You are performing another reverse proxy from apache to monit. You will need to check whether monit can use the X-Forwarded-For header or supports the proxy protocol and then make Apache use it.
This isn’t specific to LXD proxy as it is another layer beyond that now.
Alternatively if monit returns a specific HTTP error response when an invalid login is used, could you get fail2ban to inspect the apache logs for failed “/monit” requests?
That means it probably doesn't support the proxy protocol. Maybe it can use the X-Forwarded-For header from Apache, or see my comment about parsing the Apache logs instead.
Finally, the other option is to use the nat=true mode on the LXD proxy device which will always pass through the remote IP, but the downside is that your container will need a static IP configured.
The Apache access log keeps only the access to the page /monit/, no return value.
The only way seems to be to search the Apache log for /monit/ and the time when monit.log shows a failure like this: HttpRequest: access denied -- client [127.0.0.1]: unknown user 'qsdqsd'
But it's risky due to false positives if an admin is managing and a brute force comes along at the same time…
Stupid as it may seem, I am requesting help to configure the default LXD bridge as NAT…
I read the linked doc and tried to apply it, but it's like a sorcery book for me,
and trying to use it always shows an error, or invalid parameters…
I think it's pretty simple for you…
lxc stop store
lxc config device override store eth0 ipv4.address=10.153.130.10 ipv6.address=fd42:dad8:c4ad:e744:216:3eff:fecf:5770
Error: Invalid devices: Device validation failed “eth0”: Cannot specify “ipv6.address” when DHCP or “ipv6.dhcp.stateful” are disabled on network “lxdbr0”
So I tried to specify only IPv4:
lxc config device override store eth0 ipv4.address=10.153.130.10
Device eth0 overridden for store
lxc start store
// adding rule for port 2812 monit
lxc config device add store proxyv4 proxy nat=true listen=tcp:192.168.1.33:2812 connect=tcp:0.0.0.0:2812
Device proxyv4 added to store
lxc config device add store proxyv6 proxy nat=true listen=tcp:[2a01:cb18:8063:7f00:a00:27ff:fefb:2e50]:2812 connect=tcp:[::]:2812
Error: Failed to start device “proxyv6”: Proxy connect IP cannot be used with any of the instance NICs static IPs
Errors come when trying to manage IPv6 or when trying to retry the config device override…
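The log correlation described in the post above, as an added example that is not part of the original thread: each monit "access denied" line is matched to the Apache clients that requested /monit within a short window, and only failures with exactly one candidate IP are treated as attributable, which is how the false-positive risk shows up. The log samples are constructed, and the monit timestamp layout, the 2-second window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs; the monit timestamp layout is an assumption.
APACHE_LOG = """\
203.0.113.7 - - [05/Jan/2021:10:12:01 +0000] "GET /monit/ HTTP/1.1" 200 512
198.51.100.9 - - [05/Jan/2021:10:12:01 +0000] "GET /monit/ HTTP/1.1" 200 512
203.0.113.7 - - [05/Jan/2021:10:15:30 +0000] "GET /monit/ HTTP/1.1" 200 512
192.0.2.44 - - [05/Jan/2021:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""
MONIT_LOG = """\
[2021-01-05T10:12:01+0000] error : HttpRequest: access denied -- client [127.0.0.1]: unknown user 'qsdqsd'
[2021-01-05T10:15:31+0000] error : HttpRequest: access denied -- client [127.0.0.1]: unknown user 'admin1'
"""

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ /monit\S*')
MONIT_RE = re.compile(
    r"^\[([^\]]+)\].*access denied -- client \[[^\]]*\]: unknown user '([^']*)'")

def correlate(apache_text, monit_text, window_s=2):
    """For each monit login failure, list the client IPs that requested
    /monit within window_s seconds of it, according to the Apache log."""
    hits = []
    for line in apache_text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((ts, m.group(1)))
    window = timedelta(seconds=window_s)
    events = []
    for line in monit_text.splitlines():
        m = MONIT_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S%z")
        ips = sorted({ip for ts, ip in hits if abs(ts - when) <= window})
        events.append((m.group(2), ips))
    return events

def attributable(events):
    """Keep only failures with exactly one candidate IP; two or more
    candidates are ambiguous and must not be used for a ban decision."""
    return [(user, ips[0]) for user, ips in events if len(ips) == 1]

if __name__ == "__main__":
    for user, ips in correlate(APACHE_LOG, MONIT_LOG):
        print(user, ips)
```
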
If you don't need to use an IPv6 proxy, then don't worry about adding the proxyv6 device or setting a static IPv6 address. It's optional. None of the examples you've provided up to this point have mentioned IPv6.
In your post How to keep peer ip on lxd container you only set up an IPv4 proxy device, meaning your service would only be exposed on IPv4. Therefore, if you want to switch that to use NAT mode (or create another IPv4-only proxy device on a different port for monit), then you don't need to also have an IPv6 proxy device. It's optional.
wow: ipv4 while run for a long time again…
I must manage this, so when I fix IPv6, an error message is returned.
Is that normal?
Perhaps I should restart from the beginning to confirm.
But I would recommend you get IPv4 working the way you want first before trying to set up IPv6, otherwise it just makes things more complicated for you.
Suffice to say, if you do actually want IPv6, then the error you mentioned with the override command is because you've already overridden the built-in profile device once, so you cannot do it again.
Instead try:
lxc config device set store eth0 ipv4.address=10.153.130.114 ipv6.address=2a01:cb18:8063:7f00:a00:27ff:fefb:2e50