如何解决使用haproxy docker访问nextcloud docker内部的客户端ip
我有一个正在运行的docker容器,我想在nextcloud docker日志上查看客户端的真实IP地址。但是目前我只能从haproxy容器中看到IP地址,我已经添加了option forwardfor
,但仍然无法正常工作。
我的docker-compose:
version: '3'
services:
db:
image: linuxserver/mariadb
restart: always
environment:
- MysqL_ROOT_PASSWORD=
- PUID=100
- PGID=100
- MysqL_DATABASE=nextcloud
- MysqL_USER=nextcloud
- MysqL_PASSWORD=
volumes:
- /home/raspi/nextcloud-docker/volumen/mariadb/:/config
app:
image: nextcloud:apache
restart: always
volumes:
- /home/raspi/nextcloud-docker/volumen/nextcloud/:/var/www/html
environment:
- VIRTUAL_HOST=
- LETSENCRYPT_HOST=
- LETSENCRYPT_EMAIL=
- MysqL_HOST=db
- OVERWRITEPROTOCOL=https
env_file:
- db.env
depends_on:
- db
networks:
- proxy-tier
- default
haproxy:
restart: always
image: haproxy:2.1.7
volumes:
- /home/raspi/nextcloud-docker/haproxy/config:/usr/local/etc/haproxy/
- /home/raspi/nextcloud-docker/haproxy/certs/haproxy/:/usr/local/etc/ssl/
ports:
- 8080:8080
networks:
- proxy-tier
depends_on:
- app
networks:
proxy-tier:
我的haproxy.cfg:
global
maxconn 50
tune.ssl.default-dh-param 2048
log stdout format raw local0
defaults
log global
mode http
timeout tunnel 1h
timeout http-request 1h
timeout connect 20s
option forwardfor
option http-server-close
frontend https
bind *:8080 ssl crt /usr/local/etc/ssl/website.org
http-request redirect scheme https code 301 if !{ ssl_fc }
default_backend nextcloud
timeout client 1h
backend nextcloud
server app1 app:80
timeout server 1h
Nextcloud日志:
{"reqId":"GoyJSJ8Jl1xAUf9xARf6","level":2,"time":"2020-09-11T23:41:54+00:00","remoteAddr":"172.29.0.3","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login Failed: malo (Remote IP: 172.29.0.3)","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/83.0.4103.97 Safari/537.36","version":"19.0.0.12"}
{"reqId":"A4n1pk3sU8Bsh0pkMjfB","time":"2020-09-11T23:43:27+00:00","message":"Login Failed: malo3 (Remote IP: 172.29.0.3)","version":"19.0.0.12"}
如您所见,仅从haproxy容器获取ip地址。我已经添加了
option forwardfor
到haproxy.cfg并添加了
'trusted_proxies' => array('172.29.0.3'),'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
,然后重新启动,但没有任何效果。我需要这样做才能使fail2ban正常工作。 我想念什么?
解决方法
我必须将代理层网络设为静态,因此我的网络如下所示:
networks:
proxy-tier:
ipam:
config:
- subnet: 174.20.0.0/24
以及应用程序和haproxy容器,我必须输入以下内容:
networks:
proxy-tier:
ipv4_address: 174.20.0.x
,然后添加haproxy容器ip地址:
environment:
- TRUSTED_PROXIES=174.20.0.x
现在可以了!
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。