Nginx behind Traefik Docker Swarm mode real ip
This issue was discussed on github #614.
When the upstream service receives requests forwarded from Traefik, the
X-Forwarded-For
header contains an IP address from the overlay network, not the actual client address.
To overcome this, you can use the new way of declaring service ports in docker-compose >=3.2 (LONG SYNTAX).
Then you ensure that traefik is attached to host network and will send the right X-Forwarded-For
header (see below mode: host
for the 80 port):
version: "3.2"services: traefik: ... ports: - "8080:8080" - target: 80 published: 80 protocol: tcp mode: host - "443:443" ...
Finally, you have to change the nginx log_format in the http {} section
. That can be done through volume binding of a nginx.conf
configuration file:
nginx: .. volumes: - /data/nginx/nginx.conf:/etc/nginx/nginx.conf
you'd have nginx.conf
with this:
http { ... log_format main '$http_x_forwarded_for - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent "$http_referer" ' '"$http_user_agent"' ;
Tested on an AWS ec2, the traefik_nginx
service (I called my stack traefik
) logs like this:
$ docker service logs -f traefik_nginx...traefik_nginx.1.qpxyjheql5uk@xxx | 82.253.xxx.xxx - - [20/Jun/2017:08:46:51 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.104 Safari/537.36"