Skip to content

Webserver logs show public IP instead of client remote IP (nginx, traefik, X-Forwarded-For) #7640

New issue
New issue
Closed
Bug
Closed
Webserver logs show public IP instead of client remote IP (nginx, traefik, X-Forwarded-For)#7640
Bug
Labels
forgeThe package belongs to NethForgeverifiedAll test cases were verified successfully
Milestone
NethServer 8.6
@stephdl

Description

@stephdl
stephdl
opened on Sep 19, 2025

Steps to reproduce
Install ns8-webserver and configure a virtualhost to host some ressources

  1. Access the virtualhost running in your webserver with your browser
  2. Check the logs in journald, you will the access you are doing

Expected behavior
The logs should show the actual remote IP address of the HTTP client (e.g., 92.135.43.188), not the public IP address of the server (e.g., xxx.xxx.xxx.xxx).

Actual behavior
Before applying a custom configuration, nginx logs record only the server's public IP as the remote address, not the true HTTP client IP. Example:

Sep 19 15:12:37 ns8-leader nginx[4030]: xxx.xxx.xxx.xxx - - [19/Sep/2025:13:12:37 +0000] "GET /NethServer/dolibarr/7/repodata/ff9015f046235dcf8b4105f2515943cb5b322cf925af501a5fc0d28f26b33754-primary.xml.gz HTTP/1.1" 200 2873 "-" "Mozilla/5.0 ..." "92.135.43.188"

After mounting a custom configuration to /etc/nginx/nginx.conf, the remote IP is correctly logged, as seen below:

Sep 19 15:16:05 ns8-leader traefik[2381]: 92.135.43.188 - - [19/Sep/2025:13:16:05 +0000] "GET /releases/timestamp.txt HTTP/1.1" 200 65 "-" "-" 3373 "webserver1-smeserver.domain.com-http@file" "http://127.0.0.1:20019" 1ms

Components

  • NethServer 8
  • nginx
  • traefik

Custom configuration to mount (/etc/nginx/nginx.conf):

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush on;
    keepalive_timeout  65;

    #gzip  on;

    # Find the real IP coming from traefik, not the real public IP
    real_ip_header X-Forwarded-For;
    set_real_ip_from 0.0.0.0/0;   # réseau Docker bridge de Traefik
    real_ip_recursive on;

    include /etc/nginx/conf.d/*.conf;
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    forgeThe package belongs to NethForgeverifiedAll test cases were verified successfully

    Type

    Bug

    Projects

    NethServer

    Status

    Done

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions