【发布时间】:2020-09-12 00:27:49
【问题描述】:
我有一个 docker 容器正在运行,我想在 nextcloud docker 日志上查看来自客户端的真实 IP 地址。但是目前我只能从 haproxy 容器中看到 ip 地址,我已经添加了option forwardfor,但它仍然不起作用。
我的 docker-compose:
version: '3'
services:
db:
image: linuxserver/mariadb
restart: always
environment:
- MYSQL_ROOT_PASSWORD=
- PUID=100
- PGID=100
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_PASSWORD=
volumes:
- /home/raspi/nextcloud-docker/volumen/mariadb/:/config
app:
image: nextcloud:apache
restart: always
volumes:
- /home/raspi/nextcloud-docker/volumen/nextcloud/:/var/www/html
environment:
- VIRTUAL_HOST=
- LETSENCRYPT_HOST=
- LETSENCRYPT_EMAIL=
- MYSQL_HOST=db
- OVERWRITEPROTOCOL=https
env_file:
- db.env
depends_on:
- db
networks:
- proxy-tier
- default
haproxy:
restart: always
image: haproxy:2.1.7
volumes:
- /home/raspi/nextcloud-docker/haproxy/config:/usr/local/etc/haproxy/
- /home/raspi/nextcloud-docker/haproxy/certs/haproxy/:/usr/local/etc/ssl/
ports:
- 8080:8080
networks:
- proxy-tier
depends_on:
- app
networks:
proxy-tier:
我的 haproxy.cfg:
global
maxconn 50
tune.ssl.default-dh-param 2048
log stdout format raw local0
defaults
log global
mode http
timeout tunnel 1h
timeout http-request 1h
timeout connect 20s
option forwardfor
option http-server-close
frontend https
bind *:8080 ssl crt /usr/local/etc/ssl/website.org
http-request redirect scheme https code 301 if !{ ssl_fc }
default_backend nextcloud
timeout client 1h
backend nextcloud
server app1 app:80
timeout server 1h
nextcloud 日志:
{"reqId":"GoyJSJ8Jl1xAUf9xARf6","level":2,"time":"2020-09-11T23:41:54+00:00","remoteAddr":"172.29.0.3","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: malo (Remote IP: 172.29.0.3)","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36","version":"19.0.0.12"}
{"reqId":"A4n1pk3sU8Bsh0pkMjfB","level":2,"time":"2020-09-11T23:43:27+00:00","remoteAddr":"172.29.0.3","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: malo3 (Remote IP: 172.29.0.3)","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36","version":"19.0.0.12"}
如您所见,仅从 haproxy 容器中获取 IP 地址。我已经添加了
option forwardfor 到 haproxy.cfg 并添加了
'trusted_proxies' => array('172.29.0.3'),
'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
然后重新启动,但没有任何效果。我需要这个来使 fail2ban 工作。 我错过了什么?
【问题讨论】:
-
您是否验证过
haproxy设置了正确的x-forwarded-for标头(例如,通过某种详细日志记录或tcpdump或其他方式)?您确定172.29.0.3是正确的地址吗?每次打开 compose 堆栈时,haproxy 容器可能有不同的 ip 地址。 -
好的,现在我做了一个 tcpdump,如果我做了
tcpdump -i any -s 0 -A | grep x-forwarded-for,我得到了客户端 IP 地址。所以问题可能出在 nextcloud 容器内。 -
...除非您对
trusted_proxies的值有问题。 -
你是对的。这就是问题所在!现在可以了。
标签: docker ip-address haproxy nextcloud fail2ban