Add configurable real IP header variables for Apache and NGINX #667
Open
ps-20x wants to merge 1 commit into serversideup:main from
Make real client IP header configurable for Apache and NGINX
Problem
The real client IP header is currently hardcoded to CF-Connecting-IP in both the Apache and NGINX configurations. This works well for deployments sitting directly behind Cloudflare, but users behind other reverse proxies (Traefik, AWS ALB, Kubernetes ingress, generic NGINX, etc.) have to either set DISABLE_DEFAULT_CONFIG, mount override files, or patch the shipped config in a derived image — just to change a single directive.
This is especially inconvenient because the rest of the default configuration is usually still desirable; only the header name needs to change.
Real-world example: I run a WordPress site on Hetzner with fpm-apache behind Traefik as a reverse proxy. Traefik forwards the client IP via X-Forwarded-For, but Apache never picks it up because the VHost templates hardcode CF-Connecting-IP. The result: WordPress shows the internal Docker network IP (e.g. 172.18.0.5) in password reset emails and WooCommerce order logs instead of the actual visitor IP. The only workaround was patching the templates in a derived image.
Changes
Apache — new environment variable APACHE_REMOTE_IP_HEADER (default: CF-Connecting-IP)
Replaces the hardcoded header name in:
- conf-available/remoteip.conf
- vhost-templates/http.conf
- vhost-templates/https.conf
- sites-available/ssl-full.conf
Uses Apache's native ${VAR} substitution at daemon startup — no init script changes needed.
NGINX — new environment variable NGINX_REAL_IP_HEADER (default: CF-Connecting-IP)
Converts the NGINX real IP config into a template:
- server-opts.d/remoteip.conf
Processed via the existing process_template/envsubst mechanism during container init.
Documentation — both variables are added to the environment variable specification reference page.
Backward Compatibility
Both variables default to CF-Connecting-IP. Existing deployments are completely unaffected — behavior only changes when a user explicitly sets a different value.
Usage
Note on Trusted Proxies
This PR only makes the header name configurable. The trusted proxy CIDR list remains unchanged. Users switching away from Cloudflare should review whether the trusted proxy configuration matches their infrastructure.
Scope
This PR is intentionally narrow: configurable header name, preserved defaults, no changes to trusted proxy semantics or existing user behavior.
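Added example (not part of this pull request or the project's code): a simplified Python model of how a server picks the client address from a forwarding header, to show why the trusted proxy CIDR list has to be reviewed together with the header name. It follows the right-to-left trusted-hop walk used by NGINX with real_ip_recursive on and by Apache mod_remoteip; the function name, the CIDR lists and all addresses are constructed for illustration.

```python
import ipaddress

def resolve_client_ip(peer_ip, header_value, trusted_cidrs):
    """Return the address the server would record as the client.

    peer_ip       -- address of the direct TCP peer
    header_value  -- raw value of the configured real IP header, or None
    trusted_cidrs -- networks whose forwarding headers are believed
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    # The header is only honoured when the direct peer is a trusted proxy.
    if not header_value or not is_trusted(peer):
        return str(peer)

    client = peer
    # Rightmost entries were appended by the proxies closest to us,
    # so walk right to left and stop at the first untrusted hop.
    for token in reversed(header_value.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            break  # malformed entry: keep the last address that parsed
        client = hop
        if not is_trusted(hop):
            break
    return str(client)

# Constructed scenario: reverse proxy at 172.18.0.5 on a Docker network,
# real visitor 203.0.113.7, who also sent a forged "10.0.0.1" entry that
# the proxy kept and appended to.
PROXY = "172.18.0.5"
FORWARDED = "10.0.0.1, 203.0.113.7"

MATCHING = ["172.18.0.0/16"]   # covers the proxy only
STALE = ["192.0.2.0/24"]       # stand-in for a list left over from another proxy
TOO_BROAD = ["0.0.0.0/0"]      # trusts every hop, including forged ones

if __name__ == "__main__":
    for name, cidrs in [("matching", MATCHING), ("stale", STALE),
                        ("too broad", TOO_BROAD)]:
        print(f"{name:10} -> {resolve_client_ip(PROXY, FORWARDED, cidrs)}")
```

With a list that matches the proxy the visitor's address is recorded; with a stale list the header is ignored and the internal proxy address is logged; with an over-broad list the forged leftmost entry is accepted.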