IP address detection / Traefik config #29

Closed
opened 2022-01-13 20:44:31 +00:00 by nickdickinson · 7 comments

I have been using the Wordfence plugin for security and to blacklist known malicious IPs. Unfortunately, since moving to Abra, the plugin no longer detects the IP of visitors and instead detects what I assume is the internal Docker network IP. Since then I've been getting a lot of spam and the blacklist obviously does not work.

Here is a screenshot of the various options for IP detection, none of which work. Basically, I imagine it comes down to configuration of the proxy/Traefik to ensure that X-Forwarded-For is correctly set. Has anyone else run into this problem? Any ideas which configuration needs to be adjusted? I googled around but realised I don't yet know enough about Traefik / abra to do this on my own yet, and I wonder if anyone else has also faced this.

![image](/attachments/b734af61-78ce-48e5-ac4e-56257b2007a4)

Owner
https://wordpress.org/support/article/administration-over-ssl/#using-a-reverse-proxy 😱
Owner
https://github.com/docker-library/wordpress/issues/383 😱
Owner

docker run -it --entrypoint="" wordpress:latest cat /etc/apache2/apache2.conf

😱

Owner

Random braindump for this fix is:

  • figure out how to config apache2.conf to pass ips
  • add a compose.forwardip.yml with an additional apache2.conf.tmpl
Owner

When I ran into this (for Mailu? don't remember), it turned out that with Traefik + swarm, you had to use `host` network mode to get the real source IPs for any app.

> This is caused due to the additional "overlay" network; you can bypass this by using "host" networking
>
> — https://community.traefik.io/t/whitelist-swarm-cant-get-real-source-ip/3897/2

> To overcome this, you can use the new way of declaring service ports in docker-compose >=3.2 (LONG SYNTAX).
>
> Then you ensure that traefik is attached to host network and will send the right X-Forwarded-For header (see below `mode: host` for the 80 port):
>
> ```yaml
> version: "3.2"
> services:
>   traefik:
>     ...
>     ports:
>       - "8080:8080"
>       - target: 80
>         published: 80
>         protocol: tcp
>         mode: host
>       - "443:443"
> ```
>
> — https://stackoverflow.com/a/44648488/14269772

It looks like it might alternatively be possible with some `iptables` rules:

> On a Synology NAS I had to add an iptables rule to see the origin IP in containers.
>
> `iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER`
>
> https://gist.github.com/pedrolamas/db809a2b9112166da4a2dbf8e3a72ae9
>
> — https://www.reddit.com/r/Traefik/comments/x48zvv/comment/inv32rt/?utm_source=reddit&utm_medium=web2x&context=3

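Whichever layer ends up fixing this (Traefik published in host mode so it sees the real peer and emits X-Forwarded-For, Apache's mod_remoteip via `apache2.conf` as in the braindump above, or the plugin's own header option), the security-relevant rule is the same: X-Forwarded-For is a client-supplied header, so the app may only believe it when the TCP peer is one of its own proxies, and it must take the rightmost address that is not a trusted proxy rather than the leftmost one. Done any other way, anyone can put a fake address in the header and walk past the blacklist. The block below is an added example, not code from this issue or from the coop-cloud recipe; it shows that resolution rule beside the naive version. The trusted ranges, the peer addresses and the four scenarios (host-mode Traefik, plain overlay ingress with no header, a direct forgery, and a forgery passing through Traefik) are all constructed for the example.

```python
"""Resolve the real client IP behind one or more reverse proxies.

Added example (not from the issue or the recipe). Addresses and trusted
ranges are made up; in a real deployment the trusted list should contain
only the addresses Traefik actually connects from.
"""
import ipaddress
from typing import Optional

# Assumed trusted-proxy ranges: the docker overlay/bridge networks Traefik
# lives on. Deliberately NOT 0.0.0.0/0, which would trust everyone.
TRUSTED_PROXIES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr belongs to one of the configured proxy networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the client address, trusting X-Forwarded-For only when the
    TCP peer is a known proxy, and only as far back as known proxies go.

    Walk the header right to left: each hop appended its peer, and we
    only believe hops appended by something we trust. The first address
    that is not a trusted proxy is the client; anything further left was
    written by an untrusted party and is ignored.
    """
    if not is_trusted_proxy(remote_addr):
        # Direct connection (or unknown proxy): the header is attacker-
        # controlled, so the peer address is the only thing we know.
        return remote_addr
    if not xff:
        # Proxy reached us but added nothing (e.g. plain overlay ingress):
        # the real client is unrecoverable here; report the peer honestly.
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop):
                return hop
        except ValueError:
            # A proxy we trust forwarded something that isn't an IP;
            # don't guess, fall back to the peer.
            return remote_addr
    return remote_addr  # every hop was one of our own proxies


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The mistake to avoid: take the leftmost header value no matter who
    sent the request. Any client can set this header and become whoever
    they like, which is how a blacklist gets bypassed."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


# Constructed scenarios (not real traffic): (description, peer, header).
SCENARIOS = [
    ("Traefik in host mode, header appended by Traefik",
     "10.0.1.5", "203.0.113.7"),
    ("swarm overlay ingress, nothing adds the header",
     "10.0.0.2", None),
    ("attacker hits the container port directly and forges the header",
     "198.51.100.9", "203.0.113.7"),
    ("attacker sends a forged header, Traefik appends the true peer",
     "10.0.1.5", "192.0.2.1, 203.0.113.7"),
]


def resolve_all() -> list:
    """Run every scenario through both resolvers; used by the demo below."""
    return [(desc, client_ip(peer, xff), naive_client_ip(peer, xff))
            for desc, peer, xff in SCENARIOS]


if __name__ == "__main__":
    for desc, good, bad in resolve_all():
        print(f"{desc}\n  trusted-proxy rule: {good}\n  naive leftmost:     {bad}")
```

The second scenario is the situation in this issue: with the service behind the swarm overlay network and nothing adding X-Forwarded-For, the only address available is the internal one, and no amount of header parsing recovers the client. In the real components the equivalent knobs are mod_remoteip's `RemoteIPHeader` together with `RemoteIPInternalProxy`/`RemoteIPTrustedProxy`, and Traefik's `entryPoints.<name>.forwardedHeaders.trustedIPs`; keep those trusted lists as narrow as the proxy's actual addresses.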
Owner

"host" mode networking seems to have fixed this 😌 staying tuned for news

Owner

Think it's sorted, yep! Well Done 👏

Reference: coop-cloud/wordpress#29