Navigation

    Kopano
    • Register
    • Login
    • Search
    • Categories
    • Get Official Kopano Support
    • Recent
    Statement regarding the closure of the Kopano community forum and the end of the community edition

    Solving Real-IP issue running Kopano-Web behind reverse proxy in Docker

    Kopano WebApp
    docker real-ip fail2ban reverse proxy
    1
    1
    2735
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • TosoBoso
      TosoBoso last edited by TosoBoso

      All,
      I’d like to share my solution for getting the clients real-Ip exposed in log files when running Kopano in Docker, in my case Kopano4S.

      My proposal includes a feature request to the community respectively Kopano to make failed logins visible in error log other than nginx as Z-Push is doing so.

      Problem Statement:
      Web-Client requests are not traceable as IP address gets masked by Docker when running in default bridge mode to private IPs making fail2ban unusable.
      Even simple Reverse-Proxy directives X-Forwarded-For appear not to work which seems to be linked to Dockers userland-proxy exposing ports.

      Solution(s):
      Considering the sledgehammer solution approach running Docker in host mode should be used with caution here is a smarter solution maintaining containerized NW.

      • Front-End NGINX outside Docker passing Real-IP plus X-Forwarded-For:

      On your Unix server outside Docker aka the Docker host have the following configuration (sample webapp location section as used on Synology for Kopano4S)

      location ^~ /webapp/ {
      proxy_pass https://127.0.0.1:9443;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_intercept_errors on;
      proxy_http_version 1.1;
      }

      • Back-End NGINX inside Docker passing Real-IP to PHP and custom access log:

      In nginx.conf http basic section set custom log and in conf.d/ section ensure Real-IP is always set plus passed to PHP

      http {
....
        # Logging Settings
        # we adjust log format to see the real_ip from clients instead of docker_host_ip
        log_format custom_combined '$http_x_real_ip - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
        access_log /var/log/kopano/nginx-access.log custom_combined;
        error_log /var/log/kopano/nginx-error.log info;
.....
}

      server {
 listen 0.0.0.0:9443 ssl; 
.....
 # ensure http_x_real_ip is set so we use it in access log instead of remote_addr
 if ($http_x_real_ip = '') { set $http_x_real_ip $remote_addr; }
.....
 location ~ \.php$ {
	try_files $uri =404;
	include fastcgi.conf;
	include fastcgi_params;
	# we pass real_ip as remote address to php so we get the client instead of docker host ip
	fastcgi_param REMOTE_ADDR $http_x_real_ip;
	fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
 }

      Hope that helps. -TosoBoso

      1 Reply Last reply Reply Quote 0
      • First post
        Last post