yo @Falco, is the real_ip (provided by cf as CF-Connecting-IP header) coming through for you in nginx logs? it’s not for me. i just see cloudflared’s ip.
i think one or both of these things need to be done (will follow up after investigation):
- add a set_real_ip_from config line to nginx for cloudflared’s ip. if that turns out to be the problem, then i would guess none of the other set_real_ip_from lines (provided by templates/cloudflare.template.yml) are needed for argotunnel users. and in this case, maybe a separate argotunnel template should be added to the docker repo that pulls your cloudflared ip from an env var or something in your main app.yml.
- fix the log_format (confirmed unneeded). i think this is probably not the issue, though.
edit:
here’s what i’m doing to make it work:
don’t use the cloudflare template. there’s no point.
instead, merge this into your app.yml:
    hooks:
      after_web_config:
        - file:
            path: /etc/nginx/conf.d/cloudflare_tunnel_real_ip.conf
            contents: |
              # restore original visitor IPs (ngx_http_realip_module)
              set_real_ip_from 10.100.20.200/32; # your cloudflared/argotunnel IP range
              real_ip_header CF-Connecting-IP;
that automatically ends up in the nginx http context btw which is appropriate.
PS: imo, for cleanliness, the cloudflare template should also generate its nginx config into a separate file instead of using sed -i to add it to /etc/nginx/conf.d/discourse.conf.
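
Added example, not part of the original post and not Discourse or nginx code: a simplified Python model of the trust decision that the set_real_ip_from / real_ip_header pair expresses, plus a format-agnostic check for log lines that still show the tunnel address. The function names and the sample log lines are constructed for illustration; the 10.100.20.200/32 range is the value used in the post.

```python
import ipaddress

# Assumption: same range as the set_real_ip_from line in the post.
TRUSTED_PROXIES = [ipaddress.ip_network("10.100.20.200/32")]
REAL_IP_HEADER = "cf-connecting-ip"


def effective_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Simplified model of the realip decision: the header is honoured
    only when the TCP peer is inside a trusted range."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return str(peer)  # untrusted peer: client-supplied header ignored
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(REAL_IP_HEADER, "").strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return str(peer)  # header missing or malformed: keep peer address


def unrestored_lines(log_lines, trusted=TRUSTED_PROXIES):
    """Return log lines containing an address inside the trusted proxy
    range, i.e. requests logged with the tunnel IP instead of the visitor."""
    hits = []
    for line in log_lines:
        for token in line.split():
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue
            if any(addr in net for net in trusted):
                hits.append(line)
                break
    return hits


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:00:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '10.100.20.200 - - [01/Jan/2024:00:00:02 +0000] "GET /latest HTTP/1.1" 200 734',
]

if __name__ == "__main__":
    print(effective_client_ip("10.100.20.200", {"CF-Connecting-IP": "203.0.113.7"}))
    print(effective_client_ip("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"}))
    print(unrestored_lines(SAMPLE_LOG))
```

The second call shows why the trusted range should stay as narrow as the tunnel address itself: a peer outside it keeps its own address no matter what header it sends.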