Incorrect request IP address received by proxy

[chaptergy]

It might happen that you create an access list, but it's always forbidden. Or you look at the access logs and all requests are from the same IP address. This is because docker proxies all requests sent to the container, and replaces the IP address with it's own. There are multiple ways to fix this.

Note: If you Nginx Proxy Manager instance is outside your local network, you will never be able to get the local IP of the device, only the public IP address.

Option 1: Disable the docker userland proxy

The userland proxy is doing exactly what's described above. Furthermore disabling this proxy will probably increase the throughput of your proxy. Disabling it by default is actually considered by the docker team.

Note: This option is not available in a Docker rootless installation, on Docker for Mac and Docker for Windows

On the host running the docker containers create a new file (or edit it if it exists) /etc/docker/daemon.json. Then add the following json data:

{
    "userland-proxy": false
}

Restart the docker daemon by running

sudo systemctl restart docker

Option 2: Set the specific ports to host mode

Changing the ports where the IP address should be preserved to host mode is also an option. Just change this in your docker-compose file

ports:
  - '80:80'
  - '443:443'

to

ports:
      - target: 443
        published: 443 # Outside port
        mode: host
        protocol: tcp
      - target: 80
        published: 80 # Outside port
        mode: host
        protocol: tcp

Option 3: Set the entire container to host mode

You can also set your entire container to network mode host. But this way you will no longer be able to map and expose ports, but port 80, 81 and 443 will always be used. As you can't un-expose the admin panel, this method is not suggested.

services:
  app:
    ...
    network_mode: host  # This is relevant
    ....

[begunfx]

Restart docker on Synology use the following command:

sudo systemctl restart pkg-ContainerManager-dockerd

[begunfx]

If you are installing this on a Synology server, and the above suggestions don't work, then the solution may be as follows:

Synology workaround fix for this!

I found a solution for this if you are trying to run NPM (Docker) on a Synology. It seems that there are some pre-routing rules that need to be added to the Synology host for the IP addresses to report the client and not Docker.

I found this post with the solution:

https://www.pedrolamas.com/2020/11/04/exposing-the-client-ips-to-docker-containers-on-synology-nas/

The short of it is you need to apply the following iptable rules on Synology (cli):
sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER

Only catch is that these changes will not sustain post reboot.

In order for that to happen you need to create a boot-up task in the task scheduler and add the script he created so that the rule changes are applied every startup.

I tested the rule changes and it seems I can now properly use the Access List and restrict access to local (LAN) only.
script and instructions here:

https://gist.github.com/pedrolamas/db809a2b9112166da4a2dbf8e3a72ae9

[alcayaga]

If you are running Rootless mode you need to change the network driver to slirp4netns or pasta https://docs.docker.com/engine/security/rootless/#docker-run--p-does-not-propagate-source-ip-addresses

Also you need you need to set the kernel variable net.ipv4.ip_unprivileged_port_start for privileged ports (80 and 443). Using cap_net_bind_service on the process executable doesn't work for those drivers.