Docker inside LXD container. Nginx problem

I’ve set up an nginx container (linuxserver SWAG) in docker, inside an LXD openSUSE Tumbleweed container. It is working OK, I can access my services from outside.

My problem is that I’m not able to identify the origin of any request, because nginx always “sees” the same IP: 172.18.0.1 (the docker default bridged network).

If I run docker outside the LXD container, on the host, nginx “sees” the real IP that originates the request.

After launching the container, I’ve done this:

lxc config set t1 security.nesting=true security.syscalls.intercept.mknod=true security.syscalls.intercept.setxattr=true

lxc network attach lxdbr0 t1 eth0
lxc config device set t1 eth0 ipv4.address 192.168.5.101
lxc restart t1

lxc config device add t1 p443 proxy listen=tcp:0.0.0.0:443 connect=tcp:127.0.0.1:443

The YAML for the nginx docker container has cap_add: - NET_ADMIN. Just to let you know.

Then I installed docker and created the container for nginx and configured it. As said, it works, but it doesn’t log/“see” the right origin IPs.

What am I missing? Do you need some more information to help me?

Hey, a quick look in the docs made me delete all the nginx real_ip stuff I had already written; have a look here:

The proxy device also supports a nat mode where packets are forwarded using NAT rather than being proxied through a separate connection. This has benefit that the client address is maintained without the need for the target destination to support the PROXY protocol (which is the only way to pass the client address through when using the proxy device in non-NAT mode).

So I guess:

lxc config device add t1 p443 proxy listen=tcp:0.0.0.0:443 connect=tcp:127.0.0.1:443 nat=true

The good thing is you have this going already:

(requires instance NIC has static IP address)


Thank you very much. The nat=true parameter fixed this issue.

I have to specify the IP in the NIC, and the IP in the instance (that was fixed before), so the command is:

lxc config device add t1 p443 proxy listen=tcp:192.168.66.60:443 connect=tcp:192.168.5.101:443 nat=true

and all is working!

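As an added example (not code from the thread, from LXD or from the posters), a small Python audit that applies the two conditions the thread arrives at: a proxy device without nat=true makes the target log the proxy's own address instead of the client's, and a nat=true device needs a specific host listen IP and the instance NIC's static IP as connect address rather than 0.0.0.0 and 127.0.0.1. The two-level layout of `lxc config device show <instance>` is assumed and the sample output is constructed from the commands in the thread.

```python
# Added example (not from the thread or LXD): audit 'lxc config device show'
# output for proxy devices that lose the client address. Sample is constructed.
SAMPLE_DEVICES = """\
eth0:
  ipv4.address: 192.168.5.101
  type: nic
p443:
  connect: tcp:127.0.0.1:443
  listen: tcp:0.0.0.0:443
  type: proxy
p443nat:
  connect: tcp:192.168.5.101:443
  listen: tcp:192.168.66.60:443
  nat: "true"
  type: proxy
"""

def parse_devices(text):
    """Parse the two-level 'name:' / '  key: value' layout into nested dicts."""
    devices, current = {}, None
    for raw in text.strip().splitlines():
        if not raw.startswith(" "):           # device name line
            current = raw.strip().rstrip(":")
            devices[current] = {}
        else:                                 # indented key: value line
            key, _, value = raw.strip().partition(":")
            devices[current][key.strip()] = value.strip().strip('"')
    return devices

def host_of(endpoint):
    """Address part of 'tcp:ADDR:PORT' (IPv4, as used in the thread)."""
    return endpoint.split(":")[1]

def audit_proxy_devices(devices):
    """Map proxy device name -> findings about the client address being lost."""
    findings = {}
    for name, cfg in devices.items():
        if cfg.get("type") != "proxy":
            continue
        issues = []
        if cfg.get("nat") != "true":
            issues.append("nat not enabled: target logs the proxy's address, not the client's")
        else:
            if host_of(cfg["listen"]) == "0.0.0.0":
                issues.append("nat=true needs a specific host listen IP, not 0.0.0.0")
            if host_of(cfg["connect"]).startswith("127."):
                issues.append("nat=true must connect to the instance NIC's static IP, not loopback")
        if issues:
            findings[name] = issues
    return findings
```

Running the audit on the sample flags only `p443` (the original device), while `p443nat` (the final working command) passes.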