How to get remote IP inside container with Nginx reverse-proxy in front?

Hello there,

I run some webapps as Docker containers in a virtual server environment (a VPS from a hosting provider). Setting up the Docker network and containers is done and it looks like this:

The ufw rules only allow traffic from the VPS network card (from the Internet) to be passed to the Nginx reverse-proxy container.

Before playing with the X-Forwarded-* / X-Real-IP stuff, I had a look into the logs of the reverse proxy and found the real remote IP listed, but sometimes only 172.18.0.1 is listed there, even though both requests were heading towards the same app endpoint.

I see no rule as to why it is sometimes the one and sometimes the other way.

Some more background information, if helpful:

The containers are all set up to use the “bridge” driver, as I need to use the same ports on my apps (:80 and :8080 are often used). I also do not want to expose a direct connection to them to the Internet.

The Docker network (from the schema above) setup is:

[
    {
        "Name": "data_nginx_network",
        "Id": "fecea022afefdd20751c89a.......................20303a60458b96d576ca",
        "Created": "2025-01-19T13:00:07.4224522+01:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv4": true,
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,

The Docker “bridge” network is:

[
    {
        "Name": "bridge",
        "Id": "bdf3d7d006d833ef84284fa9e1.................cc480062aaaee1373d5",
        "Created": "2025-03-02T07:22:27.46522856+01:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv4": true,
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

I’m using Docker version 28.0.1, build 068a01e, and nginx version 1.27.4.

Are your target services making outbound requests themselves?

Some of them, yes. They do contact Internet services themselves. But most are just doing inbound and connecting to other containers (DB, etc.).

Do you have an explanation for why it is sometimes able to get the right IP and sometimes not? I think what is shown in the logs would also be the case if I start using remote-IP forwarding to other containers using the various X- properties?

If I understood correctly, Docker uses NAT inside. So the connections coming from the network interface of the host, but also those coming from Docker containers, are NATed. Maybe the UFW firewall and IPv6 play some role here as well?

Now I see that Docker networking is using the “iptables” of my host; there are plenty of rules in there. Also, ufw has added lots of rules to iptables.
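Two things the thread leaves open are how often the proxy log actually shows the bridge gateway instead of a client address, and how a backend container should treat the X- headers once forwarding is switched on. The script below is an added example, not code from the thread or from Docker/nginx: it parses nginx "combined" access-log lines (the constructed sample lines are not the poster's logs), tags each entry by whether the peer address is one of the gateways from the thread's network inspect output (172.18.0.1, 172.17.0.1), a container on those subnets, or an external client, and shows a backend-side `client_ip()` that believes X-Forwarded-For only when the TCP peer is a trusted proxy. The trusted range 172.18.0.0/16 is an assumption standing in for the reverse-proxy container's real address.

```python
import ipaddress
import re
from typing import Optional

# Gateways and subnets copied from the thread's "docker network inspect" output.
# A peer address equal to a gateway means the host source-NATed the connection
# before it reached the nginx container, so the original client address is gone.
DOCKER_GATEWAYS = {ipaddress.ip_address("172.18.0.1"), ipaddress.ip_address("172.17.0.1")}
DOCKER_SUBNETS = [ipaddress.ip_network("172.18.0.0/16"), ipaddress.ip_network("172.17.0.0/16")]

# Assumption (hypothetical): the backend trusts X-Forwarded-For only from peers in
# this range. In practice narrow it to the proxy container's own address.
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

# Constructed sample lines; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2025:08:15:01 +0100] "GET /app/ HTTP/1.1" 200 512 "-" "curl/8.5.0"
172.18.0.1 - - [02/Mar/2025:08:15:03 +0100] "GET /app/ HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.23 - - [02/Mar/2025:08:15:09 +0100] "POST /app/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
172.18.0.4 - - [02/Mar/2025:08:15:12 +0100] "GET /health HTTP/1.1" 200 2 "-" "python-requests/2.32"
this is not a log line
""".splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_peer(remote_addr: str) -> str:
    """'host-nat' if the peer is a Docker bridge gateway (client address lost to NAT),
    'container' if it is another container on a known bridge subnet, else 'external'."""
    addr = ipaddress.ip_address(remote_addr)
    if addr in DOCKER_GATEWAYS:
        return "host-nat"
    if any(addr in net for net in DOCKER_SUBNETS):
        return "container"
    return "external"


def summarize(lines) -> dict:
    """Count log entries per peer class so the NAT problem can be quantified."""
    counts = {"host-nat": 0, "container": 0, "external": 0, "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts[classify_peer(rec["remote_addr"])] += 1
    return counts


def is_trusted(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Address a backend should log or rate-limit on.

    X-Forwarded-For is only believed when the TCP peer is a trusted proxy. The
    header is walked from the right, skipping trusted proxies; the first address
    that is not a trusted proxy is the client. A header sent by an untrusted peer
    is ignored, so a direct caller cannot choose its own logged address."""
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer) or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer address
        if not is_trusted(ip):
            return str(ip)
    return remote_addr


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(client_ip("172.18.0.2", "203.0.113.5, 172.18.0.3"))
    print(client_ip("198.51.100.9", "10.0.0.1"))
```

Run over a real access log, a non-zero `host-nat` count tells you which share of requests lost their client address before reaching nginx; `client_ip()` belongs in the backend that receives the forwarded headers, and the trusted range should be as narrow as the proxy's actual address.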
