Added the ability to see Real IPs if Nginx is running under another proxy (such as Traefik).

2020-10-06 10:51:10 +02:00 · 2020-10-06 10:51:10 +02:00 · fb1a0182e2
commit fb1a0182e2
parent 2e0a8307d1
4 changed files with 19 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -175,6 +175,11 @@ Default value :
 Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace XXX with HTTP code.  
 For example : `ERROR_404=/404.html` means the /404.html page will be displayed when 404 code is generated. The path is relative to the root web folder.

+`PROXY_REAL_IP`
+Values : *yes* | *no*
+Default value : *no*
+Use this kind of environment variable to define whether you're using Nginx inside another proxy, this means you will see "X-Forwarded-For" instead of regular "Remote-Addr" IPs inside your logs. Modsecurity will also then work correctly.
+
 ## HTTPS
 `AUTO_LETS_ENCRYPT`  
 Values : *yes* | *no*  
--- a/confs/nginx.conf
+++ b/confs/nginx.conf
@ -62,7 +62,8 @@ http {
 	server_tokens %SERVER_TOKENS%;

 	# write logs to local syslogd
-	access_log syslog:server=unix:/dev/log,nohostname,facility=local0 combined;
+        %PROXY_REAL_IP%
+        access_log syslog:server=unix:/dev/log,nohostname,facility=local0 %LOG_TYPE%;	
 	error_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=warn;

 	# lua path
--- a/confs/proxy-real-ip.conf
+++ b/confs/proxy-real-ip.conf
@ -0,0 +1,3 @@
+log_format proxy '$http_x_real_ip - $remote_user [$time_local]  '
+                          '"$request" $status $body_bytes_sent '
+                          '"$http_referer" "$http_user_agent"';
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -131,6 +131,7 @@ USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
 LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
 LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
 LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
+PROXY_REAL_IP="${PROXY_REAL_IP-no}"

 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
@ -354,6 +355,14 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
 fi
+if [ "$PROXY_REAL_IP" = "yes" ] ; then
+        replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
+        replace_in_file "/etc/nginx/server.conf" "%LOG_TYPE%" "proxy"
+else
+        replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" ""
+        replace_in_file "/etc/nginx/server.conf" "%LOG_TYPE%" "combined"
+fi
+

 ERRORS=""
 for var in $(env) ; do