Fatal编程技术网
  • docker/
  • 使用haproxy docker访问nextcloud docker内的客户端ip

使用haproxy docker访问nextcloud docker内的客户端ip

docker

使用haproxy docker访问nextcloud docker内的客户端ip,docker,ip-address,haproxy,nextcloud,fail2ban,Docker,Ip Address,Haproxy,Nextcloud,Fail2ban,我有一个docker容器正在运行,我想在nextcloud docker日志中查看客户端的真实ip地址。但是目前我只能从haproxy容器中看到ip地址,我已经为添加了选项forwardfor,但它仍然不起作用 我的码头工人: version: '3' services: db: image: linuxserver/mariadb restart: always environment: - MYSQL_ROOT_PASSWORD= - P

我有一个docker容器正在运行,我想在nextcloud docker日志中查看客户端的真实ip地址。但是目前我只能从haproxy容器中看到ip地址,我已经为添加了选项forwardfor,但它仍然不起作用

我的码头工人:

version: '3'

services:
  db:
    image: linuxserver/mariadb
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=
      - PUID=100
      - PGID=100
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=
    volumes:
      - /home/raspi/nextcloud-docker/volumen/mariadb/:/config

  app:
    image: nextcloud:apache
    restart: always
    volumes:
      - /home/raspi/nextcloud-docker/volumen/nextcloud/:/var/www/html
    environment:
      - VIRTUAL_HOST=
      - LETSENCRYPT_HOST=
      - LETSENCRYPT_EMAIL=
      - MYSQL_HOST=db
      - OVERWRITEPROTOCOL=https
    env_file:
      - db.env
    depends_on:
      - db
    networks:
      - proxy-tier
      - default

  haproxy:
    restart: always

    image: haproxy:2.1.7
    volumes:
      - /home/raspi/nextcloud-docker/haproxy/config:/usr/local/etc/haproxy/
      - /home/raspi/nextcloud-docker/haproxy/certs/haproxy/:/usr/local/etc/ssl/
    ports:
      - 8080:8080
    networks:
      - proxy-tier
    depends_on:
      - app

networks:
  proxy-tier:
我的haproxy.cfg:


global
        maxconn 50
        tune.ssl.default-dh-param 2048
        log stdout format raw local0

defaults
        log global
        mode http
        timeout tunnel 1h
        timeout http-request 1h
        timeout connect 20s
        option forwardfor
        option http-server-close

frontend https
        bind *:8080 ssl crt /usr/local/etc/ssl/website.org
        http-request redirect scheme https code 301 if !{ ssl_fc }
        default_backend nextcloud
        timeout client 1h

backend nextcloud
        server app1 app:80
        timeout server 1h
nextcloud日志:

{"reqId":"GoyJSJ8Jl1xAUf9xARf6","level":2,"time":"2020-09-11T23:41:54+00:00","remoteAddr":"172.29.0.3","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: malo (Remote IP: 172.29.0.3)","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36","version":"19.0.0.12"}
{"reqId":"A4n1pk3sU8Bsh0pkMjfB","level":2,"time":"2020-09-11T23:43:27+00:00","remoteAddr":"172.29.0.3","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: malo3 (Remote IP: 172.29.0.3)","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36","version":"19.0.0.12"}
如您所见,仅从haproxy容器获取ip地址。我已经补充了 
选项将
转发到haproxy.cfg并添加

  'trusted_proxies' => array('172.29.0.3'),
  'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
重新启动,但没有任何效果。我需要这个让fail2ban工作。
我缺少什么?

我必须使代理层网络保持静态,以便我的网络看起来像这样:

networks:
  proxy-tier:
    ipam:
      config:
        - subnet: 174.20.0.0/24
而应用程序和haproxy容器我必须放上:

    networks:
      proxy-tier:
        ipv4_address: 174.20.0.x
现在添加haproxy容器ip地址:

environment:
  - TRUSTED_PROXIES=174.20.0.x
现在它工作了

您是否已验证
haproxy
是否设置了正确的
x-forwarded-for
标题(例如,通过某种详细记录,或
tcpdump
或其他方式)?您确定
172.29.0.3
是正确的地址吗?每次打开compose堆栈时,haproxy容器可能会有不同的ip地址。好的,现在我做了一个tcpdump,如果我做了
tcpdump-i any-s 0-a | grep x-forwarded-for
我会得到客户端ip地址。所以问题可能在nextcloud容器中……除非您的
受信任的\u代理的值有问题。您是对的。这就是问题所在!现在它起作用了。