Everybody has the same IP address

Dave Jensen

I'm using HAProxy on a remote server to proxy traffic to NodeBB. I'm actually proxying using a subdir /forums and that part seems to work.

What isn't working is that everybody has the private IP address of the HAProxy server. What headers is NodeBB looking for to get the IP address?

Tom Rade

Hey, just add some settings in haproxy. Take a look here https://serverfault.com/questions/331079/haproxy-and-forwarding-client-ip-address-to-servers

Dave Jensen

Yeah, I already have option forwardfor enabled.

This all works for Wordpress, which is why I was wondering if a different header is expected.

Dave Jensen

I'm seeing this IP for all users, which is obviously a private IP:
0_1542104919434_361546f4-047c-4192-9825-5c112df25eeb-image.png

Also, despite having dozens of people online today, this is my forum traffic graph:
0_1542104997416_25d8201f-9bd3-47d7-a7b2-bf6098b0ed4b-image.png

If I don't get an answer, I'll eventually dig into the code. Other matters are more pressing wrt to my forums right now.

Dave Jensen

What's interesting is that the log file reports correct IP addresses for invalid email attempts.

Dave Jensen

There are two IPs that seem to get gathered in the code. One is req.ip from the Express middleware and the other is socket.ip from the websockets.

There's also this. Apparently if the port being used is 80 or 443 "trust proxy" is not enabled:
https://github.com/NodeBB/NodeBB/blob/64b9dabff87862a77a71fec2370b2a8d2ed4b6e4/src/webserver.js#L285

Otherwise it looks in config.json
So, I guess this isn't documented? It's kinda documented that you shouldn't use 80 and 443 but this side-effect maybe isn't documented?

Dave Jensen

Yup, that fixed it.

I added

  "trust_proxy": true,

to my config.json and everything is working as expected now. (I think)

julian

Yeah, the idea is you should be using a reverse proxy to handle traffic and NodeBB should be listening on port 4567... if it's 4567 but port is not in url, then trust_proxy is automatically enabled.

Dave Jensen

@julian said in Everybody has the same IP address:

Yeah, the idea is you should be using a reverse proxy

Yes.

to handle traffic and NodeBB should be listening on port 4567...

Yes

if it's 4567 but port is not in url, then trust_proxy is automatically enabled.

Not sure if I follow this. But the logic in the code is that if it's any port aside from 80 and 443 then "trust proxy" is enabled. Or if "trust_proxy" is set to true in the config, then "trust proxy" is enabled.