: enabled
