fix: use nginx realip module (#2977)

* fix: use nginx realip module * use Docker default address pools
getsentry · May 6, 2024 · 23fa29d · 23fa29d
1 parent 9e36d2f
commit 23fa29d
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -43,11 +43,24 @@ http {
  proxy_next_upstream error timeout invalid_header http_502 http_503 non_idempotent;
  proxy_next_upstream_tries 2;
 
+ # Docker default address pools
+ # https://github.com/moby/libnetwork/blob/3797618f9a38372e8107d8c06f6ae199e1133ae8/ipamutils/utils.go#L10-L22
+ set_real_ip_from 172.17.0.0/16;
+ set_real_ip_from 172.18.0.0/16;
+ set_real_ip_from 172.19.0.0/16;
+ set_real_ip_from 172.20.0.0/14;
+ set_real_ip_from 172.24.0.0/14;
+ set_real_ip_from 172.28.0.0/14;
+ set_real_ip_from 192.168.0.0/16;
+ set_real_ip_from 10.0.0.0/8;
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+
  # Remove the Connection header if the client sends it,
  # it could be "close" to close a keepalive connection
  proxy_set_header Connection '';
  proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-For $remote_addr;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Request-Id $request_id;
  proxy_read_timeout 30s;