Use real IP in docker/podman container

1. Caddy version (caddy version):

# caddy version
v2.4.3 h1:Y1FaV2N4WO3rBqxSYA8UZsZTQdN+PwcoOcAiZTM8C0I=

2. How I run Caddy:

a. System environment:

Fedora CoreOS, systemd, podman

b. Command:

podman-compose up

c. Service/unit/compose file:

version: "3.7"

services:

  caddy:
    image: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      # […]
    volumes:
      - caddy_data:/data
      - caddy_config:/config
      - ${HOME:?HOME variable missing}/caddy-config/Caddyfile:/etc/caddy/Caddyfile:ro,Z
      # […]
    environment:
      # […]
      - MAIL_ACME=${MAIL_ACME:?MAIL_ACME variable missing}
    labels:
      - io.containers.autoupdate=registry

volumes:
  caddy_data:
    # always persist volume by forcing external creation
    # https://docs.docker.com/compose/compose-file/compose-file-v3/#external
    external: true
  caddy_config:

d. My complete Caddyfile or JSON config:

ip.domainnamehere.tldhere {
	tls {$MAIL_ACME}

	respond "{http.request.remote.host}"
}

3. The problem I’m having:

Now, under ip.domainnamehere.tldhere I expect to get a response with the IP of the client that is accessing the server.

However, I get the IP 10.0.2.100 of podman/Docker…

This is not what I expect. What can I do against that?

I know, I guess this is more of a Docker/podman question…

4. Error messages and/or full log output:

N/A

5. What I already tried:

I tried using {http.request.remote} instead, but again this just returns the port, too.

6. Links to relevant resources:

Okay, well… I can of course choose host networking, but that will expose all ports opened in my container and potentially is not what I want…

network_mode: "host"

Is there any better method with docker/podman?

I couldn’t say with certainty, because I don’t know how podman does its networking. But this issue seems like the relevant problem:

https://github.com/containers/podman/issues/5138

Well… yes it seems that was an issue, however:

Also it should be documented that apps will always see 10.0.2.100 (or CNI IP) as the source address.

So… I don’t know whether that’s any better than 127.0.0.1 :sweat_smile:

Anyway, seems this is indeed related to rootless podman containers, and network_mode: "host" solves the problem, so I’m fine with that and mark it as the answer for now…

Apparently you’re meant to use --network slirp4netns:port_handler=slirp4netns to get the fix.

The reason you were seeing that IP address is because of this change:

https://github.com/containers/podman/pull/9052
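
A check for the symptom discussed in this thread, as an added example that is not part of any post: it reads Caddy JSON access-log lines and reports whether every request appears to come from one internal address such as 10.0.2.100, which would make IP-based allow lists, rate limits and audit logs meaningless. The log lines are constructed, and the `request.remote_addr` field layout is assumed from Caddy 2.4's JSON access log.

```python
import ipaddress
import json
from collections import Counter

# Address the thread reports every client collapsing to under rootless podman.
SLIRP_SOURCE = ipaddress.ip_address("10.0.2.100")

# Constructed sample log lines (assumed Caddy 2.4 JSON shape, trimmed to the field used).
SAMPLE_LOG = """\
{"logger":"http.log.access","request":{"remote_addr":"10.0.2.100:41822","uri":"/"}}
{"logger":"http.log.access","request":{"remote_addr":"10.0.2.100:41830","uri":"/"}}
{"logger":"http.log.access","request":{"remote_addr":"10.0.2.100:52114","uri":"/"}}
{"logger":"tls","msg":"constructed non-access entry without a request field"}
"""

def remote_host(remote_addr):
    """Split 'host:port' or '[v6]:port' and return the host as an ip_address."""
    host, _, _port = remote_addr.rpartition(":")
    return ipaddress.ip_address(host.strip("[]"))

def audit_sources(log_text):
    """Count source IPs and report whether client addresses look masked."""
    counts = Counter()
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
            counts[remote_host(entry["request"]["remote_addr"])] += 1
        except (ValueError, KeyError, TypeError):
            continue  # blank line, non-JSON text, or not an access-log entry
    total = sum(counts.values())
    internal = sum(n for ip, n in counts.items() if ip.is_private or ip.is_loopback)
    return {
        "total": total,
        "distinct": len(counts),
        "slirp_hits": counts[SLIRP_SOURCE],
        # Masked: more than one request, all from a single internal address.
        "masked": total > 1 and len(counts) == 1 and internal == total,
    }

if __name__ == "__main__":
    print(audit_sources(SAMPLE_LOG))
```

A `masked` result on a public-facing site means the proxy is not seeing real client addresses; a site that genuinely has one internal client will also trip it, so treat it as a prompt to check the container's network mode.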
