NGINX + APACHE real IP for reverse proxy

  • #1

    My EspoCRM instance runs in a Docker container behind an Nginx reverse proxy. Everything has been going well for around 1.5 years, including expansion(s). Thanks to the developers!

    However, what bothers me in this setup is that I only see the IP of the Docker instance in the auth protocol, but not the real IP of the user. The same applies to the Apache log file.

    I took a closer look at it today. The following configuration is set on the Nginx Reverse Proxy side:

    Code:
    # set_real_ip_from 0.0.0.0/0 believes X-Forwarded-For from EVERY peer, so any
    # client can pick the address nginx records and forwards; limit it to the
    # proxies actually in front of nginx, or drop the three real_ip lines when
    # clients connect to nginx directly
    set_real_ip_from 0.0.0.0/0;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    # $proxy_add_x_forwarded_for appends $remote_addr (already rewritten by the
    # realip module above) to whatever X-Forwarded-For the client sent
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    Still, Apache / EspoCRM only shows the internal Docker IP, not the real client IP.

    This can be remedied by switching on the Apache module remoteip inside the Docker container:
    Code:
    a2enmod remoteip
    with the appropriate configuration in the /etc/apache2/conf-available/remoteip.conf file:
    Code:
    # believed from any peer unless RemoteIPInternalProxy/RemoteIPTrustedProxy restrict it
    RemoteIPHeader X-Forwarded-For
    Apache must then be restarted:
    Code:
    apache2ctl restart
    From this point on, the correct IP is "passed through" to Apache / EspoCRM. Of course, this configuration is not permanent because it is a Docker instance.

    Is there a possibility that you will include this in the Docker development and that the remoteip module will be switched on, for example, via an environment variable (docker-compose)?

    Or is there an easier way that I've overlooked?

    Best regards
    Martin

  • #2
    Hi Martin,

    I do not run Espo in docker but with other applications I run the following in nginx.

    Code:
    # Proxy headers
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    
    # Websockets
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    
    # Do not kill websockets after 60s
    proxy_read_timeout 86400;
    And if you are behind a Cloudflare proxy I use the code below

    Code:
    # Cloudflare real-ip fix (ranges as published at https://www.cloudflare.com/ips/; re-check them when Cloudflare updates the list)
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 104.24.0.0/14;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2c0f:f248::/32;
    set_real_ip_from 2a06:98c0::/29;
    
    real_ip_header X-Forwarded-For;


    • esforim commented:
      Hopefully those are fake IP right? You should filter them if real.
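    The nginx `set_real_ip_from` block in the first post, the Cloudflare-restricted one in the reply above and the `RemoteIPHeader X-Forwarded-For` line in the container's remoteip.conf all run the same algorithm: start at the TCP peer, walk the X-Forwarded-For list from the right, and stop at the first hop that was not presented by a trusted proxy. The Python below is an added model of that walk for both nginx's realip module and Apache's mod_remoteip; it is not code from EspoCRM, nginx or Apache. The Docker network (172.18.0.0/16), nginx's address on it, and the client and forged addresses are constructed for the demonstration; the single Cloudflare range is taken from the list above.

```python
"""Model of X-Forwarded-For (XFF) trust resolution as nginx's realip module
and Apache's mod_remoteip do it.  Added illustration, not code from EspoCRM,
nginx or Apache; addresses and the Docker network below are constructed."""
import ipaddress


def _parse(addr):
    """ip_address for a header entry, or None if the entry is not an address."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _in_nets(addr, nets):
    ip = _parse(addr)
    return ip is not None and any(ip in n for n in nets)


def _split(xff):
    return [a.strip() for a in xff.split(",") if a.strip()]


def _walk(peer, xff, nets, recursive=True):
    """Right-to-left walk shared by both modules.

    Starting from the TCP peer (the only hop that cannot lie), each XFF entry
    is accepted as the new client candidate only while the current candidate
    is one of `nets`.  An empty `nets` accepts every hop, which is what
    mod_remoteip does when no RemoteIPInternalProxy/TrustedProxy is set."""
    candidate = peer
    for addr in reversed(_split(xff)):
        if nets and not _in_nets(candidate, nets):
            break                  # candidate is not a listed proxy: it is the client
        if _parse(addr) is None:
            break                  # unparsable hop: both modules keep what they have
        candidate = addr
        if not recursive:
            break                  # real_ip_recursive off: rightmost entry only
    return candidate


def nginx_realip(peer, xff, set_real_ip_from, recursive=True):
    """$remote_addr after ngx_http_realip_module (real_ip_header X-Forwarded-For)."""
    nets = _nets(set_real_ip_from)
    if not nets:
        return peer                # no set_real_ip_from: module inactive
    return _walk(peer, xff, nets, recursive)


def apache_remoteip(peer, xff, internal_proxies=()):
    """REMOTE_ADDR as PHP sees it after mod_remoteip (RemoteIPHeader X-Forwarded-For)."""
    return _walk(peer, xff, _nets(internal_proxies), recursive=True)


# Constructed topology: browser -> nginx on the host -> Apache in a Docker bridge network.
DOCKER_NET = "172.18.0.0/16"             # assumed compose bridge network
NGINX_IP = "172.18.0.2"                  # assumed address nginx uses towards the container
TRUST_ALL = ["0.0.0.0/0"]                # the posted `set_real_ip_from 0.0.0.0/0`
CLOUDFLARE_SAMPLE = ["173.245.48.0/20"]  # one range from the Cloudflare list above


def through_stack(client, client_xff, set_real_ip_from, internal_proxies):
    """Follow one request through nginx (realip, then proxy_set_header
    X-Forwarded-For $proxy_add_x_forwarded_for) into mod_remoteip.
    Returns (nginx $remote_addr, XFF sent upstream, REMOTE_ADDR in the container)."""
    remote_addr = nginx_realip(client, client_xff, set_real_ip_from)
    # $proxy_add_x_forwarded_for = incoming XFF + ", " + the (already rewritten) $remote_addr
    upstream_xff = f"{client_xff}, {remote_addr}" if client_xff else remote_addr
    return remote_addr, upstream_xff, apache_remoteip(NGINX_IP, upstream_xff, internal_proxies)


if __name__ == "__main__":
    client, forged = "203.0.113.9", "198.51.100.77"   # constructed: real client, header it forges
    print("posted nginx + posted remoteip.conf  :", through_stack(client, forged, TRUST_ALL, []))
    print("realip removed, remoteip.conf as is  :", through_stack(client, forged, [], []))
    print("realip removed + RemoteIPInternalProxy:", through_stack(client, forged, [], [DOCKER_NET]))
    print("request straight to the container port:", apache_remoteip(client, forged, []),
          "vs", apache_remoteip(client, forged, [DOCKER_NET]))
    print("behind Cloudflare, CF ranges trusted  :",
          nginx_realip("173.245.48.10", f"{forged}, {client}", CLOUDFLARE_SAMPLE))
```

    Running it shows the posted combination recording the forged address end to end, and, less obviously, that fixing only the nginx side is not enough: the container's remoteip.conf has no proxy list, so mod_remoteip walks past the honest address nginx appended and still ends on the forged leftmost entry. Adding `RemoteIPInternalProxy 172.18.0.0/16` (the Docker network, an assumption here) to that file stops the walk at the address nginx actually saw, and also covers requests that reach the container's port without passing through nginx. With Cloudflare in front, restricting `set_real_ip_from` to its published ranges gives the same result on the nginx side. On the EspoCRM side, once mod_remoteip is active PHP's `$_SERVER['REMOTE_ADDR']` already carries this filtered address, whereas `HTTP_X_FORWARDED_FOR` (the server param named later in the thread) is the raw header and can contain the whole comma-separated chain, client-supplied entries included.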

  • #3
    In v7.5 there will be a config parameter 'ipAddressServerParam' https://github.com/espocrm/espocrm/i...ent-1516354471.

    • #4
      Hi novastream,

      Originally posted by novastream:
      I do not run Espo in docker but with other applications I run the following in nginx.
      [...]
      Thanks for your answer. But you describe a different use case. The problem isn't the nginx, it's the apache in the docker container.

      And it looks like yuri (or the team) has a fix built into 7.5.

      esforim:
      the posted IPs from novastream are official IP ranges from Cloudflare, as you can see here: https://www.cloudflare.com/de-de/ips/

      Best regards,
      Martin

      • #5
        Originally posted by yuri:
        In v7.5 there will be a config parameter 'ipAddressServerParam' https://github.com/espocrm/espocrm/i...ent-1516354471.
        yuri: That's great, yuri. Thanks!

        • #6
          Originally posted by yuri:
          In v7.5 there will be a config parameter 'ipAddressServerParam' https://github.com/espocrm/espocrm/i...ent-1516354471.
          yuri: Is it possible to explain how to use this feature? Because after upgrading my Docker container, my Auth-Protocol contains the local IP and not the external IP anymore.

          • wusy8lqf commented:
            Hi mfr, I'm in the same situation (docker + NGINXPM). I've enabled websockets but am still seeing two errors. Did you manage to get your environment fixed?

          • mfr commented:
            Yes, I did it last week.

            You have to add
            Code:
            ESPOCRM_IPADDRESSSERVERPARAM: "HTTP_X_FORWARDED_FOR"
            to your environment.

            Or by editing the file config-internal.php manually with
            Code:
            'ipAddressServerParam' => 'HTTP_X_FORWARDED_FOR',

        • #7
          Awesome - thank you, matey! My whole Docker system has gone to a crawl with socket errors hitting it.

          Being as stupid as I am (I'm not a proud person): the "HTTP_X_FORWARDED_FOR", if mine is "crm.domain.com", is that what I put in?

          Originally posted by mfr:

          yuri: Is it possible to explain how to use this feature? Because after upgrading my Docker container, my Auth-Protocol contains the local IP and not the external IP anymore.
