Reverse proxy IP address is 127.0.0.1

[ghost]

The IP address in the logs is 127.0.0.1 (as shown using Login Audit plugin) when the docker container is used with nginx in reverse proxy mode. For example in production.log:

Started GET "/redmine/news" for 127.0.0.1 at 2018-06-25 20:41:16 +0000

I use the following nginx location configuration which works great with GitLab when using the proper settings in gitlab.rb, namely: real_ip_trusted_addresses, real_ip_header and real_ip_recursive but that's a GitLab specific configuration to handle an external reverse proxy.

My question is: how to achieve the same as with GitLab but with your redmine docker container? In other words, what config in nginx and redmine shall I use to get the client's real IP in redmine's logs?

proxy_read_timeout     3600;
proxy_connect_timeout  300;
proxy_redirect         off;
proxy_buffering off;

proxy_set_header  Host               $http_host;
proxy_set_header  X-Real-IP          $remote_addr;
proxy_set_header  X-Forwarded-For    $proxy_add_x_forwarded_for;
proxy_set_header  X-Forwarded-Proto  $scheme;
proxy_set_header  X-Frame-Options    SAMEORIGIN;

# Fix for: Failed to load resource: net::ERR_INCOMPLETE_CHUNKED_ENCODING
chunked_transfer_encoding  on;

I've also tried: proxy_set_header Client-IP $remote_addr; and even CLIENT_IP as suggested elsewhere, but without success.

I believe this nginx config block to be solid, but it seems that redmine needs some magic to start using the right http fields provided by nginx (eg X-Real-IP or Client-IP).

The docker instance is created as follows:

docker run \
       --detach \
       --restart=always \
       --name redmine \
       --hostname redmine \
       -p 3000:80 \
       -e DB_ADAPTER=mysql2 \
       -e DB_HOST=XXXX \
       -e DB_USER=XXXX \
       -e DB_NAME=XXXX \
       -e DB_PASS=XXXX \
       -e REDMINE_RELATIVE_URL_ROOT='/redmine' \
       -e SMTP_USER=XXXX \
       -e SMTP_PASS=XXXX \
       -v /dev/rtc:/dev/rtc:ro \
       -v /mnt/XXXX/docker/redmine:/home/redmine/data \
       --link mysql \
       sameersbn/redmine:latest

Thanks!

[jcormier]

Do you get the correct ip addresses in the nginx/redmine_access.log file?

[ghost]

Yes, I don't browse redmine from localhost :)

nginx's access.log file:

192.168.1.254 - - [26/Jun/2018:07:48:53 -0400] "GET /redmine/ HTTP/1.1" 302 114 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36"

and the matching entry in redmine's production.log file:

Started GET "/redmine/" for 127.0.0.1 at 2018-06-26 07:48:53 +0000

[jcormier]

Are your nginx changes to the nginx config inside the container?

[ghost]

The only nginx I'm changing is on the host, outside the container.
I didn't know that there's a nginx inside the container.

[jcormier]

Ahh okay, I figured that might be whats going on.

There is an option to disable the internal nginx server though I'm not sure if it works. #148

Alternatively, if you want to update the internal nginx config so it properly forwards the real ip and create a pull request. https://github.com/sameersbn/docker-redmine/tree/master/assets/runtime/config/nginx