Docker unable to get client IP address #1309

Closed
2 of 3 tasks
Arcalise08 opened this issue Sep 29, 2021 · 11 comments

Arcalise08 commented Sep 29, 2021

  • This is a bug report
  • This is a feature request
  • I searched existing issues before opening this one

There seems to be an issue with how docker proxies requests to containers. I'm not exactly sure what is going on. But you can very easily test this by creating an ASP.NET instance (just a basic one and select use docker in Visual Studio). Give it a port number and fire a request to it. The remote IP address comes back as a docker IP address. Looking at the headers, I don't see an X-FORWARDED-FOR header being used. This makes it appear that all requests are coming from the same place.

This issue can be resolved by selecting host networking mode. However, that isn't a real fix and doesn't work if you plan to stage it on a cloud service like azure.

The only real workaround I can see is having requests come in outside of docker and have them place that header for docker, which isn't ideal. (I've also seen some talks that cloudflare\digital ocean will add this header for you)

This is critical for some of us who want to use geolocation or ip address based security.

@Arcalise08
Author

Bump^^ Many days of searching later and there are still no fixes found.

@SuperSandro2000

SuperSandro2000 commented Oct 11, 2021

Turn off the userland proxy and enable iptables based forwarding.

@Arcalise08
Author

> Turn off the userland proxy and enable iptables based forwarding.

This is an option only for those using docker-desktop. We cannot turn off userland proxy in azure.

I've also tried this in docker desktop and I was still receiving the docker ip address on hitting servers behind docker.

@SuperSandro2000

> This is an option only for those using docker-desktop.

no, add the following to /etc/docker/daemon.json:

{
  "iptables": true,
  "ip6tables": true,
  "userland-proxy": false
}

> We cannot turn off userland proxy in azure.

That is a problem of/from azure, not docker.

> I've also tried this in docker desktop and I was still receiving the docker ip address on hitting servers behind docker.

I don't know what docker desktop does but with docker-ce on a Linux machine this works like a charm and should be the default.

@Arcalise08
Author

Arcalise08 commented Oct 11, 2021

> > This is an option only for those using docker-desktop.
>
> no, add the following to /etc/docker/daemon.json:
>
> {
>   "iptables": true,
>   "ip6tables": true,
>   "userland-proxy": false
> }
>
> > We cannot turn off userland proxy in azure.
>
> That is a problem of/from azure, not docker.
>
> > I've also tried this in docker desktop and I was still receiving the docker ip address on hitting servers behind docker.
>
> I don't know what docker desktop does but with docker-ce on a Linux machine this works like a charm and should be the default.

I will attempt this and let you know if it does fix it. But this is most definitely a problem of docker. Although more control over docker's process would be nice on azure's part, when forwarding a request docker should add an X-FORWARDED-FOR header to the request. This would allow us to know exactly who is sending the request. It does not seem to do this and as such it would be a docker issue.

@SuperSandro2000

> When forwarding a request docker should add an X-FORWARDED-FOR header to the request. This would allow us to know exactly who is sending the request. It does not seem to do this and as such it would be a docker issue.

Docker is not touching the headers or anything inside the packets. Your reverse proxy is setting those headers but I can't set them to the correct values because the userland-proxy strips the packet origin IP address. The solution for that is to not use the userland-proxy and Azure should expose this setting.

@Arcalise08
Author

> > When forwarding a request docker should add an X-FORWARDED-FOR header to the request. This would allow us to know exactly who is sending the request. It does not seem to do this and as such it would be a docker issue.
>
> Docker is not touching the headers or anything inside the packets. Your reverse proxy is setting those headers but I can't set them to the correct values because the userland-proxy strips the packet origin IP address. The solution for that is to not use the userland-proxy and Azure should expose this setting.

Gotcha. I'll place a bug report over to azure if that is the case. Just to be sure I understand you: you're saying I can place daemon.json in /etc/docker inside the linux docker container and it will disable user-proxy? It seems like this should be the default if so. Would there be other side effects from having this disabled?

@SuperSandro2000

> You're saying I can place daemon.json in /etc/docker inside the linux docker container and it will disable user-proxy?

This needs to be done on the host.

> It seems like this should be the default if so. Would there be other side effects from having this disabled?

It is required for Windows and Mac hosts but on Linux hosts it is pretty pointless and breaks things. Only disadvantage is that you need iptables.

@Arcalise08
Author

Thanks for the help. For anyone else looking, Azure does apply a header called CLIENT-IP in production mode. This should hold the request IP for you. I found this after creating a server endpoint that parses headers and sends it back as a json array. This doesn't seem to be documented anywhere but it does seem dependable. So I'm going to close this for now. Thanks again!

@dendyadithya

@Arcalise08 hi can you help with this problem? My problem seems to be the same as yours, the difference is that I use my own server to deploy, I've followed everything, I've added the daemon.json configuration, but X-Forwarded-For always returns null

@Arcalise08
Author

Arcalise08 commented Dec 3, 2023

> @Arcalise08 hi can you help with this problem? My problem seems to be the same as yours, the difference is that I use my own server to deploy, I've followed everything, I've added the daemon.json configuration, but X-Forwarded-For always returns null

There's no real fix for this that I know of. It's due to Docker's network isolation feature. Docker containers run in separate network namespaces, each with its own internal IP address, creating a virtual network within the host.

The only way around it is to use host mode on the docker network settings or set up a reverse proxy in front of the docker container which forwards the requests to the docker container, appending the real client IP as a header like mentioned above.

I was wrong to think that docker should add the header itself. Although I think it would be nice if it did.
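
Editor's added example, not part of the thread and not code from Docker or any participant: when a reverse proxy supplies the client address in X-Forwarded-For, the application should accept that header only from the proxy itself, because a client that reaches a published container port directly can send any header value. The addresses and the `client_ip` helper below are hypothetical; 172.18.0.2 stands for the reverse proxy container and 172.18.0.1 for the Docker address the issue describes.

```python
import ipaddress

# Constructed addresses (assumptions, not from the thread):
#   172.18.0.2 = the reverse proxy container that appends X-Forwarded-For
#   172.18.0.1 = bridge gateway, the "Docker IP" seen for directly published ports
TRUSTED_PROXIES = {ipaddress.ip_address("172.18.0.2")}


def _parse(value):
    """Return an ip_address, or None when the text is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(peer, forwarded_for=None):
    """Pick the address to use for geolocation or IP-based rules.

    peer: TCP source address the app sees (the connection's remote address).
    forwarded_for: raw X-Forwarded-For value, or None when absent.
    """
    # A header sent by anything other than the known proxy is client-controlled.
    if not forwarded_for or _parse(peer) not in TRUSTED_PROXIES:
        return peer
    candidate = peer
    # Each proxy appends the address it saw, so walk from the right and stop
    # at the first hop that is not one of our own proxies.
    for hop in reversed(forwarded_for.split(",")):
        ip = _parse(hop)
        if ip is None:
            break  # malformed entry: keep the last address we could verify
        candidate = str(ip)
        if ip not in TRUSTED_PROXIES:
            break
    return candidate
```

ASP.NET Core's forwarded headers middleware expresses the same allow-list through its KnownProxies and KnownNetworks options.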
