2 years ago
Hi, I have a docker image containing an angular SPA and nginx. NGINX is configured to pass the remote addr from cloudflare, so that I can see the real ip in the nginx logs. My problem is that docker overwrites the remote addr, so that in NGINX I'm seeing the docker network's gateway IP and not the real remote addr. Normally network=host solves the issue when running a docker container. Is there a way to pass that docker run parameter to a railway app?
Thanks.
2 years ago
you would need to have nginx trust the applicable header that cloudflare sets
I've already done that. It didn't help, because I'm deploying a docker image and docker changes it.
2 years ago
I'm sorry but docker is not overriding the CF-Connecting-IP header that cloudflare is setting, you have the wrong idea there
no docker overwrites the $remote_addr after I've set it with the value from CF-Connecting-IP with nginx. I can reproduce this behaviour locally.
2 years ago
that would be down to a misconfiguration. instead, I highly recommend caddy.
with caddy you can very easily set the header to that of what cloudflare sets
and then set the trusted ips to accept the header from
2 years ago
I have a few example Caddyfiles and straightforward methods to serve your app with caddy, so let me know if you're interested in that!
I don't have a problem with the configuration, because I'm seeing the value from cloudflare. My problem is that I'm not able to setup a network for my docker image on railway, the way I can set it up locally, by passing --net=host when I run the container.
2 years ago
in NGINX I'm seeing the docker network's gateway IP and not the real remote addr
I don't have a problem with the configuration, because I'm seeing the value from cloudflare
im confused, can you or can you not see the correct ip in your logs?
2 years ago
then why was this said?
I'm seeing the value from cloudflare
you are giving very conflicting information
that is my problem. and the solution that I've figured out locally was to setup my docker differently. hence the question - is it possible to do that on railway as well
2 years ago
of course not, but with the correct configuration there would be no need to
ok, and what would be the correct configuration for my case - nginx + angular2 in a docker image?
I've already set up remote ip mod for nginx and it's working on my local machine
2 years ago
what ip are you seeing then?
2 years ago
yeah thats definitely a misconfiguration, id be happy to help you get this setup with caddy!
2 years ago
i dont think either of us are too familiar with nginx, i only have examples for caddy, so ill try to get a proof of concept working with caddy
ok, thanks. I don't think I would be using caddy now. I'll try and figure out a way with nginx.
2 years ago
caddy is pretty simple, may i ask why you want to use nginx instead? its config is obviously giving you a bit of trouble
because I don't want to switch to yet another new technology and also I'm not convinced that this is a web server/reverse proxy configuration issue, since I'm getting a result by running docker differently.
2 years ago
i assure you this isnt down to railway doing anything incorrectly
I'm not suggesting that. I just need to understand how railway handles docker networks.
2 years ago
im not seeing how docker comes into play here as long as your configurations are correct, your app sits behind a proxy on railway, and then another proxy from cloudflare, you simply need to trust the local ips and cloudflares ips, then pull the client ip from the header that cloudflare sets
2 years ago
cloudflare -> railway proxy -> nginx (your app)
yes railway proxy also somewhere in between, but I'm sure railway is passing headers correctly. I'm seeing that.
2 years ago
why not just straight log the header?
2 years ago
please remove this notion of the docker network causing you issues, i get that you can change it locally and have it work, but with the correct configurations you do not need to change the network.
again, i am still offering you a drop in pre-made solution with caddy.
2 years ago
with caddy, logging the client ip thats set by cloudflare is as simple as a 1 line config
exactly the same thing I'm doing in nginx
set_real_ip_from
…
trusted ips
…
real_ip_header cf-connecting-ip;
real_ip_recursive on;
2 years ago
what ips are you trusting?
the ones from
https://www.cloudflare.com/ips-v4
and
https://www.cloudflare.com/ips-v6
now that you're mentioning it, perhaps I need to trust the railway proxy ips too
2 years ago
I thought you were already doing that, my bad
In the end it worked by trusting the railway IPs. However, the ngx_http_realip_module really didn't store the value where the documentation says it would. Instead of in $realip_remote_addr, it was stored in $remote_addr. It also took me some time to figure this out. Very strange.
Thank you for talking to me. It helped clear up the issue.
2 years ago
happy to help where I can!
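
Added example, not part of the thread and not any participant's configuration: an nginx config for the `cloudflare -> railway proxy -> nginx` chain described above that trusts both proxy hops and logs the peer address, the resolved client address and the raw header side by side. Every address range is a documentation placeholder, and the `realip_debug` name, the port and the paths are assumptions.

```nginx
# Added example. The ranges 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are
# documentation placeholders, not real Cloudflare or platform ranges.
http {
    # One log line shows which hop nginx is actually talking to:
    #   $realip_remote_addr     address of the peer that opened the connection
    #   $remote_addr            client address after the realip module has run
    #   $http_cf_connecting_ip  the header exactly as it arrived
    log_format realip_debug 'peer=$realip_remote_addr client=$remote_addr '
                            'cf_header="$http_cf_connecting_ip" '
                            '"$request" $status';

    server {
        listen 80;
        access_log /dev/stdout realip_debug;

        # The header is honoured only when the connecting peer matches one of
        # these entries. With Cloudflare ranges alone, the connection arrives
        # from the platform proxy, nothing matches, and client= stays equal
        # to peer= even though cf_header= carries the right value.
        set_real_ip_from 198.51.100.0/24;  # placeholder: each range from https://www.cloudflare.com/ips-v4
        set_real_ip_from 2001:db8::/32;    # placeholder: each range from https://www.cloudflare.com/ips-v6
        set_real_ip_from 192.0.2.0/24;     # placeholder: the platform proxy range (the peer= value in the log)

        real_ip_header CF-Connecting-IP;
        # Only affects headers that carry several addresses, such as
        # X-Forwarded-For; harmless with the single-value Cloudflare header.
        real_ip_recursive on;

        # Keep the trusted list as narrow as the real hops: any peer listed
        # above can set the logged client address through the header.

        root /usr/share/nginx/html;
        location / {
            try_files $uri $uri/ /index.html;  # SPA fallback
        }
    }
}
```

If `client=` still equals `peer=` while `cf_header=` holds the expected address, the `peer=` value is the range missing from `set_real_ip_from`.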