Requests with incorrect source IP from another network

Docker Engine Compose
1

Hi, I have a docker-compose.yml with three services (guacamole, guacd, postgres). Guacamole has a port forwarding from 8085 to 8080.

If a request comes from the same network 192.168.178.0/24 (e.g. nginx reverse proxy), the correct IP address is displayed as the source IP.

If a request comes from the 192.168.2.0/24 network (e.g. a client that is allowed to enter the DMZ directly via a firewall rule; no NAT), Guacamole displays the IP of the Docker gateway as the source IP.

I’m a bit at a loss at the moment. I’m not sure why in one case the correct IP is displayed and in the other case the IP of the Docker Gateway :thinking:

Thanks for any help :pray:

+---------------------+                     SRC-IP: 172.22.0.1
|    192.168.2.20     |-----------------------
|    Random Client    |                      |
+---------------------+                      |
                                             | Port: 8085
                                   +--------------------+
                                   |   192.168.178.20   |
                                   | Server with Docker |
                                   +--------------------+
                                             | Port: 8085
+---------------------+                      |
|    192.168.178.50   |                      |
| nginx reverse proxy |-----------------------
+---------------------+                     SRC-IP: 192.168.178.50

docker-compose.yml

version: '3.8'
services:
  guacdb:
    container_name: guacamoledb
    image: postgres:15-alpine
    restart: unless-stopped
    environment:
      ...
    volumes:
      - './db-data:/var/lib/postgresql/data'
  guacd:
    container_name: guacd
    image: guacamole/guacd:1.5.4
    restart: unless-stopped
    ports:
      - 4822:4822
  guacamole:
    container_name: guacamole
    image: guacamole/guacamole:1.5.4
    restart: unless-stopped
    ports:
      - 8085:8080
    environment:
      ...
    depends_on:
      - guacdb
      - guacd

volumes:
  db-data:

/etc/daemon.json

{
    "debug": true,
    "ipv6": false,
    "userland-proxy": false
}
2

This is a routing issue I guess. In one case the client and the server are in the same network, but not in the other. You could log in to the server and run this command too:

curl localhost:8005

The server would log that you came from the docker network gateway, which is probably 17.22.0.1

Then try it with your server ip.

curl SERVERIP:8005

And you will see your server IP in the logs too.

If you have a reverse proxy, I would send all requests through the reverse proxy. Normally I would run the reverse proxy on the same server and let the proxy connect to the containers through Docker networks. The proxy could also send the atual client ip to the containers instead of just showing the traffic came from the proxy.

1 Like
3

Thank you for your answer and the explanation. The reverse proxy on the same machine makes sense. I have tested this and you are right.

What I also noticed: If I activate the userland proxy in the daemon.json, the correct source IP is also displayed (without reverse proxy on the same machine). So the userland proxy probably does the same thing as the reverse proxy on the same machine. It’s really interesting. Many thanks again. :blush: