From cbf763305b4d231a3c4475fd970acbbb9282da7f Mon Sep 17 00:00:00 2001
From: Ric Harvey
Date: Fri, 10 Feb 2017 10:05:52 +0000
Subject: [PATCH] Adds support for Real_ip in logs closes #106
---
 README.md | 11 +++++++++++
 conf/nginx-site-ssl.conf | 5 ++++-
 conf/nginx-site.conf | 5 ++++-
 scripts/start.sh | 19 +++++++++++++++++++
 4 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 5f4fb52..65c96bc 100644
--- a/README.md
+++ b/README.md
@@ -106,6 +106,17 @@ sudo docker run -d -e 'GIT_NAME=full_name' -e 'GIT_USERNAME=git_username' -e 'GI
 ### Custom Nginx Config files
 Sometimes you need a custom config file for nginx to achieve this read the [Nginx config guide](https://github.com/ngineered/nginx-php-fpm/blob/master/docs/nginx_configs.md)
+## REAL IP / X-Forwarded-For Headers
+If you operate your container behind a load balancer, an ELB on AWS for example, you need to configure nginx to get the real IP and not the load balancer IP in the logs by using the X-Forwarded-For. We've provided some handy flags to let you do this. You need to set both of these to get this to work:
+```
+-e "REAL_IP_HEADER=1"
+-e "REAL_IP_FROM=Your_CIDR"
+```
+For example:
+```
+docker run -d -e "REAL_IP_HEADER=1" -e "REAL_IP_FROM=10.1.0.0/16" richarvey/nginx-php-fpm:latest
+```
+
 ### Scripting and Templating
 Please see the [Scripting and templating guide](https://github.com/ngineered/nginx-php-fpm/blob/master/docs/scripting_templating.md) for more details.
diff --git a/conf/nginx-site-ssl.conf b/conf/nginx-site-ssl.conf
index 58fb391..c468409 100644
--- a/conf/nginx-site-ssl.conf
+++ b/conf/nginx-site-ssl.conf
@@ -19,10 +19,13 @@ server { sendfile off; # Add stdout logging - error_log /dev/stdout info; access_log /dev/stdout; + # Add option for x-forward-for (real ip when behind elb) + #real_ip_header X-Forwarded-For; + #set_real_ip_from 172.16.0.0/12; + location / { # First attempt to serve request as file, then # as directory, then fall back to index.html
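Review bot: The placeholder `#set_real_ip_from 172.16.0.0/12;` becomes the live trusted range whenever start.sh uncomments it without a REAL_IP_FROM override, and the comment above it does not say so; the same lines are added in the conf/nginx-site.conf hunk. Every peer inside the set_real_ip_from range can choose the address nginx records, and that any `$remote_addr`-based rule sees, by sending its own X-Forwarded-For header. I would extend the comment to something like `# set_real_ip_from must list only the load balancer's addresses; peers in this range can set the client IP via X-Forwarded-For`. The server block starts and ends outside the hunk.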
diff --git a/conf/nginx-site.conf b/conf/nginx-site.conf
index 8b8ad77..d6fd777 100644
--- a/conf/nginx-site.conf
+++ b/conf/nginx-site.conf
@@ -12,10 +12,13 @@ server { sendfile off; # Add stdout logging - error_log /dev/stdout info; access_log /dev/stdout; + # Add option for x-forward-for (real ip when behind elb) + #real_ip_header X-Forwarded-For; + #set_real_ip_from 172.16.0.0/12; + location / { # First attempt to serve request as file, then # as directory, then fall back to index.html
diff --git a/scripts/start.sh b/scripts/start.sh
index ff1e521..d3341f6 100644
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -85,6 +85,25 @@ else
 sed -i "s/expose_php = On/expose_php = Off/g" /usr/local/etc/php-fpm.conf
 fi
+# Pass real-ip to logs when behind ELB, etc
+if [[ "$REAL_IP_HEADER" == "1" ]] ; then
+ sed -i "s/#real_ip_header X-Forwarded-For;/real_ip_header X-Forwarded-For;/" /etc/nginx/sites-available/default.conf
+ sed -i "s/#set_real_ip_from/set_real_ip_from/" /etc/nginx/sites-available/default.conf
+ if [ ! -z "$REAL_IP_FROM" ]; then
+ sed -i "s#172.16.0.0/12#$REAL_IP_FROM#" /etc/nginx/sites-available/default.conf
+ fi
+fi
+# Do the same for SSL sites
+if [ -f /etc/nginx/sites-available/default-ssl.conf ]; then
+ if [[ "$REAL_IP_HEADER" == "1" ]] ; then
+ sed -i "s/#real_ip_header X-Forwarded-For;/real_ip_header X-Forwarded-For;/" /etc/nginx/sites-available/default-ssl.conf
+ sed -i "s/#set_real_ip_from/set_real_ip_from/" /etc/nginx/sites-available/default-ssl.conf
+ if [ ! -z "$REAL_IP_FROM" ]; then
+ sed -i "s#172.16.0.0/12#$REAL_IP_FROM#" /etc/nginx/sites-available/default-ssl.conf
+ fi
+ fi
+fi
+
 # Increase the memory_limit
 if [ ! -z "$PHP_MEM_LIMIT" ]; then
 sed -i "s/memory_limit = 128M/memory_limit = ${PHP_MEM_LIMIT}M/g" /usr/local/etc/php/conf.d/docker-vars.ini
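Review bot: `$REAL_IP_FROM` goes into the `sed` replacement unchecked in both the default.conf and default-ssl.conf blocks, and when it is empty the placeholder `172.16.0.0/12` is switched on as the trusted range although the README says both variables are required. A value containing `#`, `&` or `;` either breaks the substitution or writes extra text into the nginx config, and the fallback range appears to cover Docker's default bridge networks, so a peer there could set the logged client address through X-Forwarded-For. I would accept only an address or CIDR, leave the directives commented out otherwise, and fold the two copies into one loop. The pattern below is IPv4-only and would need extending if IPv6 load balancers are expected.

```shell
# Pass real-ip to logs when behind ELB, etc
if [[ "$REAL_IP_HEADER" == "1" ]]; then
    # Only an IPv4 address or CIDR is accepted; anything else would be written verbatim into the nginx config
    cidr_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
    if [[ "$REAL_IP_FROM" =~ $cidr_re ]]; then
        for conf in /etc/nginx/sites-available/default.conf /etc/nginx/sites-available/default-ssl.conf; do
            [ -f "$conf" ] || continue
            sed -i \
                -e "s/#real_ip_header X-Forwarded-For;/real_ip_header X-Forwarded-For;/" \
                -e "s|#set_real_ip_from 172.16.0.0/12;|set_real_ip_from $REAL_IP_FROM;|" \
                "$conf"
        done
    else
        # Leave the directives commented out rather than trusting the placeholder range
        echo "REAL_IP_HEADER=1 ignored: REAL_IP_FROM must be an IPv4 address or CIDR" >&2
    fi
fi
```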