LXD monit in container client ip remain

tried to use before the rule
lxc config device add store storemonit2812 proxy listen=tcp: connect=tcp: proxy_protocol=true

but monit responds

# Bad Request
Cannot parse request


That means it probably doesn’t support the proxy protocol. Maybe it can use the X-Forwarded-For header from Apache, or see my comment about parsing the Apache logs instead.

Finally, the other option is to use the nat=true mode on the LXD proxy device which will always pass through the remote IP, but the downside is that your container will need a static IP configured.

The Apache access log keeps only the access to the page /monit/, no return value.
The only way seems to be to search the Apache log for /monit/ and the time, when monit.log shows a failure like this:
HttpRequest: access denied -- client []: unknown user 'qsdqsd'

but it’s risky due to false positives if the admin manages and a brute force comes at the same time…

it’s just a matter of seconds…

The Apache logs do store the HTTP response code of each request too; if that is non-200 then it may be useful to detect bad logins.
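Added example, not part of the original thread: one way to apply the response-code suggestion above, counting failed /monit/ requests per client IP inside a short time window so that a single mistyped admin login is not flagged. It assumes Apache's common/combined log format and that failed monit logins are logged as 401 or 403; the function name, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined format: ip ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def failed_monit_clients(lines, prefix="/monit/", statuses=("401", "403"),
                         threshold=3, window=timedelta(seconds=60)):
    """Return {ip: peak_failures} for clients with at least `threshold`
    failed requests under `prefix` within any `window`-long span."""
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue                 # unparsable line or unrelated URL
        if m["status"] not in statuses:
            continue                 # assumption: only 401/403 mean a bad login
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:    # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [12/Jan/2021:10:15:01 +0100] "GET /monit/ HTTP/1.1" 401 381',
    '203.0.113.7 - - [12/Jan/2021:10:15:02 +0100] "GET /monit/ HTTP/1.1" 401 381',
    # An admin's browser gets one 401 challenge, then logs in successfully.
    '198.51.100.20 - - [12/Jan/2021:10:15:02 +0100] "GET /monit/ HTTP/1.1" 401 381',
    '203.0.113.7 - - [12/Jan/2021:10:15:03 +0100] "GET /monit/ HTTP/1.1" 401 381',
    '203.0.113.7 - - [12/Jan/2021:10:15:04 +0100] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.20 - - [12/Jan/2021:10:15:05 +0100] "GET /monit/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, count in failed_monit_clients(SAMPLE).items():
        print(f"{ip}: {count} failed /monit/ requests within 60s")
```

The per-IP threshold is what separates a burst of failures from the single 401 challenge a legitimate browser session produces, which addresses the false-positive concern of matching on timestamps alone.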

Can a container configured with a bridge use NAT?

Yes, take a look at the guide in our tutorials section Using proxy device to forward network connections from host to container in NAT mode

I will do it. Thanks!

As stupid as it seems, I am requesting help to configure the default lxd bridge with NAT…
I read the linked doc and tried to apply it, but it’s like a sorcery book for me,

and trying to use it always shows an error, or invalid parameters…
I think it’s pretty simple for you…

What errors are you seeing for which commands?

assuming host have:
fixed ipv4=
fixed ipv6=2a01:cb18:8063:7f00:a00:27ff:fefb:2e50
lxd 4.0.3

lxd init with all default values,

lxc launch ubuntu:20.04 store
lxc list | grep store

| store | RUNNING | (eth0) | fd42:a8b5:c116:e2cc:216:3eff:fea2:7902 (eth0) | CONTAINER | 0

lxc stop store
lxc config device override store eth0 ipv4.address= ipv6.address=fd42:dad8:c4ad:e744:216:3eff:fecf:5770

Error: Invalid devices: Device validation failed “eth0”: Cannot specify “ipv6.address” when DHCP or “ipv6.dhcp.stateful” are disabled on network “lxdbr0”

so, tried to specify only ipv4,

lxc config device override store eth0 ipv4.address=

Device eth0 overridden for store

lxc start store

// adding rule for port 2812 monit

lxc config device add store proxyv4 proxy nat=true listen=tcp: connect=tcp:

Device proxyv4 added to store

lxc config device add store proxyv6 proxy nat=true listen=tcp:[2a01:cb18:8063:7f00:a00:27ff:fefb:2e50]:2812 connect=tcp:[::]:2812

Error: Failed to start device “proxyv6”: Proxy connect IP cannot be used with any of the instance NICs static IPs

errors come when trying to manage ipv6 or when trying to retry the override config device…

to resolve ipv6 dynamic to static, if I try

lxc network set lxdbr0 ipv6.dhcp.stateful true
lxc stop store
lxc config device override store eth0 ipv4.address= ipv6.address=2a01:cb18:8063:7f00:a00:27ff:fefb:2e50

Error: The device already exists

returned an error for ipv6, but the started container seems to use the static ipv6…

If you don’t need to use IPv6 proxy, then don’t worry about adding the proxyv6 device or setting a static IPv6 address. It’s optional. All the examples you’ve provided up to this point haven’t mentioned IPv6.

but in production, with the host on a bare metal server, ipv6 will be used, no?

Are the errors returned false errors when setting ipv6?

In your post How to keep peer ip on lxd container you only set up an IPv4 proxy device, meaning your service would only be exposed on IPv4, therefore if you want to switch that to use NAT mode (or create another V4 only proxy device on a different port for monit) then you don’t need to also have an IPv6 proxy device. It’s optional.

wow: ipv4 will run for a long time again…
I must manage this, so, when I fix ipv6, an error message is returned,
is it normal?
Perhaps I should restart from the beginning, to confirm.

I don’t fully understand you to be honest.

But I would recommend you get IPv4 working the way you want first before trying to set up IPv6, otherwise it just makes things more complicated for you.

Suffice to say if you do actually want IPv6, then the error you mentioned with the override command is because you’ve already overridden the built-in profile device once, so you cannot do it again.

Instead try:

lxc config device set store eth0 ipv4.address= ipv6.address=2a01:cb18:8063:7f00:a00:27ff:fefb:2e50

Wow. Important point. We can modify a device just once?
What if it is a mistake and must be modified again??

I’m afraid you misunderstand:

  • override = copy the contents of a device in the profile into the instance’s own config (at the same time modifying certain keys on the copy if specified). Cannot be run if an instance device exists already. I.e. it can only be run once.
  • set = modify a device on an instance, can be run multiple times.

Not a native English speaker…