See Remote or Public IP in the Docker Container


So I've looked at a few posts about it and tested it.

As you can clearly see in the heading, I want to access (view) the public IP of my visitors in order to react to them.

The reason is that I have a website (CMS) system and it is currently heavily under siege by robots. The site is temporarily unavailable.

But in the logs in Docker or with Portainer I only see the IP of Traefik and not that of the "visitors".

What have I already tried:
I added this to my Traefik docker-compose:

- "--entryPoints.web.forwardedHeaders.insecure=true"
- "--entryPoints.websecure.forwardedHeaders.insecure=true"

My complete docker-compose looks like this:

volumes:
  letsencrypt-data:
    driver: local-persist
    driver_opts:
      mountpoint: ${CONTAINERVOLUMES}/letsencrypt

services:
  traefik:
    image: "traefik:v2.11"
    container_name: ${COMPOSE_PROJECT_NAME}
    command:
      - "--api=true"
      - "--api.dashboard=true"
      - "--log.level=INFO"
      - "--accesslog=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entryPoints.web.forwardedHeaders.insecure=true"
      - "--entrypoints.websecure.address=:443"
      - "--entryPoints.websecure.forwardedHeaders.insecure=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=${LETSENCRYPT_EMAIL}"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/${COMPOSE_PROJECT_NAME}.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - letsencrypt-data:/letsencrypt
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - "${PROXY_NETWORK}"
      - "default"
    labels:
      - traefik.enable=true
      # Routers
      - traefik.http.routers.http-catchall.entrypoints=web
      - traefik.http.routers.http-catchall.middlewares=redirect-to-https
      - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
      # HTTPS
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.rule=${HOSTRULE}
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.entrypoints=websecure
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.service=api@internal
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.tls.certresolver=myresolver
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.middlewares=${COMPOSE_PROJECT_NAME}_Auth
      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME}_Auth.basicauth.removeheader=true
      # Note on the password - every $ must be escaped with a second $
      # Generate the password: echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
      - traefik.http.middlewares.${COMPOSE_PROJECT_NAME}_Auth.basicauth.users=schicker-admin:$$apr1$$JVLXrtrU$$bSveDyD2xyuacOWe999BJ1
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      # TCP
      - traefik.tcp.routers.${COMPOSE_PROJECT_NAME}.entrypoints=mssql
      - traefik.tcp.routers.${COMPOSE_PROJECT_NAME}.service=api@internal
      - traefik.tcp.routers.${COMPOSE_PROJECT_NAME}.tls.certresolver=myresolver
      - traefik.tcp.routers.${COMPOSE_PROJECT_NAME}.middlewares=${COMPOSE_PROJECT_NAME}_Auth
    restart: ${RESTART}

networks:
  traefik_proxy:
    external:
      name: ${PROXY_NETWORK}
  default:
    driver: bridge

Where is my mistake? Or do I have to add something else to the CMS container?

Okay, apparently I'm on the right track.

In my test system I now have xxx.xxx.xxx.xxx in the Shopware backend instead of 138.201.0.0.

But in the log from the Docker container it says 172.18.0.3

How do I get the XXX.xxx.xxx.xxx into the Docker container, because it is the "actual IP"?

A TCP connection always has a source and a target, the two IPs between which the connection is taking place.

If you want the IP of a previous client in the chain of forwarded requests, you must use an additional protocol on top.

Options are ProxyProtocol, which needs to be enabled by both sender and receiver, or you check the headers of the HTTP requests (X-Forwarded-For, X-Real-Ip).
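The container log in the update above shows 172.18.0.3 because that is the TCP peer (Traefik's container address); the visitor's address only travels in the X-Forwarded-For / X-Real-Ip headers the answer mentions. The following is an added example, not code from the thread or from Traefik or Shopware, of how an application behind Traefik should resolve the visitor IP from those headers without letting a visitor forge it: the headers are believed only when the TCP peer is a trusted proxy, and X-Forwarded-For is walked from the right so that entries prepended by the client are skipped. The 172.18.0.0/16 trusted range, the header values and the sample requests are constructed assumptions based on the addresses quoted in the thread.

```python
import ipaddress

# Assumed trusted-proxy range: the Docker network Traefik lives on. 172.18.0.0/16 is
# inferred from the 172.18.0.3 address seen in the thread; adjust to your network.
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]


def _is_trusted(addr, trusted):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Resolve the visitor IP for a request that arrived through a reverse proxy.

    remote_addr is the TCP peer the container actually sees. X-Forwarded-For is only
    consulted when that peer is a trusted proxy, and it is read right-to-left so that
    hops appended by the proxy win over anything the visitor put in the header.
    Falls back to X-Real-Ip, then to remote_addr.
    """
    if not _is_trusted(remote_addr, trusted):
        # The connection bypassed the proxy: any forwarding header may be forged.
        return remote_addr
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    hops = [h.strip() for h in hdrs.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue  # another proxy in our chain, keep walking left
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: do not trust anything further left
    real_ip = hdrs.get("x-real-ip", "").strip()
    if real_ip:
        try:
            return str(ipaddress.ip_address(real_ip))
        except ValueError:
            pass
    return remote_addr


# Constructed sample requests as the container would see them (not captured traffic).
SAMPLE_REQUESTS = [
    # Normal case: Traefik forwards a visitor's request.
    {"remote_addr": "172.18.0.3",
     "headers": {"X-Forwarded-For": "203.0.113.7", "X-Real-Ip": "203.0.113.7"}},
    # Visitor supplied a forged X-Forwarded-For; the proxy appended the real peer address.
    {"remote_addr": "172.18.0.3",
     "headers": {"X-Forwarded-For": "10.0.0.1, 203.0.113.7"}},
    # Request hit the container directly, not via Traefik: the header must be ignored.
    {"remote_addr": "198.51.100.9",
     "headers": {"X-Forwarded-For": "203.0.113.7"}},
    # No forwarding headers at all.
    {"remote_addr": "172.18.0.3", "headers": {}},
]


def resolve_all(requests=SAMPLE_REQUESTS):
    """Resolve the visitor IP for each sample request."""
    return [client_ip(r["remote_addr"], r["headers"]) for r in requests]


if __name__ == "__main__":
    for req, ip in zip(SAMPLE_REQUESTS, resolve_all()):
        print(f"peer={req['remote_addr']:<15} visitor={ip}")
```

This is the address that should feed any bot blocking or rate limiting in the CMS; the container's own access log will keep showing 172.18.0.3 unless the web server is configured to log the forwarded header instead of the peer address. Note also that in the compose file above Traefik is the edge proxy (ports 80 and 443 are published directly), so it sets X-Forwarded-For itself; `forwardedHeaders.insecure=true` only tells Traefik to trust X-Forwarded-* headers arriving from any client, which lets a visitor influence the IP Traefik reports, so it is better left unset or replaced by `forwardedHeaders.trustedIPs` listing only a real upstream proxy.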