How to get the real IP address in the clients

[Waldorf3]

So my setup is as follows.

I have a Proxmox server with a number of virtual machines.

All virtual macines are interconnected with private IP addresses (like 10.10.10.x, with x essentially being the VMID)

One virtual machine additionally has a public ip address. It runs nginx-proxy-manager in docker, and receives the traffic on the public IP address, and forwards the traffice to the other virtual machines through the private IP addresses.

This works perfectly except the virtual machines all see the traffic (the IP) as coming from the nginx-proxy-manager.

I've spent hours now trying to get the real client IP address to appear in the access log files on the proxy clients, but nothing works.

So I tried leaving the customer nginx configuration (in the gui) empty, and I have tried adding the lines

set_real_ip_from  IP;
real_ip_header X-Forwarded-For;

With IP being both the public IP address and the private IP address. I tried other combinations I found here and elsewhere, but the bottom line is, nothing ever changes.

On the clients I also tried adding

                RemoteIPHeader X-Forwarded-For
                RemoteIPInternalProxy IP

Again with IP being both the private and the public IP on the nginx-proxy-server, but nothing changes anything.

Surely there must be one correct way to set this up? Is this documented somewhere? I haven't been able to find any, other than man discussions here, and that isn't always clear and usually different situations.

[gillescoolen]

Did you make any progress on the issue? Currently having the same problem, and the fix in this issue does nothing for me.

[naddang]

In my case, the issue was caused by trying to get X-Forwarded-For when it was not HTTPS.

[BuzzMoody]

Anyone got a fix for this?

[Crash1602]

My question is relevant to the topic, so I'm posting it here.

How can I forward the source IP for a TCP stream? Currently only the Docker Host IP is displayed on the upstream server, so i can´t use Autoblock-IP by failed logins.

Thank you very much.

[begunfx]

Synology workaround fix for this!

I found a solution for this if you are trying to run NPM (Docker) on a Synology. It seems that there are some pre-routing rules that need to be added to the Synology host for the IP addresses to report the client and not Docker.

I found this post with the solution:

https://www.pedrolamas.com/2020/11/04/exposing-the-client-ips-to-docker-containers-on-synology-nas/

The short of it is you need to apply the following iptable rules on Synology (cli):
sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER

Only catch is that these changes will not sustain post reboot.

In order for that to happen you need to create a boot-up task in the task scheduler and add the script he created so that the rule changes are applied every startup.

I tested the rule changes and it seems I can now properly use the Access List and restrict access to local (LAN) only.
script and instructions here:

https://gist.github.com/pedrolamas/db809a2b9112166da4a2dbf8e3a72ae9

[rardcode]

Hi @Waldorf3!

This works perfectly except the virtual machines all see the traffic (the IP) as coming from the nginx-proxy-manager.

I had the same problem.
After many researches and tests, this solution works for me:
Adding:
proxy_set_header X-Real-IP $remote_addr;
in Nginx Proxy Manager / Edit Proxy Host / Advanced / Custom Nginx Configuration.

I hope it can be useful. 👍