Adds support for Real_ip in logs closes #106

Ric Harvey · Ric Harvey · commit cbf763305b4d · 2017-02-10T10:05:52.000Z
diff --git a/README.md b/README.md
@@ -106,6 +106,17 @@ sudo docker run -d -e 'GIT_NAME=full_name' -e 'GIT_USERNAME=git_username' -e 'GI
 ### Custom Nginx Config files
 Sometimes you need a custom config file for nginx to achieve this read the [Nginx config guide](https://github.com/ngineered/nginx-php-fpm/blob/master/docs/nginx_configs.md) 
 
+## REAL IP / X-Forwarded-For Headers
+If you operate your container behind a load balancer, an ELB on AWS for example, you need to configure nginx to get the real IP and not the load balancer IP in the logs by using the X-Forwarded-For. We've provided some handy flags to let you do this. You need to set both of these to get this to work:
+```
+-e "REAL_IP_HEADER=1"
+-e "REAL_IP_FROM=Your_CIDR"
+```
+For example:
+```
+docker run -d -e "REAL_IP_HEADER=1" -e "REAL_IP_FROM=10.1.0.0/16" richarvey/nginx-php-fpm:latest
+```
+
 ### Scripting and Templating
 Please see the [Scripting and templating guide](https://github.com/ngineered/nginx-php-fpm/blob/master/docs/scripting_templating.md) for more details.
 
diff --git a/conf/nginx-site-ssl.conf b/conf/nginx-site-ssl.conf
@@ -19,10 +19,13 @@ server {
 	sendfile off;
 
 	# Add stdout logging
-
 	error_log /dev/stdout info;
 	access_log /dev/stdout;
 
+        # Add option for x-forward-for (real ip when behind elb)
+        #real_ip_header X-Forwarded-For;
+        #set_real_ip_from 172.16.0.0/12;
+
 	location / {
 		# First attempt to serve request as file, then
 		# as directory, then fall back to index.html
diff --git a/conf/nginx-site.conf b/conf/nginx-site.conf
@@ -12,10 +12,13 @@ server {
 	sendfile off;
 
 	# Add stdout logging
-
 	error_log /dev/stdout info;
 	access_log /dev/stdout;
 
+        # Add option for x-forward-for (real ip when behind elb)
+        #real_ip_header X-Forwarded-For;
+        #set_real_ip_from 172.16.0.0/12;
+
 	location / {
 		# First attempt to serve request as file, then
 		# as directory, then fall back to index.html
diff --git a/scripts/start.sh b/scripts/start.sh
@@ -85,6 +85,25 @@ else
  sed -i "s/expose_php = On/expose_php = Off/g" /usr/local/etc/php-fpm.conf
 fi
 
+# Pass real-ip to logs when behind ELB, etc
+if [[ "$REAL_IP_HEADER" == "1" ]] ; then
+ sed -i "s/#real_ip_header X-Forwarded-For;/real_ip_header X-Forwarded-For;/" /etc/nginx/sites-available/default.conf
+ sed -i "s/#set_real_ip_from/set_real_ip_from/" /etc/nginx/sites-available/default.conf
+ if [ ! -z "$REAL_IP_FROM" ]; then
+  sed -i "s#172.16.0.0/12#$REAL_IP_FROM#" /etc/nginx/sites-available/default.conf
+ fi
+fi
+# Do the same for SSL sites
+if [ -f /etc/nginx/sites-available/default-ssl.conf ]; then
+ if [[ "$REAL_IP_HEADER" == "1" ]] ; then
+  sed -i "s/#real_ip_header X-Forwarded-For;/real_ip_header X-Forwarded-For;/" /etc/nginx/sites-available/default-ssl.conf
+  sed -i "s/#set_real_ip_from/set_real_ip_from/" /etc/nginx/sites-available/default-ssl.conf
+  if [ ! -z "$REAL_IP_FROM" ]; then
+   sed -i "s#172.16.0.0/12#$REAL_IP_FROM#" /etc/nginx/sites-available/default-ssl.conf
+  fi
+ fi
+fi
+
 # Increase the memory_limit
 if [ ! -z "$PHP_MEM_LIMIT" ]; then
  sed -i "s/memory_limit = 128M/memory_limit = ${PHP_MEM_LIMIT}M/g" /usr/local/etc/php/conf.d/docker-vars.ini
