From a52dfde5172443f2d26c09bf92d5303d174b31be Mon Sep 17 00:00:00 2001 From: Paul Schnetzinger Date: Sun, 29 Mar 2026 15:23:39 +0200 Subject: [PATCH] Add configurable real IP header environment variables for Apache and NGINX --- .../docs/8.reference/1.environment-variable-specification.md | 2 ++ src/s6/etc/entrypoint.d/10-init-webserver-config.sh | 1 + src/variations/fpm-apache/Dockerfile | 1 + .../fpm-apache/etc/apache2/conf-available/remoteip.conf | 2 +- .../fpm-apache/etc/apache2/sites-available/ssl-full.conf | 4 ++-- .../fpm-apache/etc/apache2/vhost-templates/http.conf | 4 ++-- .../fpm-apache/etc/apache2/vhost-templates/https.conf | 4 ++-- src/variations/fpm-nginx/Dockerfile | 1 + .../server-opts.d/{remoteip.conf => remoteip.conf.template} | 2 +- 9 files changed, 13 insertions(+), 8 deletions(-) rename src/variations/fpm-nginx/etc/nginx/server-opts.d/{remoteip.conf => remoteip.conf.template} (95%) diff --git a/docs/content/docs/8.reference/1.environment-variable-specification.md b/docs/content/docs/8.reference/1.environment-variable-specification.md index 0b6d28f4..1958fe8b 100644 --- a/docs/content/docs/8.reference/1.environment-variable-specification.md +++ b/docs/content/docs/8.reference/1.environment-variable-specification.md @@ -16,6 +16,7 @@ Setting environment variables all depends on what method you're using to run you **Variable Name**|**Description**|**Used in variation** :-----:|:-----:|:-----: `APACHE_DOCUMENT_ROOT`
*Default: "/var/www/html/public"*|Sets the directory from which Apache will serve files. (Official docs)|fpm-apache +`APACHE_REMOTE_IP_HEADER`
*Default: "CF-Connecting-IP"*|Sets the HTTP request header used by `mod_remoteip` to identify the real client IP address. Change to `X-Forwarded-For` for non-Cloudflare reverse proxies. (Official docs)|fpm-apache `APACHE_HTTP_PORT`
*Default: "8080"*|Set the port for HTTP. (Official docs)|fpm-apache `APACHE_HTTPS_PORT`
*Default: "8443"*|Set the port for HTTPS. (Official docs)|fpm-apache `APACHE_MAX_CONNECTIONS_PER_CHILD`
*Default: "0"*|Sets the limit on the number of connections that an individual child server process will handle.(Official docs)|fpm-apache @@ -71,6 +72,7 @@ Setting environment variables all depends on what method you're using to run you `NGINX_FASTCGI_BUFFERS`
*Default: "8 8k"*|Sets the number and size of the buffers used for reading a response from a FastCGI server. (Official Docs)|fpm-nginx `NGINX_FASTCGI_BUFFER_SIZE`
*Default: "8k"*|Sets the size of the buffer used for reading a response from a FastCGI server. (Official Docs)|fpm-nginx `NGINX_LISTEN_IP_PROTOCOL`
*Default: "all"*|Set the IP protocol for NGINX to listen on. Valid values are "all", "ipv4", and "ipv6". (Official Docs)|fpm-nginx +`NGINX_REAL_IP_HEADER`
*Default: "CF-Connecting-IP"*|Sets the HTTP request header used by `ngx_http_realip_module` to identify the real client IP address. Change to `X-Forwarded-For` for non-Cloudflare reverse proxies. (Official Docs)|fpm-nginx `NGINX_SERVER_TOKENS`
*Default: "off"*|Display NGINX version in responses. (Official Docs)|fpm-nginx `NGINX_WEBROOT`
*Default: "`/var/www/html/public"*|Sets the root directory for requests. (Official Docs)|fpm-nginx `NGINX_CLIENT_MAX_BODY_SIZE`
*Default: "100M"*|Sets the max body size for requests. (Official Docs)|fpm-nginx
diff --git a/src/s6/etc/entrypoint.d/10-init-webserver-config.sh b/src/s6/etc/entrypoint.d/10-init-webserver-config.sh
index a34608d7..a2eff229 100644
--- a/src/s6/etc/entrypoint.d/10-init-webserver-config.sh
+++ b/src/s6/etc/entrypoint.d/10-init-webserver-config.sh
@@ -137,6 +137,7 @@ if [ "$DISABLE_DEFAULT_CONFIG" = false ]; then
 enable_apache_conf remoteip security serversideup
 enable_apache_site "$SSL_MODE"
 elif [ "$SERVER_TYPE" = "NGINX" ]; then
+ process_template /etc/nginx/server-opts.d/remoteip.conf.template /etc/nginx/server-opts.d/remoteip.conf
 process_template /etc/nginx/nginx.conf.template /etc/nginx/nginx.conf
 process_template /etc/nginx/site-opts.d/http.conf.template /etc/nginx/site-opts.d/http.conf
 process_template /etc/nginx/site-opts.d/https.conf.template /etc/nginx/site-opts.d/https.conf
diff --git a/src/variations/fpm-apache/Dockerfile b/src/variations/fpm-apache/Dockerfile
index 3d4e52f5..47341096 100644
--- a/src/variations/fpm-apache/Dockerfile
+++ b/src/variations/fpm-apache/Dockerfile
@@ -47,6 +47,7 @@ ENV APACHE_DOCUMENT_ROOT=/var/www/html/public \
 APACHE_THREADS_PER_CHILD="25" \
 APACHE_MAX_REQUEST_WORKERS="150" \
 APACHE_MAX_CONNECTIONS_PER_CHILD="0" \
+ APACHE_REMOTE_IP_HEADER="CF-Connecting-IP" \
 APACHE_RUN_USER="www-data" \
 APACHE_RUN_GROUP="www-data" \
 APP_BASE_DIR=/var/www/html \
diff --git a/src/variations/fpm-apache/etc/apache2/conf-available/remoteip.conf b/src/variations/fpm-apache/etc/apache2/conf-available/remoteip.conf
index 59724b0a..e13fb552 100644
--- a/src/variations/fpm-apache/etc/apache2/conf-available/remoteip.conf
+++ b/src/variations/fpm-apache/etc/apache2/conf-available/remoteip.conf
@@ -1,4 +1,4 @@
-RemoteIPHeader CF-Connecting-IP
+RemoteIPHeader ${APACHE_REMOTE_IP_HEADER}
 RemoteIPTrustedProxy 173.245.48.0/20
 RemoteIPTrustedProxy 103.21.244.0/22
 RemoteIPTrustedProxy 103.22.200.0/22
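Review bot: `NGINX_REAL_IP_HEADER` is not validated before the added `process_template` call in 10-init-webserver-config.sh writes it into `/etc/nginx/server-opts.d/remoteip.conf`. `process_template` is defined outside this hunk, so this assumes it substitutes environment variables verbatim: an empty value would render `real_ip_header ;` and stop NGINX at start-up, and a value containing `;` or whitespace would alter the directives that follow. A guard ahead of the call would fail early with a clear message, for example `case "$NGINX_REAL_IP_HEADER" in ''|*[!A-Za-z0-9_-]*) echo "Invalid NGINX_REAL_IP_HEADER" >&2; exit 1 ;; esac` (or the script's usual error path in place of `exit 1`). The enclosing `if` block begins and ends outside the hunk.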
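Review bot: The `RemoteIPTrustedProxy` list under the changed `RemoteIPHeader` line in conf-available/remoteip.conf stays fixed to Cloudflare address ranges while the header name becomes configurable; the `set_real_ip_from` list in the NGINX remoteip.conf.template hunk has the same mismatch. Both servers honour the header only when the connection comes from a listed proxy, so following the documented advice to switch to `X-Forwarded-For` behind another reverse proxy would leave the client address unchanged unless that proxy's range is also listed, and listing a broad range to make it work would let any peer in that range set its own address. A comment above the directive would make the dependency explicit, e.g. `# Honoured only for peers matching the RemoteIPTrustedProxy ranges below; add your proxy's address range when changing the header`. The rest of the trust list lies outside the hunk.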
diff --git a/src/variations/fpm-apache/etc/apache2/sites-available/ssl-full.conf b/src/variations/fpm-apache/etc/apache2/sites-available/ssl-full.conf index 056ddde9..9ef119ab 100644 --- a/src/variations/fpm-apache/etc/apache2/sites-available/ssl-full.conf +++ b/src/variations/fpm-apache/etc/apache2/sites-available/ssl-full.conf @@ -3,8 +3,8 @@ ServerName localhost ServerAdmin webmaster@localhost - # Set CloudFlare Real IP - RemoteIPHeader CF-Connecting-IP + # Set Real IP header + RemoteIPHeader ${APACHE_REMOTE_IP_HEADER} # Turn on rewrite engine RewriteEngine On diff --git a/src/variations/fpm-apache/etc/apache2/vhost-templates/http.conf b/src/variations/fpm-apache/etc/apache2/vhost-templates/http.conf index 5684f34d..b08af151 100644 --- a/src/variations/fpm-apache/etc/apache2/vhost-templates/http.conf +++ b/src/variations/fpm-apache/etc/apache2/vhost-templates/http.conf @@ -2,8 +2,8 @@ ServerName localhost ServerAdmin webmaster@localhost -# Set CloudFlare Real IP -RemoteIPHeader CF-Connecting-IP +# Set Real IP header +RemoteIPHeader ${APACHE_REMOTE_IP_HEADER} # Configure main document root DocumentRoot ${APACHE_DOCUMENT_ROOT} diff --git a/src/variations/fpm-apache/etc/apache2/vhost-templates/https.conf b/src/variations/fpm-apache/etc/apache2/vhost-templates/https.conf index f2831f45..9ffcdede 100644 --- a/src/variations/fpm-apache/etc/apache2/vhost-templates/https.conf +++ b/src/variations/fpm-apache/etc/apache2/vhost-templates/https.conf @@ -7,8 +7,8 @@ Protocols h2 http/1.1 SSLProtocol -all +TLSv1.2 +TLSv1.3 -# Set CloudFlare Real IP -RemoteIPHeader CF-Connecting-IP +# Set Real IP header +RemoteIPHeader ${APACHE_REMOTE_IP_HEADER} # Configure main document root DocumentRoot ${APACHE_DOCUMENT_ROOT} diff --git a/src/variations/fpm-nginx/Dockerfile b/src/variations/fpm-nginx/Dockerfile index 83518d33..676c552e 100644 --- a/src/variations/fpm-nginx/Dockerfile +++ b/src/variations/fpm-nginx/Dockerfile 
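Review bot: The `RemoteIPHeader ${APACHE_REMOTE_IP_HEADER}` line in ssl-full.conf, and the same line in the http.conf and https.conf vhost templates, carries no proxy restriction of its own and depends on the `RemoteIPTrustedProxy` list in conf-available/remoteip.conf being loaded. mod_remoteip accepts the header from any peer when no proxy list is in effect, so if one of these vhosts can be served without that conf enabled (not visible in these hunks), a client could supply its own address through the header. The server-level conf already sets the same header, so the per-vhost copies look redundant; if they stay, the comment could record the dependency: `# Real IP header; trusted only from the proxies listed in conf-available/remoteip.conf`. Each vhost file continues outside its hunk.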
@@ -127,6 +127,7 @@ ENV APP_BASE_DIR=/var/www/html \ NGINX_HTTP_PORT="8080" \ NGINX_HTTPS_PORT="8443" \ NGINX_LISTEN_IP_PROTOCOL="all" \ + NGINX_REAL_IP_HEADER="CF-Connecting-IP" \ NGINX_SERVER_TOKENS=off \ NGINX_WEBROOT=/var/www/html/public \ NGINX_CLIENT_MAX_BODY_SIZE="100M" \ diff --git a/src/variations/fpm-nginx/etc/nginx/server-opts.d/remoteip.conf b/src/variations/fpm-nginx/etc/nginx/server-opts.d/remoteip.conf.template similarity index 95% rename from src/variations/fpm-nginx/etc/nginx/server-opts.d/remoteip.conf rename to src/variations/fpm-nginx/etc/nginx/server-opts.d/remoteip.conf.template index 22c36bf6..37c5af2f 100644 --- a/src/variations/fpm-nginx/etc/nginx/server-opts.d/remoteip.conf +++ b/src/variations/fpm-nginx/etc/nginx/server-opts.d/remoteip.conf.template @@ -32,5 +32,5 @@ set_real_ip_from 2a06:98c0::/29; set_real_ip_from 2c0f:f248::/32; # Set RealIP header -real_ip_header CF-Connecting-IP; +real_ip_header ${NGINX_REAL_IP_HEADER}; real_ip_recursive on; \ No newline at end of file