3

I am running NGINX as part of a Docker package. It is both a webserver and a reverse proxy, and the container has PHP bundled in with it. The front-end web application is built with Laravel. There are some instances where I want to get the client's IP address, and this seems to a little problematic in some cases. This isn't for the proxy, but for the web application served with NGINX and PHP.

On my development system at home I am getting an IP for the docker network when connecting with a browser from my local machine.

$_SERVER['SERVER_ADDR'] = 172.19.0.10
$_SERVER['REMOTE_ADDR'] = 172.19.0.1

On a Digital Ocean Dev server it has:

$_SERVER['SERVER_ADDR'] 172.27.0.16
$_SERVER['REMOTE_ADDR'] 213.225.x.xx, which is Austria, my IP

and on a Production server elsewhere I think it has:

$_SERVER['SERVER_ADDR'] ???
$_SERVER['REMOTE_ADDR'] = The WAN IP for the office where the server is installed.

This isn't the client IP, but the WAN address for the office itself.

The server at that office is behind I think a WatchGuard or Fortigate router / Firewall.

So, the Digital Ocean Dev server is actually "OK". I have access to what I need, but the office setup probably isn't setup to forward the client ip to the server that runs on their internet ?

It isnt' critical currently, but it would be nice to be able to capture to public client IP in all cases.

I could do a little more investigation with log files, etc., but pretty sure I'll have to:

  1. Possibly configure something in my NGINX config

and/or

  1. Have someone configure the firewall to pass through the client IP because it seems like it isn't doing that currently, or I'm not capturing what it is sending.
SScotti
  • 2,158
  • 4
  • 23
  • 41
  • Check your headers for a [`Forwarded`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded) header or `X-Forwarded-For` header. Sometimes you may need to configure the proxy/firewall to include these headers – apokryfos Nov 13 '22 at 19:10
  • I think they are missing / not set. $_SERVER["HTTP_X_FORWARDED_FOR"] && $_SERVER["HTTP_CLIENT_IP"]. I am presuming that the router / firewall will have to configured to pass them through ? Regarding my local setup, it does seem a little weird that it is reporting an IP for the Docker network instead of the IP for my machine, like 127.0.0.1 or 192.168.xxx.xxx ? Is that related to my nginx.conf or docker-compose.yml setup ? – SScotti Nov 13 '22 at 19:24
  • https://stackoverflow.com/questions/11452938/how-to-use-http-x-forwarded-for-properly – SScotti Nov 13 '22 at 19:25
  • Use `print_r($_SERVER);` or something to have look of what's there. – Markus Zeller Nov 13 '22 at 19:25
  • I did that. I just rendered phpinfo() and looked at that. – SScotti Nov 13 '22 at 19:25
  • 1
    I think you would get a faster and "better" response if you ask this on [sf] – matiaslauriti Nov 13 '22 at 19:27

1 Answers1

3

The nginx proxy at the office can be configured to pass the client's IP address using the proxy_set_header directive.

The nginx reverse proxy docs here show an example:

location /some/path/ {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass http://localhost:8000;
}

In the config block where the reverse proxy proxy_pass directive is set, adding proxy_set_header X-Real-IP $remote_addr; tells the proxy to inject a new HTTP header, X-Real-IP, with the IP address of the client. In the Laravel app, you can use this to get the actual client IP. In your application, make sure only to use this header when it can be trusted1.

This is necessary because the proxy is taking and re-sending the client's request via the proxy server from its own network address. The only way the application can get the original client IP for the request being proxied is if that IP address is passed in the headers by the proxy.

1 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#security_and_privacy_concerns

drew010
  • 68,777
  • 11
  • 134
  • 162