Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(nextcloud): Get real client IP from proxies and show X-Real-IP in Nextcloud logs #1260

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

feat(nextcloud): Get real client IP from proxies and show X-Real-IP in Nextcloud logs #1260

wants to merge 5 commits into from
+112 −2

Conversation

JulesTriomphe
Copy link
Contributor

This PR enables getting the clients' real IP addresses in Nextcloud when Nginx is itself behind a proxy, e.g. Cloudflare.

@JulesTriomphe JulesTriomphe changed the title feat(nextcloud): Get real client IP from proxies feat(nextcloud): Get real client IP from proxies and show X-Real-IP in Nextcloud logs Jan 2, 2025
@stavros-k
Copy link
Contributor

I'm wondering if we should just add an include directive in the nginx config and let users provide their own configurations.
It will become cumbersome to maintain/update the list of IPs and I imagine if this gets in,
that a lot of such customization will be requested/added afterwards, which then each will need it's own set of options.

What do you think?

@JulesTriomphe
Copy link
Contributor Author

That would be ideal. I would leave default Cloudflare configuration however since it's used by many users.

To reduce the maintenance burden, we can generate the Cloudflare IPs on pod startup.

So we could do something like this:

  • Have an option in questions.yaml to include custom configuration. This would make visible an option to mount an extra volume at /etc/nginx/includes/
  • Add an include statement below the location / block, in the server.http section like include /etc/nginx/includes/*.conf if the custom configuration option is selected
  • Have an option in questions.yaml to set real IPs from Cloudflare, which would activate (i.e. mount) the script in /docker-entrypoint.d/. This script would generate the list of Cloudflare IPs with set_real_ip_from directives in a /etc/nginx/includes/10-set-real-ip-from-cloudflare.conf file and would end with real_ip_header CF-Connecting-IP following the docs
  • Keep the apache2 config change as this helps in any case

The 10-... prefix will allow users to create configs that will be evaluated before the cloudflare one, since they are evaluated alphabetically.

What do you think ?

@stavros-k
Copy link
Contributor

I'm not sure I want having such scripts (eg for updating CF ips).

I think nginx will ingore includes if there are not files matched. So we can add it unconditionally, then present a storage option in the UI for nginx confs.

As for the apache log formats, what is the default/current format?
What happens if x-real-ip is empty?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@JulesTriomphe @stavros-k