NGINX + APACHE real IP for reverse proxy
-
Enabling remoteip inside the image was the only thing that fixed it, so I ended up baking it into my Dockerfile so it survived rebuilds. Your env-variable idea would be super handy. Funny enough, that project also pushed me into messing with network stuff for a scraping job and I had to Buy Static Residential Proxies—Enterprise-grade proxy solutions and advanced data extraction with personalized service—and that taught me way more about headers than I expected.
Last edited by KrisMarshall; 11-24-2025, 11:25 AM.
-
Awesome - thank you matey! My whole docker system has gone to a crawl with socket errors hitting it
Being as stupid as I am (I'm not a proud person), the "HTTP_X_FORWARDED_FOR" if mine is "crm.domain.com" is that what I put in?
yuri: Is it possible to explain how to use this feature. Because after upgrading my docker Container, my Auth-Protocol contains the local ip and not the external ip anymore.
-
yuri: Is it possible to explain how to use this feature. Because after upgrading my docker Container, my Auth-Protocol contains the local ip and not the external ip anymore.
In v7.5 there will be a config parameter 'ipAddressServerParam' https://github.com/espocrm/espocrm/i...ent-1516354471.
-
yuri: That's great, yuri. Thanks!
In v7.5 there will be a config parameter 'ipAddressServerParam' https://github.com/espocrm/espocrm/i...ent-1516354471.
-
Hi novastream,
Thanks for your answer. But you describe a different use case. The problem isn't the nginx, it's the apache in the docker container.
And it looks like yuri (or the team) has a fix built into 7.5.
esforim:
the posted IPs from novastream are official IP ranges from Cloudflare, as you can see here: https://www.cloudflare.com/de-de/ips/
Best regards,
Martin
-
Hopefully those are fake IP right? You should filter them if real.
-
In v7.5 there will be a config parameter 'ipAddressServerParam' https://github.com/espocrm/espocrm/i...ent-1516354471.
-
Hi Martin,
I do not run Espo in docker but with other applications I run the following in nginx.
Code:
# Proxy headers
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Do not kill websockets after 60s
proxy_read_timeout 86400;
And if you are behind a Cloudflare proxy I use the code below
Code:
# Cloudflare real-ip fix
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header X-Forwarded-For;
-
NGINX + APACHE real IP for reverse proxy
My EspoCRM instance runs in a Docker container behind an Nginx reverse proxy. Everything has been going well for around 1.5 years, including expansion(s). Thanks to the developers!
However, what bothers me in this setup is that I only see the IP of the Docker instance in the auth protocol, but not the real IP of the user. The same applies to the Apache log file.
I took a closer look at it today. The following configuration is set on the Nginx Reverse Proxy side:
Code:
set_real_ip_from 0.0.0.0/0;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
proxy_set_header host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
Still, Apache / EspoCRM only shows the internal Docker IP, not the real client IP.
This can be remedied by switching on the Apache module remoteip inside the Docker container:
Code:
a2enmod remoteip
with the appropriate configuration in the /etc/apache2/conf-available/remoteip.conf file:
Code:
RemoteIPHeader X-Forwarded-For
Apache must then be restarted:
Code:
apache2ctl restart
From this point on, the correct IP is "passed through" to Apache / EspoCRM. Of course, this configuration is not permanent because it is a Docker instance.
Is there a possibility that you will include this in the Docker development and that the remoteip module will be switched on, for example, via an environment variable (docker-compose)?
Or is there an easier way that I've overlooked?
Best regards
Martin
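
Added example (not part of the thread, and not nginx or Apache code): a small Python model of how a server that honours X-Forwarded-For decides which address to record, showing why the list of trusted senders (set_real_ip_from in the nginx snippets above) determines what ends up in the auth log. The function name, the sample addresses and the 172.18.0.0/16 Docker subnet are assumptions made for illustration.

```python
import ipaddress


def resolve_client_ip(peer_ip, xff_header, trusted_cidrs, recursive=True):
    """Model which address a proxy-aware server records as the client.

    peer_ip       -- address of the TCP peer that sent the request
    xff_header    -- raw X-Forwarded-For value, or None if absent
    trusted_cidrs -- networks whose forwarded header is believed
    recursive     -- keep walking left while each hop is itself trusted
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in trusted)

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    client = peer_ip
    for hop in reversed(hops):          # rightmost entry was added last
        if not is_trusted(client):
            break                       # untrusted sender: ignore what it claims
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                       # malformed entry: keep last good value
        client = hop
        if not recursive:
            break
    return client


# Constructed sample values (documentation ranges, not from the thread).
REAL_CLIENT = "203.0.113.7"
CLAIMED = "198.51.100.23"       # X-Forwarded-For value sent by the client itself
NGINX_PEER = "172.18.0.2"       # assumed address of nginx on the Docker network
DOCKER_NET = ["172.18.0.0/16"]  # assumed Docker bridge subnet

if __name__ == "__main__":
    # Edge proxy that trusts every sender, as with set_real_ip_from 0.0.0.0/0:
    print(resolve_client_ip(REAL_CLIENT, CLAIMED, ["0.0.0.0/0"]))
    # Same request, trust limited to the proxy network:
    print(resolve_client_ip(REAL_CLIENT, CLAIMED, DOCKER_NET))
    # Apache behind nginx, which appended the address it saw:
    print(resolve_client_ip(NGINX_PEER, f"{CLAIMED}, {REAL_CLIENT}", DOCKER_NET))
```

With every sender trusted, the recorded address is whatever the request header claimed; with trust limited to the proxy's own network, the header is only believed when it arrives from nginx.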