Caddy proxied traffic in vm appears to come from host's IP instead of original request's IP


(chateau) #1

Hello, I hope I’m not asking something that’s already answered somewhere, but I didn’t manage to figure it out with the info I found.

I am using caddy to proxy traffic to a virtual machine. In the vm, nginx handles the requests. The problem I have is that the vm identifies the requests as coming from the host’s IP, but I need the vm to get the original request’s IP.
I use the following config:

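    # Reusable snippet: compress responses and proxy everything to the VM
    (toVM) {
        gzip
        proxy / https://myvm {
            # transparent passes Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto upstream
            transparent
            # skips TLS certificate verification of the upstream
            insecure_skip_verify
        }
    }
    mysub.domain.tld {
        import toVM
    }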

From my understanding, the transparent preset should achieve my goal since it sets header_upstream X-Real-IP {remote}, but somehow, when I check nginx logs in the vm, any request made appears to be coming from the host’s IP.

Did I misunderstand/misconfigure something?


(Gorian) #2

Have you looked at https://caddyserver.com/docs/http.realip? It sounds like it does exactly what you are wanting.


(chateau) #3

Hey @Gorian, thanks a lot for your answer. I’ve been reading and rereading the http.realip description, and my understanding of it is that it would restore the IP from a header if caddy was behind a proxy. Did I understand right? Because my case is the opposite: caddy is the proxy, and nginx in the vm is getting the wrong IP address.

It looks something like this:

        user (IP: 11.222.333.444)
          |
          | (request's IP is: 11.222.333.444)
          v
        host (IP: 192.168.xxx.xxx)
          |
          | (request's IP is now: 192.168.xxx.xxx)
          v
   virtual machine => nginx gets host's IP: 192.168.xxx.xxx

and I would like something like this:

        user (IP: 11.222.333.444)
          |
          | (request's IP is: 11.222.333.444)
          v
        host (IP: 192.168.xxx.xxx)
          |
          | (request's IP is still appearing to be: 11.222.333.444)
          v
   virtual machine => nginx gets user's IP: 11.222.333.444

I don’t know if that’s possible.
From your answer, I imagine that I could configure the VM’s nginx to restore the IP address from the request headers (the ones transmitted by caddy with the transparent preset).
But since the original problem I have is that fail2ban is identifying all requests as coming from the host’s IP, I doubt modifying nginx config would help, since from my understanding fail2ban is before nginx.
So I’m looking for a solution to configure the host so it proxies requests to the vm and makes them appear as if they were coming from the user’s IP.


(chateau) #4

Not knowing if it’s possible to configure the host to redirect the IP like I described, and even less knowing how, I finally decided to configure nginx in the vm with the ngx_http_realip_module plugin so it restores the original request’s IP from the header. It was fairly simple to do.
Thanks @Gorian for putting me on the right track :)
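
The nginx side of the fix described in post #4, as an added example that is not part of the original thread: ngx_http_realip_module restores the client address from the X-Real-IP header that Caddy's transparent preset sends, trusting it only from the proxy. The address 192.0.2.10 is a placeholder for the Caddy host's IP as seen from the VM, and the log path and format name are assumptions.

```nginx
# Added example (constructed). Goes inside the http {} block of the VM's nginx.
# 192.0.2.10 is a placeholder: use the Caddy host's address as seen from the VM.

# Weak setting, shown for contrast: trusts X-Real-IP from any peer, so any
# client that can reach nginx directly picks the address that gets logged.
# set_real_ip_from 0.0.0.0/0;

# Corrected setting: honour the header only when the TCP peer is the Caddy host.
set_real_ip_from 192.0.2.10;
real_ip_header   X-Real-IP;

# Same fields as the default "combined" format, with the real TCP peer appended
# so the proxy hop stays visible when reviewing logs.
# $realip_remote_addr needs nginx 1.9.7 or later.
log_format proxied '$remote_addr - $remote_user [$time_local] '
                   '"$request" $status $body_bytes_sent '
                   '"$http_referer" "$http_user_agent" '
                   'peer=$realip_remote_addr';
access_log /var/log/nginx/access.log proxied;
```

With this in place, $remote_addr in the access log is the user's address, which is what a log-based tool such as fail2ban parses. A firewall ban applied inside the VM still sees the host as the packet source, so the actual blocking has to happen on the host or in nginx itself.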