How do I make the top 30 IPs report work with a socketed container?


(Fábio Machado De Oliveira) #1

My install is a socketed container with an nginx proxy. My top 30 IP report shows just ‘unix’ as the single IP using the site. What did I do wrong?


(Kane York) #2

Do you have $proxy_add_x_forwarded_for set up correctly?


(Fábio Machado De Oliveira) #3

This is my nginx proxy config:

server {
        listen 80; listen [::]:80;
        # change this
        server_name www.noiapapps.com;

        location / {
                proxy_pass http://unix:/var/discourse/shared/noiap/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}

(Kane York) #4

Okay, so it’s there. Are there any other reverse proxies in front of this?


(Fábio Machado De Oliveira) #5

Not at the time of my last reply. The rest of my config is the standard of Ubuntu 14.04.2 LTS.
When my container was directly listening on port 80, it was showing the correct IPs. It runs on an Amazon EC2 server.


(Fábio Machado De Oliveira) #6

@riking I think it will work now. The IPs were in the container’s Nginx log. I entered the container, edited /etc/nginx/conf.d/discourse.conf, and changed the log_format line to:

log_format log_discourse '[$time_local] $http_x_real_ip "$request" "$http_user_agent" "$sent_http_x_discourse_route" $status $bytes_sent "$http_referer" $upstream_response_time $request_time "$sent_http_x_discourse_username"'; 

In my external nginx, I have this line:

proxy_set_header X-Real-IP $remote_addr;

I’ll have to wait for Discourse’s daily log analysis, but the internal nginx log is already showing the correct IPs, so it should work.


(Kane York) #7

You should be using the proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; directive, no?


(Fábio Machado De Oliveira) #8

I have both of them. I don’t know how to use log_format with X-Forwarded-For.


(Fábio Machado De Oliveira) #9

I found a way that is more correct for doing this (because it will work not only for logging, but for everything):

I edited the file /etc/nginx/conf.d/discourse.conf (inside the container, using ./launcher enter app)

server {
  set_real_ip_from 0.0.0.0/0;
  real_ip_header X-Forwarded-For;
  real_ip_recursive on;

There is probably a way to do it with the .yml file.

I think it is needed whenever Discourse is used behind an Nginx reverse proxy.


#10

I wouldn’t do it that way personally, as you’re effectively trusting everything ever, I think. Just trust everything from unix sockets using something like this in a template:

run:
  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: /gzip on;/m
     to: |
       gzip on;
       set_real_ip_from unix:;

And add it to your container config.
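
The difference between the two trust settings in posts #9 and #10, as an added example that is not part of the original thread or of Discourse's code: a simplified Python model of how the realip module picks the client address from X-Forwarded-For when real_ip_recursive is on. Assumptions: the addresses are constructed documentation-range samples, the function names are hypothetical, and post #9's 0.0.0.0/0 is modelled together with unix: so that the socket peer counts as trusted in both cases.

```python
import ipaddress

def proxy_add_xff(incoming, remote_addr):
    """What $proxy_add_x_forwarded_for sends: incoming header plus the peer address."""
    return f"{incoming}, {remote_addr}" if incoming else remote_addr

def is_trusted(addr, trusted):
    """Match addr against set_real_ip_from entries ('unix:' or a CIDR)."""
    for entry in trusted:
        if entry == "unix:" or addr == "unix:":
            if entry == addr:
                return True
        elif ipaddress.ip_address(addr) in ipaddress.ip_network(entry):
            return True
    return False

def resolve_client(peer, xff, trusted, recursive=True):
    """Simplified realip logic: walk X-Forwarded-For from right to left while
    the address resolved so far is trusted."""
    addr = peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops and is_trusted(addr, trusted):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # unparsable entry: keep the address resolved so far
        addr = candidate
        if not recursive:
            break
    return addr

# Constructed sample: the browser connects from 203.0.113.7 and sends its own
# X-Forwarded-For value; the outer nginx appends the address it actually saw.
CLIENT_SENT = "198.51.100.99"
REAL_PEER = "203.0.113.7"
HEADER = proxy_add_xff(CLIENT_SENT, REAL_PEER)

TRUST_ALL = ["unix:", "0.0.0.0/0"]   # post #9's range, plus the socket peer (assumption)
TRUST_SOCKET = ["unix:"]             # post #10's template

if __name__ == "__main__":
    for name, policy in (("trust all", TRUST_ALL), ("socket only", TRUST_SOCKET)):
        print(f"{name:12} -> {resolve_client('unix:', HEADER, policy)}")
```

With the socket-only policy the logged address is the one the outer nginx appended, whatever the client put in the header.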


(Kane York) #11

You should submit a PR to get that added to the socketed.template.yml file.


#12

All done!

https://github.com/discourse/discourse_docker/pull/199