Logfiles of nginx behind nginx proxy

Hi

I have a nginx reverse proxy forwarding request to the backend service which is running in a container. The service is Nextcloud.

I’ve set up Crowdsec agent with collections Nextcloud and nginx.

But as far as I see, the nginx parsing is not working due to the container’s proxy (and probably would also not work with the original proxy).

This is what I see:

a) The log entry on the reverse proxy itself (before proxying to the backend service):

46.126.202.xxx - - [08/Mar/2022:17:21:18 +0100] "GET /index.php/204 HTTP/2.0" 204 0 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.19.0"

b) The same request as arrived on the backend system where the Crowdsec agent is running:

10.0.2.100 - - [08/Mar/2022:16:21:18 +0000] "GET /index.php/204 HTTP/1.1" 204 0 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.19.0" "46.126.202.xxx"

10.0.2.100 is the podman network, I assume docker is doing this similar. The original requester’s ip is now at the end of the log entry.

What is the best way to get the detection of the ip fixed for the nginx scenarios?

That’s a good question. I’m using Docker myself and have never heard of anyone having that problem there. So I can only assume that this is a podman specific issue that I unfortunately can’t help you with. I am sure someone has found a solution to this as it does appear to be a very generic thing.

I solved it for me by using mod_realip in nginx. But this is a general parsing issue, I know of parsers for fail2ban testing for the later ip in fovor of the first one and use it for processing if available,

1 Like