使用haproxy docker访问nextcloud docker内的客户端ip
我有一个docker容器正在运行,我想在nextcloud docker日志中查看客户端的真实ip地址。但是目前我只能从haproxy容器中看到ip地址,我已经为添加了选项forwardfor,但它仍然不起作用 我的码头工人:使用haproxy docker访问nextcloud docker内的客户端ip,docker,ip-address,haproxy,nextcloud,fail2ban,Docker,Ip Address,Haproxy,Nextcloud,Fail2ban,我有一个docker容器正在运行,我想在nextcloud docker日志中查看客户端的真实ip地址。但是目前我只能从haproxy容器中看到ip地址,我已经为添加了选项forwardfor,但它仍然不起作用 我的码头工人: version: '3' services: db: image: linuxserver/mariadb restart: always environment: - MYSQL_ROOT_PASSWORD= - P
version: '3'
services:
db:
image: linuxserver/mariadb
restart: always
environment:
- MYSQL_ROOT_PASSWORD=
- PUID=100
- PGID=100
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_PASSWORD=
volumes:
- /home/raspi/nextcloud-docker/volumen/mariadb/:/config
app:
image: nextcloud:apache
restart: always
volumes:
- /home/raspi/nextcloud-docker/volumen/nextcloud/:/var/www/html
environment:
- VIRTUAL_HOST=
- LETSENCRYPT_HOST=
- LETSENCRYPT_EMAIL=
- MYSQL_HOST=db
- OVERWRITEPROTOCOL=https
env_file:
- db.env
depends_on:
- db
networks:
- proxy-tier
- default
haproxy:
restart: always
image: haproxy:2.1.7
volumes:
- /home/raspi/nextcloud-docker/haproxy/config:/usr/local/etc/haproxy/
- /home/raspi/nextcloud-docker/haproxy/certs/haproxy/:/usr/local/etc/ssl/
ports:
- 8080:8080
networks:
- proxy-tier
depends_on:
- app
networks:
proxy-tier:
我的haproxy.cfg:
global
maxconn 50
tune.ssl.default-dh-param 2048
log stdout format raw local0
defaults
log global
mode http
timeout tunnel 1h
timeout http-request 1h
timeout connect 20s
option forwardfor
option http-server-close
frontend https
bind *:8080 ssl crt /usr/local/etc/ssl/website.org
http-request redirect scheme https code 301 if !{ ssl_fc }
default_backend nextcloud
timeout client 1h
backend nextcloud
server app1 app:80
timeout server 1h
nextcloud日志:
{"reqId":"GoyJSJ8Jl1xAUf9xARf6","level":2,"time":"2020-09-11T23:41:54+00:00","remoteAddr":"172.29.0.3","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: malo (Remote IP: 172.29.0.3)","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36","version":"19.0.0.12"}
{"reqId":"A4n1pk3sU8Bsh0pkMjfB","level":2,"time":"2020-09-11T23:43:27+00:00","remoteAddr":"172.29.0.3","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: malo3 (Remote IP: 172.29.0.3)","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36","version":"19.0.0.12"}
如您所见,仅从haproxy容器获取ip地址。我已经补充了
选项将
转发到haproxy.cfg并添加
'trusted_proxies' => array('172.29.0.3'),
'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
重新启动,但没有任何效果。我需要这个让fail2ban工作。
我缺少什么?我必须使代理层网络保持静态,以便我的网络看起来像这样:
networks:
proxy-tier:
ipam:
config:
- subnet: 174.20.0.0/24
而应用程序和haproxy容器我必须放上:
networks:
proxy-tier:
ipv4_address: 174.20.0.x
现在添加haproxy容器ip地址:
environment:
- TRUSTED_PROXIES=174.20.0.x
现在它工作了 您是否已验证
haproxy
是否设置了正确的x-forwarded-for
标题(例如,通过某种详细记录,或tcpdump
或其他方式)?您确定172.29.0.3
是正确的地址吗?每次打开compose堆栈时,haproxy容器可能会有不同的ip地址。好的,现在我做了一个tcpdump,如果我做了tcpdump-i any-s 0-a | grep x-forwarded-for
我会得到客户端ip地址。所以问题可能在nextcloud容器中……除非您的受信任的\u代理的值有问题。您是对的。这就是问题所在!现在它起作用了。