diff --git a/README.md b/README.md index c27d224..ef98a25 100644 --- a/README.md +++ b/README.md @@ -143,6 +143,19 @@ Test the web app curl http://localhost:8080/ ``` ## Expose the app on Internet behind the reverse proxy (Traefik) +Create a 'labels' file for Traefik +```bash +sudo tee labels </dev ExecStart=/usr/bin/env docker run \ --rm \ --name=virt-nexus-timer \ - --cap-drop=ALL \ - --read-only \ - --user=997:1002 \ - --log-driver=none \ - --network=traefik \ - --label 'traefik.enable=true' \ - --label 'traefik.docker.network=traefik' \ - --label 'traefik.http.routers.virt-nexus-timer.rule=Host("nexus-timer.virtonline.eu")' \ - --label 'traefik.http.routers.virt-nexus-timer.service=virt-nexus-timer' \ - --label 'traefik.http.routers.virt-nexus-timer.tls=true' \ - --label 'traefik.http.routers.virt-nexus-timer.tls.certResolver=default' \ - --label 'traefik.http.routers.virt-nexus-timer.entrypoints=web-secure' \ - --label 'traefik.http.services.virt-nexus-timer.loadbalancer.server.port=80' \ + --network=traefik-net \ + --label-file /opt/nexus-timer/labels \ virt-nexus-timer ExecStop=-/usr/bin/env sh -c '/usr/bin/env docker kill virt-nexus-timer 2>/dev/null || true' diff --git a/nginx.conf b/nginx.conf index eb2149a..c98353d 100644 --- a/nginx.conf +++ b/nginx.conf 
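Review bot: The `docker run` lines under `ExecStart=` lose `--cap-drop=ALL`, `--read-only` and `--user=997:1002` on the new side, although the visible purpose of the change is only to move the Traefik labels into `--label-file /opt/nexus-timer/labels` and rename the network. Unless the container can no longer start with them, keep the three flags ahead of `--network=traefik-net \`, i.e. `--cap-drop=ALL \`, `--read-only \`, `--user=997:1002 \`. If one of them really had to go (for instance a writable log path), say which and why in the README rather than dropping all three. Part of this hunk's text is missing on the page, so the start of the unit and the `tee` commands cannot be checked; the labels file is created with `sudo tee labels` but read from `/opt/nexus-timer/labels`, so it is worth confirming that both refer to the same path.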
@@ -1,12 +1,47 @@ +# Existing log format often uses $remote_addr by default +# log_format main '$remote_addr - $remote_user [$time_local] "$request" ' +# '$status $body_bytes_sent "$http_referer" ' +# '"$http_user_agent" "$http_x_forwarded_for"'; + +# Add these lines within the http {} block, OR server {} block +# (http block is generally preferred for these directives) +# Make sure they are *before* the access_log directive if possible. + +# --- Real IP Configuration --- +# Replace with the ACTUAL IP range(s) of your Traefik Docker network(s) +set_real_ip_from 172.22.0.0/16; # Example: Trust IPs from this subnet +# You can add multiple set_real_ip_from lines if needed +# set_real_ip_from 192.168.1.0/24; # Example if Traefik was also on another network + +# Which header contains the real client IP? +# X-Forwarded-For handles multiple proxies better. X-Real-IP is simpler if only Traefik. +real_ip_header X-Forwarded-For; + +# If using X-Forwarded-For, tell Nginx how to process it. +# 'on' means find the *last* IP address that is NOT from a trusted proxy. +# This is usually correct when behind one or more trusted proxies. +real_ip_recursive on; +# --- End Real IP Configuration --- + + server { listen 80; listen [::]:80; server_name localhost; + # Use the 'realip' processed $remote_addr in logs + # Ensure your access_log format uses $remote_addr (like 'combined' or 'main') + access_log /var/log/nginx/access.log combined; # Or your preferred format using $remote_addr + root /usr/share/nginx/html; index index.html; location / { try_files $uri $uri/ /index.html; } -} \ No newline at end of file +} + +# It's common practice to put realip config in the http block +# If your default.conf is included inside an existing http block in nginx.conf, +# placing the realip directives *outside* the server block but *inside* http is standard. +# If this file IS your entire http block, place them just before the server block. \ No newline at end of file
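Review bot: `set_real_ip_from 172.22.0.0/16;` is committed with the example subnet, and it trusts every address in that /16 to supply `X-Forwarded-For`. Any other container attached to the same Docker network can therefore choose the client address that ends up in `$remote_addr`, which affects the access log and any later `allow`/`deny` rule. Set it to the actual subnet of the `traefik-net` network (shown by `docker network inspect traefik-net`), or to Traefik's own address if that is fixed. Replace the "Example" comment with one that states the requirement, e.g. `# must match the traefik-net subnet; every peer in this range can set the logged client IP`. The comment block after the closing `}` repeats the placement advice already given at the top of the file and could be dropped.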