I also want to use the PROXY protocol over any connection established to my Discourse server. The PROXY protocol informs the other end (i.e. Discourse server) about the addresses of the incoming connection, so that it can know the client’s address or the public address it accessed to. Without this change, Nginx will not know the client’s address and all logs will contain the address of your reverse-proxy server instead. The following changes do the trick:
root@talk3:/var/discourse# git diff
diff --git a/templates/web.template.yml b/templates/web.template.yml
index a60e6ef..55cb5f2 100644
--- a/templates/web.template.yml
+++ b/templates/web.template.yml
@@ -116,6 +116,19 @@ run:
to: daemon off;
- replace:
+ filename: /etc/nginx/nginx.conf
+ from: /# server_tokens off;/
+ to: |
+ server_tokens off;
+ real_ip_header proxy_protocol;
+ set_real_ip_from 192.168.1.19; # address of proxy server
+
+ - replace:
+ filename: "/etc/nginx/conf.d/discourse.conf"
+ from: /listen 80;$/
+ to: "listen 80 proxy_protocol;"
+
+ - replace:
filename: "/etc/nginx/conf.d/discourse.conf"
from: /upstream[^\}]+\}/m
to: "upstream discourse {
And instruct HAProxy to enforce use of the PROXY protocol to this server:
- server server-1 192.168.1.27:80 check
+ server server-1 192.168.1.27:80 check send-proxy
Finally do ./launcher rebuild app and verify it now logs the client addresses:
tail -F /var/discourse/shared/standalone/log/var-log/nginx/access.log