I have a docker container with nginx.

nginx.conf:
```nginx
events {}
http {
    log_format custom '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';
    server {
        listen 80;
        access_log /var/log/nginx/access_combined_custom.log custom;
        location / {
            proxy_pass http://172.17.0.4:8789;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
        }
    }
}
```
In access_combined_custom.log:

```text
172.17.0.1 - - [01/Aug/2023:12:25:27 +0300] "GET / HTTP/1.1" 200 8498 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
```
How do I force $remote_addr to take the real IP (not the docker gateway)?
UPDATED

The reason is "iptables": false in /etc/docker/daemon.json.

It seems iptables should help (Can I obtain real user ip with "iptables": false enabled?) but I got the error "iptables v1.8.7 (nf_tables): no command specified" on "iptables -t nat -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE".

I've put "iptables": true and restarted the service to get my iptables nat (iptables -t nat -L):
```text
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !localhost/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  172.17.0.0/16        anywhere
MASQUERADE tcp  --  172.17.0.2           172.17.0.2           tcp dpt:http

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:172.17.0.2:80
```
Unfortunately these commands don't work:

```sh
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE && \
iptables -t nat -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
```
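A check that can be run over the access log while debugging this, added here as an example that is not part of the original question or of nginx/Docker: it parses lines in the `custom` log_format defined above and counts how many entries carry a Docker bridge address in $remote_addr instead of a client address. When every entry comes from the bridge, the log has lost the real client IPs, so rate limiting, abuse investigation and any IP-based access control behind this proxy are working on the gateway address only. It assumes the default docker0 subnet 172.17.0.0/16 seen in the question; the sample log lines are constructed (the first one is the line from the question).

```python
"""Audit an nginx access log written in the question's `custom` log_format
and flag entries whose $remote_addr is a Docker bridge address.

Added example, not from the original post. The bridge subnet is an
assumption (default docker0, as in the question) and SAMPLE_LOG is constructed.
"""
import ipaddress
import re
from collections import Counter

# Field order follows the log_format from the question:
#   $remote_addr - $remote_user [$time_local] "$request" $status
#   $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"$'
)

# Assumption: default docker0 bridge; the gateway 172.17.0.1 lives here.
DOCKER_BRIDGE = ipaddress.ip_network("172.17.0.0/16")

# Constructed sample; line 1 is the entry shown in the question.
SAMPLE_LOG = [
    '172.17.0.1 - - [01/Aug/2023:12:25:27 +0300] "GET / HTTP/1.1" 200 8498 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_0) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/87.0.4280.88 Safari/537.36"',
    '172.17.0.1 - - [01/Aug/2023:12:25:30 +0300] "POST /login HTTP/1.1" 401 120 "-" "curl/8.1.2"',
    '203.0.113.7 - - [01/Aug/2023:12:26:01 +0300] "GET /admin HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    'this line is not in the custom format',
]


def parse_line(line):
    """Return a dict of the log fields, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["body_bytes_sent"] = int(rec["body_bytes_sent"])
    return rec


def is_bridge_addr(addr):
    """True if addr falls inside the Docker bridge subnet (or is unparsable as an IP -> False)."""
    try:
        return ipaddress.ip_address(addr) in DOCKER_BRIDGE
    except ValueError:
        return False


def audit(lines):
    """Return (parsed_count, bridge_count, Counter of remote_addr values).

    Lines that do not match the format are skipped, not counted.
    """
    records = [r for r in (parse_line(l) for l in lines) if r is not None]
    per_addr = Counter(r["remote_addr"] for r in records)
    bridge_count = sum(n for addr, n in per_addr.items() if is_bridge_addr(addr))
    return len(records), bridge_count, per_addr


def client_ips_hidden(lines):
    """True when every parsed entry came from the bridge, i.e. no client IP survived the proxy path."""
    total, bridge_count, _ = audit(lines)
    return total > 0 and bridge_count == total


if __name__ == "__main__":
    total, bridge_count, per_addr = audit(SAMPLE_LOG)
    print(f"parsed {total} entries, {bridge_count} from the Docker bridge")
    for addr, n in per_addr.most_common():
        tag = "bridge" if is_bridge_addr(addr) else "client"
        print(f"  {addr:<16} {n:>4}  ({tag})")
    print("client IPs hidden:", client_ips_hidden(SAMPLE_LOG))
```

Run it against the real file with `audit(open("/var/log/nginx/access_combined_custom.log"))`; a result where the bridge count equals the parsed count reproduces the symptom in the question, and a mix of bridge and public addresses after a configuration change shows which requests still arrive via the gateway.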