hi all,
I just found out the long and hard way about Cloudflare’s real_ip_header CF-Connecting-IP; setting in nginx…
I have a fairly complicated setup with nginx proxy manager being in its own docker image (I’m using SWAG from linuxserver.io, which is awesome BTW), so the connection path looks like this:
User -> Cloudflare -> Server(1st docker container: Nginx -> 2nd docker container: Discourse)
I have both docker containers in the same docker network, so they communicate; that’s fine.
I had a real issue trying to get the user’s origin IP in the Discourse logs. I read up all the nice threads here and added the cloudflare template to my app.yml file, but it still didn’t work…
After pulling my hair out, I realized that the issue was not the Cloudflare template per se, but the fact that the Discourse container was getting the IP address from the NGINX container and I had to add the docker network IP CIDR to the set_real_ip_from like this:
set_real_ip_from 172.18.0.0/16;
In order to help future hosters, would it be possible to add this line to the cloudflare template? The IP range 172.18.0.0/16 is anyway private, so even if you don’t have NPM in a docker container, it will not hurt to add this range.
My suggestion would be to change this line in cloudflare.template.yml:
sed -i "/sendfile on;/a $CONTENTS\nreal_ip_header CF-Connecting-IP;" /etc/nginx/conf.d/discourse.conf
to this line:
sed -i "/sendfile on;/a set_real_ip_from 172.18.0.0/16;\n$CONTENTS\nreal_ip_header CF-Connecting-IP;" /etc/nginx/conf.d/discourse.conf
What do you think?
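Added example, not part of the original post and not Discourse's or nginx's own code: a small Python model of how nginx's realip module (non-recursive mode) chooses the address it logs, showing why the Discourse container kept logging the proxy container's address until the Docker network was listed in set_real_ip_from. The range 198.51.100.0/24 (a stand-in for the Cloudflare ranges that $CONTENTS expands to), the container and client addresses, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed values: 198.51.100.0/24 stands in for the Cloudflare ranges in
# $CONTENTS; 172.18.0.0/16 is the Docker network CIDR quoted in the post.
CF_PLACEHOLDER = ["198.51.100.0/24"]
DOCKER_NET = "172.18.0.0/16"


def logged_client_ip(peer, headers, trusted, header="CF-Connecting-IP"):
    """Model of realip: return the client address nginx would log."""
    peer_ip = ipaddress.ip_address(peer)
    nets = [ipaddress.ip_network(cidr) for cidr in trusted]
    if not any(peer_ip in net for net in nets):
        return peer  # peer is not in set_real_ip_from: header is ignored
    value = {k.lower(): v for k, v in headers.items()}.get(header.lower())
    if value is None:
        return peer  # trusted peer, but no header to take the address from
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return peer  # unparsable header value: keep the connection address


def scenarios():
    """Constructed requests as seen by the nginx inside the Discourse container."""
    hdr = {"CF-Connecting-IP": "203.0.113.7"}
    both = CF_PLACEHOLDER + [DOCKER_NET]
    return {
        # Template only: the peer is the proxy container, so its IP is logged.
        "template_only": logged_client_ip("172.18.0.3", hdr, CF_PLACEHOLDER),
        # Docker network trusted: the visitor's address is restored.
        "with_docker_net": logged_client_ip("172.18.0.3", hdr, both),
        # Any peer inside the trusted range has its header believed.
        "other_container": logged_client_ip(
            "172.18.0.99", {"cf-connecting-ip": "192.0.2.1"}, both),
        # Malformed header from a trusted peer falls back to the peer address.
        "bad_header": logged_client_ip(
            "172.18.0.3", {"CF-Connecting-IP": "not-an-ip"}, both),
    }


if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name:16} -> {ip}")
```

The `other_container` case shows that every peer inside a set_real_ip_from range has its CF-Connecting-IP value accepted, so the range listed there is a trust decision about everything on that network, not only the proxy container.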