From 23fa29d38b5d1160249b9f8011b95000b98ee8fc Mon Sep 17 00:00:00 2001
From: Alexander Tarasov
Date: Mon, 6 May 2024 13:55:18 +0200
Subject: [PATCH] fix: use nginx realip module (#2977)
* fix: use nginx realip module
* use Docker default address pools
---
 nginx/nginx.conf | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 3f1e6d847f..febbadb59b 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -43,11 +43,24 @@ http {
 proxy_next_upstream error timeout invalid_header http_502 http_503 non_idempotent;
 proxy_next_upstream_tries 2;
+ # Docker default address pools
+ # https://github.com/moby/libnetwork/blob/3797618f9a38372e8107d8c06f6ae199e1133ae8/ipamutils/utils.go#L10-L22
+ set_real_ip_from 172.17.0.0/16;
+ set_real_ip_from 172.18.0.0/16;
+ set_real_ip_from 172.19.0.0/16;
+ set_real_ip_from 172.20.0.0/14;
+ set_real_ip_from 172.24.0.0/14;
+ set_real_ip_from 172.28.0.0/14;
+ set_real_ip_from 192.168.0.0/16;
+ set_real_ip_from 10.0.0.0/8;
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+ # Remove the Connection header if the client sends it,
 # it could be "close" to close a keepalive connection
 proxy_set_header Connection '';
 proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Request-Id $request_id;
 proxy_read_timeout 30s;
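Review bot: The `set_real_ip_from` list trusts every Docker default pool plus all of `10.0.0.0/8` and `192.168.0.0/16`, so any peer whose connection arrives from one of those ranges decides what `$remote_addr` becomes through its `X-Forwarded-For` header. Where nginx is reached directly from a private LAN, or where Docker's port publishing presents external clients with a bridge gateway address (this depends on the host setup), the address written to the access log and forwarded upstream by the new `proxy_set_header X-Forwarded-For $remote_addr;` would be client-supplied. That weakens anything keyed on client IP, such as rate limits, allowlists and audit trails. I would narrow the list to the address of the actual front proxy, or at least state the assumption above the block, e.g. `# Trusted proxies only: peers in these ranges may set the client IP via X-Forwarded-For; narrow to your load balancer's address`. The enclosing `http {` block starts and ends outside the hunk, so I cannot see whether a `server` or `location` level overrides these settings.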