1

I successfully configured a two-image multi-container instance on the Azure cloud, but in my nginx access logs I retrieve only what I think are internal IPs (10.240.xxx.xx). This still happens after having implemented the real IP package for nginx.

My guess is that container instances are masked behind a common load balancer dedicated to the specific pool.

I instantiate the container instance through the command:

az container create

Here is my default nginx configuration:

user  nginx;
worker_processes  1;

error_log  /preferred/path/nginx_error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format main '$proxy_add_x_forwarded_for - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent"' ;

    access_log /preferred/path/nginx_access.log main;

    sendfile        on;

    keepalive_timeout  65;

    include /etc/nginx/conf.d/*.conf;
}
daemon off;

And here is my site configuration:

server {    
    listen 80;

    set_real_ip_from xxx.xx.xxx.x/xx;

    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    location / {        
        try_files $uri @proxy_to_app;
    }
    location @proxy_to_app {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;

        proxy_redirect off;
        proxy_pass http://localhost:5000;
    }
}

I set the real IP from a Cloudflare post. So far it seemed the most reliable and up to date.

Does anyone know what happens exactly? Is it possible anyhow to get the real client IP through any other header? It is also possible that there is something incorrect in the way I set up the real IP, but all the documentation I found online was rather confusing to me.

Neo
  • 448
  • 7
  • 18

2 Answers

0

Well, you can get a quick understanding of Azure Container Instances from "Azure Container Instances and container orchestrators".

Just like Docker, the container has an IP, the host has an IP, and there will also be a public IP to help the container connect to the Internet. While the underlying infrastructure for container instances is managed by Azure, you can know, and only need to know, the public IP for your container instance to connect.

Everything you can see from the CLI command is shown in the Azure Container Instance template. For the IP, only the public IP is shown to you.

Charles Xu
  • 29,862
  • 2
  • 22
  • 39
  • I believe that there was a misunderstanding. The point is about the IP address which I receive from the exposed port through NGINX. NGINX is containerised together with the application, in a multi-container instance, so they share the same host and can then communicate through localhost. – Neo Feb 21 '19 at 12:57
  • @Neo Well, what do you mean with the real IP? The application container inside the container group? – Charles Xu Feb 21 '19 at 13:54
  • I want to retrieve the IP of the requests received from outside the instance. As I wrote, I always receive the same one, which is either the IP of NGINX itself (and then I did something wrong with the config) or is something related to the cloud. – Neo Feb 21 '19 at 13:59
  • @Neo The IP that you see is the host IP, in my opinion. The traffic from outside the container group just accesses the public IP of the container group, and is then routed to the host IP. That is why the IP you see does not change. – Charles Xu Feb 21 '19 at 14:15
  • Let me rephrase everything: what I want is the IP of the people trying to access the reverse proxy. I already know the IP of the instance itself. – Neo Feb 21 '19 at 15:05
  • @Neo I know what you want. But as far as I know you cannot achieve that. All the traffic will be redirected from the underlying infrastructure that hosts container groups, so all the traffic just comes from one place -- the container host. – Charles Xu Feb 22 '19 at 07:59
  • I see. Thank you for your time. I will switch to another solution then. – Neo Feb 22 '19 at 16:01
  • @Neo Well, if the answer is helpful you can accept it. Or if you solve it you can add your answer for others who search this. – Charles Xu Feb 23 '19 at 03:40
  • @CharlesXu your explanatory comments are helpful, but your original answer was not answering the original question – Vince Bowdren Oct 29 '21 at 08:53
0

It turns out that any CI (container instance) generated by Azure is part of a bigger Kubernetes cluster. It is then impossible to access the real client IP, due to a setting in the service automatically generated in the CI process. Indeed, I could reproduce the behaviour in my own Kubernetes cluster, and get the source IP through the following answer: How to get client IP address from inside a Azure Kubernetes with a LoadBalancer service

Neo
  • 448
  • 7
  • 18
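
The following is an added example, not part of the original question or answers and not nginx source code. It is a simplified Python model of the documented `set_real_ip_from` / `real_ip_header` / `real_ip_recursive` selection logic, showing why the question's configuration keeps logging the 10.240.x.x peer and why an over-broad trusted range is unsafe. All addresses and ranges are constructed samples standing in for the redacted values, and ports inside the header are not handled.

```python
"""Simplified model of nginx realip address selection (added illustration)."""
from ipaddress import ip_address, ip_network


def resolve_client_ip(remote_addr, xff_header, trusted_cidrs, recursive=True):
    """Return the address nginx would expose as $remote_addr after realip."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    addr = ip_address(remote_addr)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]

    # The header is consulted only while the current address is a trusted proxy.
    while hops and any(addr in net for net in trusted):
        try:
            addr = ip_address(hops.pop())  # walk the header right to left
        except ValueError:
            break  # unparsable entry: keep the address found so far
        if not recursive:
            break  # real_ip_recursive off: last entry only
    return str(addr)


# Constructed sample values (documentation ranges, not from the question).
PLATFORM_PEER = "10.240.0.4"     # stands in for the 10.240.x.x peer in the logs
PLATFORM_RANGE = "10.240.0.0/16"  # assumed range covering that peer
CDN_RANGE = "198.51.100.0/24"    # stands in for the redacted set_real_ip_from
CLIENT = "203.0.113.7"


def scenarios():
    return {
        # Peer is outside the trusted list: the header is ignored entirely.
        "peer_untrusted": resolve_client_ip(PLATFORM_PEER, CLIENT, [CDN_RANGE]),
        # Peer trusted, but no X-Forwarded-For arrives: nothing to recover.
        "no_header": resolve_client_ip(PLATFORM_PEER, None, [PLATFORM_RANGE]),
        # Peer and CDN hop trusted, header present: client recovered.
        "recovered": resolve_client_ip(
            PLATFORM_PEER, f"{CLIENT}, 198.51.100.9", [PLATFORM_RANGE, CDN_RANGE]),
        # Trusting every source lets a client-supplied leftmost entry win.
        "trust_all": resolve_client_ip(
            PLATFORM_PEER, f"192.0.2.66, {CLIENT}", ["0.0.0.0/0"]),
    }


if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name:15} -> {ip}")
```

The first two cases match what the thread describes: the peer is not in the trusted range, and traffic arriving from the container host carries no forwarding header to fall back on.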