Reverse proxy, downstream Real-IP Topic is solved

[DomoticzCH]

hi all,

TLDR: request to implement logging of X-Real-IP

I am running Domoticz behind a NGINX reverse proxy with public IP access to connect from the Internet. Unfortunately, I don't see the X-Real-IP (or X-Forwarded-for header) from the downstream request (public IP) being passed to the upstream server (ie: Domoticz). In my Domoticz logs, I always see the IP address of my NGINX server (a private IP).

I realize that in the Domoticz settings you can set your reverse proxy IP address to require authentication, but this is not the problem here. I would really like to see in my logs from which downstream (Internet) IP address users are connecting from. Apart from an information point of view, this would also allow to setup fail2ban to mitigate brute force attacks.

So would it be possible to log the X-Real-IP header (if present) instead of the IP address? Should I request this on the GitHub page?

Thanks for your help!

[waaren]

So would it be possible to log the X-Real-IP header (if present) instead of the IP address? Should I request this on the GitHub page?

No but I moved this to the suggestions sub forum. If one of the developers is interested and want to spent time on it, she/he can create a Pull Request and after reviewing it could be integrated in a future version.

[DomoticzCH]

Thank you very much!

I think it's a fairly easy modification to the code (just check if X-Real-IP header is present and log that instead of "IP address"), and it would help everyone using a reverse proxy.

[waaren]

I think it's a fairly easy modification to the code (just check if X-Real-IP header is present and log that instead of "IP address")

Please feel free to create a PR for it.

[DomoticzCH]

Duh, I must have overlooked something... When I put my proxy's IP address in the corresponding field, I now get the real IP addresses in the log! So everything is already perfect

[waaren]

Duh, I must have overlooked something... When I put my proxy's IP address in the corresponding field, I now get the real IP addresses in the log! So everything is already perfect

Can you please review this wiki page and advise if something needs more clarification?

[DomoticzCH]

No, that page is perfect, and if I would have read it until the end, I would have made less of a fool of myself
Especially the end which starts with "Please Note" !

[hestia]

Hi,
I did it like this with Synology

reverseProxy.png (16.23 KiB) Viewed 1148 times

I think there is a typo in the wiki
X-Forwarded_Proto => X-Forwarded-Proto

[waltervl]

I think there is a typo in the wiki
X-Forwarded_Proto => X-Forwarded-Proto

Fixed, thanks for reporting.

[hestia]

thanks