$remote_address from within a docker image of nginx is 10.255.0.2 instead of the actual source IP


#1

We expect in the docker image of an nginx we’re running - that $remote_addr will be the source IP of a machine that is surfing to this nginx.
Instead, the source IP seems to be an internal IP address related to docker swarm.
We see that 10.255.0.2 address when we run docker network inspect ${INGRESS_NETWORK_HASH}


#2

Depending on your setup, there are different ways to approach this.

If there’s a load balancer (or a reverse proxy) in front of this service, you can add standard HTTP headers to pass client info, like X-Real-IP and X-Forwarded-For.

If it’s an option, you can use host network mode for your containers.
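
Added example, not part of the original thread and not nginx's own code: a sketch of how a service behind the swarm ingress can pick the client address out of X-Forwarded-For without letting clients forge it. The ingress subnet 10.255.0.0/16 is an assumption (the thread only shows 10.255.0.2), and 192.0.2.10 and the function names are constructed for illustration.

```python
import ipaddress

# Assumptions for this sketch: the swarm ingress subnet and one constructed
# upstream proxy address. Replace with the networks you actually control.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("10.255.0.0/16", "192.0.2.10/32")]


def is_trusted(addr):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, x_forwarded_for):
    """Return the address to log or rate-limit on.

    peer_addr is the TCP peer (what nginx exposes as $remote_addr);
    x_forwarded_for is the raw header value, or None if absent.
    """
    # A peer that is not a known proxy gets no say: ignore its headers.
    if not is_trusted(peer_addr) or not x_forwarded_for:
        return peer_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk right to left: each proxy appends the address it saw, so only the
    # rightmost entries were written by infrastructure we control. Anything
    # further left may have been supplied by the client.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the TCP peer
        if not is_trusted(hop):
            return hop  # first address not vouched for by a trusted proxy
    # Every hop was a trusted proxy (or the header was effectively empty).
    return hops[0] if hops else peer_addr
```

Because every connection through the ingress shows up as a 10.255.0.x peer, as the first post observes, trusting that subnet is only sound when the published port is reachable solely through the load balancer.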


#3

Sometimes it’s an option to add a load balancer in front of the setup - sometimes it complicates the setup significantly.

We’ve tried to add the host network mode on the nginx container - and it didn’t help:

services:
  web:
    image: registry.replicated.com/___
    restart: always
    ports:
      - "443:443"
      - "80:80"
    network_mode: host
    ...

#4

@dmitriy - did we add the network_mode in the right place? Any update about this?


#5

I would double check that the container is actually running with that mode. This option is ignored in some versions. There is more info here.


#6

Yep, it’s ignored in docker-compose version 3, and to my understanding we’re using version 3.3.
I also see that network mapping is incompatible with network_mode: host.
I’ll try to remove the network mapping.

@Ohad_Maislish ^^


#7

When we used the long syntax to define the ports with network_mode host it did work.
Thanks!!

For reference - this is how our ports are defined now:

services:
  web:
    image: registry.replicated.com/___
    restart: always
    ports:
      - target: 443
        published: 443
        mode: host
        protocol: tcp
      - target: 80
        published: 80
        mode: host
        protocol: tcp