From fb1a0182e2d9fefda51652e8383331e0afe5c9c6 Mon Sep 17 00:00:00 2001
From: Alex Jarmoszuk
Date: Tue, 6 Oct 2020 10:51:10 +0200
Subject: [PATCH] Added the ability to see Real IPs if Nginx is running under another proxy (such as Traefik).
---
 README.md | 5 +++++
 confs/nginx.conf | 3 ++-
 confs/proxy-real-ip.conf | 3 +++
 entrypoint.sh | 9 +++++++++
 4 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 confs/proxy-real-ip.conf
diff --git a/README.md b/README.md
index 523d9d3..14af2a2 100644
--- a/README.md
+++ b/README.md
@@ -175,6 +175,11 @@ Default value : Use this kind of environment variable to define custom error page depending on the HTTP error code. Replace XXX with HTTP code. For example : `ERROR_404=/404.html` means the /404.html page will be displayed when 404 code is generated. The path is relative to the root web folder.
+`PROXY_REAL_IP`
+Values : *yes* | *no*
+Default value : *no*
+Use this kind of environment variable to define whether you're using Nginx inside another proxy, this means you will see "X-Forwarded-For" instead of regular "Remote-Addr" IPs inside your logs. Modsecurity will also then work correctly.
+
 ## HTTPS
 `AUTO_LETS_ENCRYPT`
 Values : *yes* | *no*
diff --git a/confs/nginx.conf b/confs/nginx.conf
index 33d033d..fcdb3ae 100644
--- a/confs/nginx.conf
+++ b/confs/nginx.conf
@@ -62,7 +62,8 @@ http {
 server_tokens %SERVER_TOKENS%;
 # write logs to local syslogd
- access_log syslog:server=unix:/dev/log,nohostname,facility=local0 combined;
+ %PROXY_REAL_IP%
+ access_log syslog:server=unix:/dev/log,nohostname,facility=local0 %LOG_TYPE%;
 error_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=warn;
 # lua path
diff --git a/confs/proxy-real-ip.conf b/confs/proxy-real-ip.conf
new file mode 100644
index 0000000..bc6b799
--- /dev/null
+++ b/confs/proxy-real-ip.conf
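Review bot: The `%PROXY_REAL_IP%` and `%LOG_TYPE%` tokens added to confs/nginx.conf in this hunk are substituted by the new entrypoint.sh block against /etc/nginx/server.conf, while the neighbouring `%USE_MODSECURITY%` token from this same file is replaced in /etc/nginx/nginx.conf; unless server.conf is generated from nginx.conf, which the diff does not show, both tokens survive in the running config and nginx rejects it at startup, in both the yes and no branches. The entrypoint calls should target the same file as the existing one, e.g. `replace_in_file "/etc/nginx/nginx.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"` and likewise for `%LOG_TYPE%` in both branches. A comment above the placeholder, `# %PROXY_REAL_IP% expands to the proxy log_format include when PROXY_REAL_IP=yes; must precede access_log`, would make the coupling and the ordering requirement visible to the next reader. The `http {` block continues outside the hunk.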
@@ -0,0 +1,3 @@
+log_format proxy '$http_x_real_ip - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
diff --git a/entrypoint.sh b/entrypoint.sh
index 967272b..3bc0c5d 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -131,6 +131,7 @@ USE_LIMIT_REQ="${USE_LIMIT_REQ-yes}"
 LIMIT_REQ_RATE="${LIMIT_REQ_RATE-20r/s}"
 LIMIT_REQ_BURST="${LIMIT_REQ_BURST-40}"
 LIMIT_REQ_CACHE="${LIMIT_REQ_CACHE-10m}"
+PROXY_REAL_IP="${PROXY_REAL_IP-no}"
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
@@ -354,6 +355,14 @@ if [ "$USE_MODSECURITY" = "yes" ] ; then
 else
 replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
 fi
+if [ "$PROXY_REAL_IP" = "yes" ] ; then
+ replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" "include /etc/nginx/proxy-real-ip.conf;"
+ replace_in_file "/etc/nginx/server.conf" "%LOG_TYPE%" "proxy"
+else
+ replace_in_file "/etc/nginx/server.conf" "%PROXY_REAL_IP%" ""
+ replace_in_file "/etc/nginx/server.conf" "%LOG_TYPE%" "combined"
+fi
+
 ERRORS=""
 for var in $(env) ; do
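Review bot: The new `proxy` format on the first added line logs `$http_x_real_ip`, which is the X-Real-IP request header exactly as received, so any client that can reach nginx without passing through the trusted proxy, or whose header the proxy forwards unmodified, chooses the address that lands in the logs, and anything that reads these logs to block or rate-limit addresses is steered by that value. The README text in this same commit says X-Forwarded-For and that ModSecurity will "work correctly", but this hunk changes only log output; the `$remote_addr` ModSecurity and the rest of the config see is unchanged. The robust form uses ngx_http_realip_module so `$remote_addr` itself is rewritten only for connections arriving from the trusted proxy, e.g. `set_real_ip_from <TRUSTED_PROXY_CIDR>;` and `real_ip_header X-Real-IP;` (placeholder for the proxy's address range), after which the existing `combined` format already logs the real client; if this format is kept, logging `$remote_addr` alongside preserves the proxy-side address for correlation. Whether the image's nginx is built with the realip module is not visible in this diff.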
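Review bot: The `include /etc/nginx/proxy-real-ip.conf;` written by the first added `replace_in_file` line in the second entrypoint.sh hunk points at a runtime path, but the diffstat lists no Dockerfile or copy step for the new confs/proxy-real-ip.conf; unless the build already copies confs/ wholesale, the include target is missing and nginx fails to start only when PROXY_REAL_IP=yes, which is easy to miss in testing. The toggle also treats every value other than the literal `yes` as the non-proxy configuration with no message, so a typo such as `YES` silently keeps the old log format; a comment on the `if` line, `# PROXY_REAL_IP: only "yes" switches to the proxy log format; anything else keeps combined`, would document that. The script continues past the hunk.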