How to keep peer ip on lxd container

christian_audebert · September 3, 2020, 8:31am

on ubuntu 18, i created lxd (4.0.3) container ubuntu:20.04 and installed apache,php-fpm on it.
apache work well in container.
but facing problem.
all connexion logged to apache are identified by ip 127.0.0.1
i wanted to use fail2ban, but in this case, it will be impossible to use it.

Question: how to config that to keep peer ip passing throug the bridge network ?

for info, actual lxd config

lxd init --dump

config: {}
networks:

config:
ipv4.address: 10.135.237.1/24
ipv4.nat: “true”
ipv6.address: fd42:be7e:ae67:dd87::1/64
ipv6.nat: “true”
description: “”
name: lxdbr0
type: bridge
storage_pools:
config:
size: 15GB
source: /var/snap/lxd/common/lxd/disks/default.img
zfs.pool_name: default
description: “”
name: default
driver: zfs
profiles:
config: {}
description: “”
devices:
eth0:
name: eth0
network: lxdbr0
type: nic
root:
path: /
pool: default
type: disk
name: default

tomp · September 3, 2020, 8:52am

Please show output of lxc config show <instance name> --expanded?

tomp · September 3, 2020, 8:56am

However I am assuming you are using the proxy device and so the issue is likely that you need to enable the PROXY protocol on your proxy device and then configure Apache to use the external IP info that is passed through.

Set proxy_protocol=true on your proxy device see https://linuxcontainers.org/lxd/docs/master/instances#type-proxy
Enable proxy protocol in Apache, see https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html

Alternatively, add a static IP to your instance and use the proxy device’s NAT mode.

christian_audebert · September 3, 2020, 8:57am

# lxc config show store --expanded
architecture: x86_64
config:
  boot.autostart: "true"
  image.architecture: amd64
  image.description: ubuntu 20.04 LTS amd64 (release) (20200804)
  image.label: release
  image.os: ubuntu
  image.release: focal
  image.serial: "20200804"
  image.type: squashfs
  image.version: "20.04"
  volatile.base_image: 97c470e427c425cf2ec4d7d55b6f1397ea55043c518b194a58fc6b9da426f540
  volatile.eth0.host_name: vethac282b3e
  volatile.eth0.hwaddr: 00:16:3e:de:1a:39
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: RUNNING
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
  store80:
    connect: tcp:127.0.0.1:80
    listen: tcp:0.0.0.0:80
    type: proxy
ephemeral: false
profiles:
- default
stateful: false
description: ""

tomp · September 3, 2020, 8:57am

I corrected your post to use backticks to wrap the config for clarity.

christian_audebert · September 3, 2020, 9:00am

confirm, it’s more readable .

christian_audebert · September 3, 2020, 9:11am

seen stupid, but, how to Set proxy_protocol=true on the proxy device ?

tomp · September 3, 2020, 9:13am

lxc config device set <instance> <device name> proxy_protocol=true

christian_audebert · September 3, 2020, 10:03am

WOW, FINE…
for other, how to get peer ip to apache on lxd container with proxy
assume container name is ‘store’ and rule name is ‘store80’
on lxc container , add rule to apache2 port 80,
lxc config device add store store80 proxy listen=tcp:0.0.0.0:80 connect=tcp:127.0.0.1:80 proxy_protocol=true

or add/change value in existing rule

lxc config device set store store80 proxy_protocol=true

in container:
ref: apache2 ip behind proxy
create file and add conf like this
vi /etc/apache2/conf-available/remoteip.conf

# recuperer les adresses ip du client renvoyées par le proxy
RemoteIPHeader X-Forwarded-For
# ici les adresse distantes auxquelles on fait confiance pour présenter une valeur RemoteIPHeader
RemoteIPTrustedProxy 127.0.0.1 ::1

a2enconf remoteip
a2enmod remoteip

add the directive in your defaut virtual host… ref: apache 2 mode_remoteip
apache dont respond without it when remoteip is enabled.
vi /etc/apache2/sites-available/000-default.conf

RemoteIPProxyProtocol On

and finaly,

systemctl restart apache2

to confirm working

tail -f /var/log/apache2/access.log

and navigate to your defaut server page…
http://<your host ip>