I have Docker Swarm stack with nginx as reverse proxy set up on OVH vps. I was trying to make use of allow/deny directives in location, but if I set deny all; it wouldn't work even for the ip's added with allow directive. After looking at access logs I found out, that all requests allegedly come from IP 10.0.0.2. Now I tried to get the actual IP first to at least be shown in logs, but with no luck.
There is my nginx.conf:
events{}
http {
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
error_log /dev/stdout info;
log_format json_combined escape=json
'{'
'"time":"$time_local",'
'"httpRequest":{'
'"requestMethod":"$request_method",'
'"requestUrl":"$scheme://$host$request_uri",'
'"requestSize":$request_length,'
'"status":"$status",'
'"responseSize":$bytes_sent,'
'"userAgent":"$http_user_agent",'
'"remoteIp":"$remote_addr",'
'"serverIp":"$server_addr",'
'"referer":"$http_referer",'
'"latency":"${request_time}s",'
'"protocol":"$server_protocol"'
'}'
'}';
resolver 127.0.0.11 valid=30s;
include /etc/nginx/mime.types;
include /etc/nginx/sites-enabled/*.*;
}
proxy.conf:
set_real_ip_from 10.0.0.0/8;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-NginX-Proxy true;
proxy_cache_bypass $http_upgrade;
proxy_http_version 1.1;
proxy_read_timeout 20d;
proxy_buffering off;
proxy_request_buffering off;
proxy_intercept_errors on;
http2_push_preload on;
and my location:
location /api/ {
allow XXX.XX.XX.X;
deny all;
include /etc/nginx/proxy-options/proxy.conf;
set $ocelot ocelot-service;
proxy_pass http://$ocelot$uri$is_args$args;
proxy_ssl_session_reuse off;
proxy_redirect off;
client_max_body_size 5M;
}
What can I do so nginx logs actual IP of requester and if it's possible, to use the IP to compare with allow directive?