With the following setup:

only the YARP container has published ports. It correctly sets the `X-Forwarded-*` headers for other containers to use. But unfortunately it's the docker compose gateway address.

When I want to log the (public) client's IP address, I get `::ffff:172.18.0.1`, which is the docker compose gateway IP address. Somehow I need to tell docker to put the public IP address in the `X-Forwarded-For` header, which will then be used by my reverse proxy.

My containers run inside their own network:

```yaml
services:
  yarp:
    ...
    networks:
      - mynet
```

I can see the created network:

```
$ docker network ls
NETWORK ID     NAME                                      DRIVER    SCOPE
2bf19f507987   dockercompose1502733..._mynet             bridge    local
```

and to see the details:

```
$ docker network inspect 2bf
[
  {
    "Name": "dockercompose1502733..._mynet",
    "Id": "2bf...",
    "Created": "...",
    "Scope": "local",
    "Driver": "bridge",
    "EnableIPv6": false,
    "IPAM": {
      "Driver": "default",
      "Options": null,
      "Config": [
        {
          "Subnet": "172.18.0.0/16",
          "Gateway": "172.18.0.1" // this is the address I get for public requests
        }
      ]
    },
    "Internal": false,
    "Attachable": true,
    "Ingress": false,
    "ConfigFrom": {
      "Network": ""
    },
    "ConfigOnly": false,
    "Containers": {
      "b82645911...": {
        "Name": "YARP",
        "EndpointID": "fb1b...",
        "MacAddress": "02:42:ac:...",
        "IPv4Address": "172.18.0.10/16",
        "IPv6Address": ""
      },
      ...
    },
    "Options": {},
    "Labels": {
      "com.docker.compose.network": "mynet",
      "com.docker.compose.project": "dockercompose1502733...",
      "com.docker.compose.version": "1.29.2"
    }
  }
]
```

Parsa99
  • What is docker compose gateway? I can't find a reference to that anywhere. – davidfowl Aug 26 '22 at 04:46
  • Just to be clear, are you saying YARP is setting the X-Forwarded-For header to the wrong value? – davidfowl Aug 27 '22 at 17:25
  • No, as far as I understand YARP is working fine. It gets the `::ffff:172.18.0.1` IP address from docker and puts this value in the `X-Forwarded-For` for others to use. The question is how can I access the client's public IP address (which is lost inside the docker-compose network)? – Parsa99 Aug 29 '22 at 04:30
  • `::ffff:172.18.0.1` is the [IPv4-mapped IPv6 address](https://en.wikipedia.org/wiki/IPv6#IPv4-mapped_IPv6_addresses) notation of the gateway, which is a bit weird. Do you want to run this setup with IPv4-only or also with IPv6? For IPv4 `docker` should already configure the network correctly; for IPv6 some additional manual configuration is needed to work as expected. Also, you did test this with a connection from another device and not just from the host itself using `http://localhost`? – acran Nov 30 '22 at 10:59

1 Answer

You could do `network_mode: host` for the reverse proxy service: https://docs.docker.com/compose/compose-file/#network_mode

Be mindful though, because:

> `host`: which gives the container raw access to host’s network interface

It looks like this is your only solution: https://github.com/docker/roadmap/issues/157

I assume this is a production workload. You might be better off migrating to Kubernetes, where you will certainly face another set of problems :) but this one is not a problem; at least with ingress-nginx I was able to configure it.

zsolt
  • https://stackoverflow.com/questions/74596620/docker-compose-changing-the-network-mode-to-host-results-in-error-error-res – Parsa99 Nov 28 '22 at 06:10
  • @Parsa99 you will need to drop `networks: mynetwork` from "gateway" container and use `network_mode: host` instead so it can use the network of the host. After that you need to forward ports of the other containers to the host that you want to reach from the "gateway" container – zsolt Nov 29 '22 at 08:27
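
How a backend behind the proxy can resolve the client address from `X-Forwarded-For` and flag the symptom from the question, where the resolved "client" is the bridge gateway. This is an added example, not code from the question, the answer or YARP; the gateway and YARP addresses come from the `docker network inspect` output above, while the trusted-proxy set, the function names and the sample requests are assumptions.

```python
import ipaddress

# Addresses taken from the `docker network inspect` output in the question.
BRIDGE_GATEWAY = ipaddress.ip_address("172.18.0.1")
# Assumption: the backend sees the proxy connect from the YARP container's
# address. Adjust to whatever peer address the proxy really has.
TRUSTED_PROXIES = {ipaddress.ip_address("172.18.0.10")}


def normalize(raw):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(raw.strip())
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6Address has it
    return mapped if mapped is not None else ip


def client_ip(peer, x_forwarded_for):
    """Return (address, source_lost) for one request.

    `peer` is the TCP peer the backend sees. X-Forwarded-For is honoured
    only when that peer is a trusted proxy, and is walked right to left so
    that entries a client prepended itself are never reached.
    """
    addr = normalize(peer)
    if addr in TRUSTED_PROXIES and x_forwarded_for:
        for hop in reversed(x_forwarded_for.split(",")):
            try:
                candidate = normalize(hop)
            except ValueError:
                break  # malformed hop: keep the last address we validated
            addr = candidate
            if addr not in TRUSTED_PROXIES:
                break
    # The bridge gateway as "client" means Docker replaced the source
    # address before the proxy saw the connection.
    return addr, addr == BRIDGE_GATEWAY


if __name__ == "__main__":
    # Constructed sample requests: (peer, X-Forwarded-For header value).
    samples = [
        ("172.18.0.10", "::ffff:172.18.0.1"),          # case from the question
        ("172.18.0.10", "203.0.113.7"),                # proxy saw real source
        ("172.18.0.10", "198.51.100.9, 203.0.113.7"),  # client-prepended hop
        ("172.18.0.22", "203.0.113.7"),                # untrusted peer
    ]
    for peer, xff in samples:
        addr, lost = client_ip(peer, xff)
        print(f"{peer:12} {xff:28} -> {addr} source_lost={lost}")
```

Logging `source_lost` alongside the address makes it easy to see whether a change such as `network_mode: host` on the proxy actually restored the public client address.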