All IPs come from docker IP

docker

#1

I’m unsure whether this is an actual issue with Discourse but I recently updated docker to version 1.5.0 build a8a31ef and ever since then all requests to nginx come from the internal docker IP (172.17.42.1) instead of real IPs.

e.g.:

172.17.42.1 - - [05/Mar/2015:00:38:54 +0000] "POST /message-bus/redacted/poll?dlp=t HTTP/1.1" 200 22 "https://configdroid.com/admin/site_settings/category/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko/20100101 Firefox/35.0"
172.17.42.1 - - [05/Mar/2015:00:39:54 +0000] "POST /message-bus/redacted/poll?dlp=t HTTP/1.1" 200 22 "https://configdroid.com/admin/site_settings/category/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko/20100101 Firefox/35.0"

And if we look at the actual host and the docker interface it is:

docker0   Link encap:Ethernet  HWaddr 56:84:7a:fe:97:99
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::5484:7aff:fefe:9799/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1737 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1873 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1785399 (1.7 MB)  TX bytes:655050 (655.0 KB)

I have tried rebooting the whole host and that isn’t helping. I’ve also tried rebuilding the whole docker instance, still no luck.

My docker opts are DOCKER_OPTS="-H tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock --dns 8.8.8.8 --dns 8.8.4.4" although I’m doubtful they’re related.

There is no forward proxy sitting in front of the install, you hit the box directly. This only broke after the upgrade so I guess I’m missing an unconfigured docker conf. Any ideas?


(Kane York) #2

There must be something screwed up with the X-Forwarded-For trust lists.

Is that log from nginx or from Rails?

(Also, the message bus client IDs aren’t secret, they’re temporal random uuids just to distinguish one tab from another)


#3

I just thought I’d be safe with the message bus IDs :smiley:

As for the X-Forwarded-For trust lists, I’m adding some for CloudFlare, could that be breaking it?

run:
  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: /^add_header Strict-Transport-Security 'max-age=31536000';$/
     to: |
       add_header Strict-Transport-Security 'max-age=31536000';

       # Cloudflare
       set_real_ip_from   199.27.128.0/21;
       set_real_ip_from   173.245.48.0/20;
       set_real_ip_from   103.21.244.0/22;
       set_real_ip_from   103.22.200.0/22;
       set_real_ip_from   103.31.4.0/22;
       set_real_ip_from   141.101.64.0/18;
       set_real_ip_from   108.162.192.0/18;
       set_real_ip_from   190.93.240.0/20;
       set_real_ip_from   188.114.96.0/20;
       set_real_ip_from   197.234.240.0/22;
       set_real_ip_from   198.41.128.0/17;
       set_real_ip_from   162.158.0.0/15;
       set_real_ip_from   104.16.0.0/12;
       set_real_ip_from   2400:cb00::/32;
       set_real_ip_from   2606:4700::/32;
       set_real_ip_from   2803:f800::/32;
       set_real_ip_from   2405:b500::/32;
       set_real_ip_from   2405:8100::/32;
       real_ip_header     CF-Connecting-IP;

Weird thing is that it’s never caused an issue before. That log is from the nginx access.log.
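
The trust-list check discussed in posts #2 and #3, as an added example that is not part of the original thread or of Discourse's code: a simplified Python model of how nginx's realip module decides whether to honour `CF-Connecting-IP`. The function names, the shortened range list, and the 203.0.113.7 client address are constructed for illustration.

```python
import ipaddress

# Subset of the set_real_ip_from ranges posted above (not the full list).
CLOUDFLARE = ["173.245.48.0/20", "141.101.64.0/18", "108.162.192.0/18",
              "162.158.0.0/15", "104.16.0.0/12", "2606:4700::/32"]
DOCKER_BRIDGE = "172.17.0.0/16"  # docker0 network from the ifconfig output


def resolve_client_ip(peer, headers, trusted, header="CF-Connecting-IP"):
    """Simplified model of nginx realip (real_ip_recursive off).

    The header is honoured only when the TCP peer falls inside a trusted
    range; otherwise the peer address is what gets logged and rate limited.
    """
    peer_ip = ipaddress.ip_address(peer)
    nets = [ipaddress.ip_network(n) for n in trusted]
    if not any(peer_ip in net for net in nets):
        return str(peer_ip)
    lowered = {k.lower(): v for k, v in headers.items()}
    # For a comma-separated header the last entry is the one used.
    candidate = lowered.get(header.lower(), "").split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer_ip)  # missing or malformed header: keep the peer


def compare_trust_lists(peer, headers):
    """Resolve one request under the posted list and with the bridge added."""
    return {
        "cloudflare_only": resolve_client_ip(peer, headers, CLOUDFLARE),
        "with_bridge": resolve_client_ip(peer, headers,
                                         CLOUDFLARE + [DOCKER_BRIDGE]),
    }


if __name__ == "__main__":
    # Constructed requests; 203.0.113.7 is a documentation address.
    hdr = {"CF-Connecting-IP": "203.0.113.7"}
    print(compare_trust_lists("172.17.42.1", hdr))    # peer seen in the log
    print(compare_trust_lists("173.245.48.10", hdr))  # peer inside a CF range
    print(compare_trust_lists("172.17.42.1", {}))     # no header at all
```

With the bridge range trusted, the header is accepted from every connection whose source appears as the bridge address, so the resolved value is only as reliable as the path that traffic took to reach the container.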


(Kane York) #4

Okay, new question: what’s the “last seen IP” for your users in Discourse? If it’s just nginx with the perspective problem, you can turn off the nginx ratelimits and be “fine”.


#5

Last IP address is localhost (127.0.0.1)


#6

So downgrading Docker to version 1.4.0 from 1.5.0 fixed this issue. I don’t know what’s causing it in 1.5.0 but it clearly isn’t happy with me!