1

I have two Docker containers running: one is an nginx that accepts HTTP and HTTPS requests and passes them to the other one, which is a Jetty container. I have noticed an issue since I switched to Docker: I can't get the right request IP. The Jetty application checks the request IP to ensure requests are coming from a particular server. In the servlet I use the following code to get the IP:

protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    ...
    String remoteIpAddress = request.getRemoteAddr();
    ...
}

But I then get the IP 172.17.0.x, which seems to be some IP from docker and not the expected IP from the requester.

My Docker images are run with the following params:

docker run -d --read-only --name=jetty -v /tmp -v /run/jetty jetty:9
docker run -d --read-only --name=nginx --link jetty:jetty -v /var/run -p 80:80 -p 443:443 nginx

The important part is the --link param, where I link the networking of jetty to nginx.

In the nginx config I have defined a proxy pass to Jetty:

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

and

location / {
    proxy_pass http://jetty:8080;
}

My question is: how do I get the right IP from the request and not the 127.17.0.x one?

Gering
  • What is the intent of checking the source IP addresses on the Jetty side? Is it just to make sure requests come via the intended nginx reverse proxy, or is it to allow some users to do the requests (in that case you want to check the IP address of the HTTP client which made the request)? – Thomasleveil Jan 11 '16 at 20:10
  • I have a whitelist of client IPs that are allowed to do requests. – Gering Jan 11 '16 at 20:22

3 Answers

2

The accepted answer seems rather weird for someone that is using the default Docker Jetty image, we should not be changing or uncommenting things manually like that.

Here is the way to derive the Docker image that worked for me:

FROM jetty:9.4-jre11
COPY checkout/my-app/target/v.war /var/lib/jetty/webapps/v.war
RUN java -jar /usr/local/jetty/start.jar --create-startd --add-to-start=http-forwarded

The file /usr/local/jetty/etc/jetty-http-forwarded.xml, which adds the org.eclipse.jetty.server.ForwardedRequestCustomizer to the configuration, will be added to the jetty.start automatically.

Bruno Medeiros
1

If using Jetty 9, enable the ForwardedRequestCustomizer.

To do that ...

$ mkdir /path/to/jetty-base/etc
$ cp /path/to/jetty-dist/etc/jetty.xml /path/to/jetty-base/etc/
$ edit /path/to/jetty-base/etc/jetty.xml

Uncomment the lines

  <Call name="addCustomizer">
    <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
  </Call>

Start your ${jetty.base}

$ cd /path/to/jetty-base
$ java -jar /path/to/jetty-dist/start.jar

Done

Joakim Erdfelt
0

When you call request.getRemoteAddr(), you get the IP of the request, in this case the nginx running in Docker.

The lines you added in the nginx config file add headers with the original IP, so the only thing you have to do is get the X-Real-IP header.

The SWE
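
Because the question uses the address for a whitelist, the forwarding headers should be believed only when the TCP peer is the nginx container, and the X-Forwarded-For entry to check is the one nginx appended, not whatever the client sent. The following is an added example of that check, not code from the question or any answer; the class `ClientIpResolver`, its methods, the nginx address 172.17.0.3 and all sample addresses are assumptions constructed for illustration (Java 9+ for `Set.of`).

```java
import java.util.Set;

public class ClientIpResolver {

    // peerAddr: value of request.getRemoteAddr() (the TCP peer).
    // xForwardedFor: raw X-Forwarded-For header value, may be null.
    // trustedProxies: addresses of our own reverse proxies (exact match, an assumption).
    static String resolve(String peerAddr, String xForwardedFor, Set<String> trustedProxies) {
        // Anyone who can reach Jetty directly can send these headers,
        // so honour them only when the peer is our proxy.
        if (xForwardedFor == null || !trustedProxies.contains(peerAddr)) {
            return peerAddr;
        }
        // $proxy_add_x_forwarded_for appends the address nginx saw to whatever
        // the client sent, so walk right to left and stop at the first hop
        // that is not one of our proxies.
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return peerAddr;
    }

    static boolean allowed(String peer, String xff, Set<String> proxies, Set<String> whitelist) {
        return whitelist.contains(resolve(peer, xff, proxies));
    }

    public static void main(String[] args) {
        // All addresses below are constructed sample values.
        Set<String> proxies = Set.of("172.17.0.3");      // the nginx container
        Set<String> whitelist = Set.of("198.51.100.10"); // the permitted server

        // Genuine request from the whitelisted server, relayed by nginx.
        System.out.println("via nginx, genuine: " + allowed("172.17.0.3", "198.51.100.10", proxies, whitelist));
        // Client 203.0.113.7 supplied its own X-Forwarded-For naming the whitelisted
        // address; nginx appended the real one, and that is the entry checked.
        System.out.println("via nginx, forged header: " + allowed("172.17.0.3", "198.51.100.10, 203.0.113.7", proxies, whitelist));
        // Request that did not come through nginx: the header is ignored entirely.
        System.out.println("direct to Jetty: " + allowed("172.17.0.9", "198.51.100.10", proxies, whitelist));
    }
}
```

In the servlet, `peerAddr` would be `request.getRemoteAddr()` and `xForwardedFor` would be `request.getHeader("X-Forwarded-For")`, read before any customizer rewrites the remote address.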