• 2 Posts
  • 71 Comments
Joined 2 years ago
cake
Cake day: June 13th, 2023

help-circle
  • I went down this very same twisty road a while back with rootless Podman. I tried several of the solutions you mentioned. None of them worked. The actual working solution I finally settled on was using Proxy Protocol to pass the original client IP from the host into a container. In my particular case, I’m running a very basic HAProxy config on the host that’s talking Proxy Protocol to Traefik running in a container. And it works great; actual client IPs show up in the logs as expected.

    In your particular case, you could probably run HAProxy on the host and have that talk Proxy Protocol to Caddy running in a container.







  • witten@lemmy.worldtoTechnology@lemmy.worldBluesky hits 20 million users
    link
    fedilink
    English
    arrow-up
    10
    arrow-down
    1
    ·
    edit-2
    1 month ago

    Look, I appreciate you pushing on the UX aspects of the fediverse here. But let me ask yout something. What’s your email address? Is it Lost_My_Mind? No? Oh, because it’s got an @whatever.com on the end? Why is that? Why don’t we have one global, centralized namespace for email usernames such that there’s only a single Lost_My_Mind in the whole world?




  • People are also expected to understand the concept of manually picking a brand of toothpaste. My point is that if we can’t even expect a little consumer choice (the same consumer choice we have in the real world), then we deserve all the monopolization and centralization we get.

    Also, selecting a Mastodon server isn’t like some scary technical choice. It’s like a vibe check and a signup form.







  • I struggled with this same problem for a long time before finding a solution. I really didn’t want to give up and run my reverse proxy (Traefik in my case) on the host, because then I’d lose out on all the automatic container discovery and routing. But I really needed true client IPs to get passed through for downstream service consumption.

    So what I ended up doing was installing only HAProxy on the host, configuring it to proxy all traffic to my containerized reverse proxy via Proxy Protocol (which includes original client IPs!) instead of HTTPS. Then I configured my reverse proxy to expect (and trust) Proxy Protocol traffic from the host. This allows the reverse proxy to receive original client IPs while still terminating HTTPS. And then it can pass everything to downstream containerized services as needed.

    I tried several of the other options mentioned in this thread and never got them working. Proxy Protocol was the only thing that ever did. The main downside is there is another moving part (HAProxy) added to the mix, and it does need to be on the host. But in my case, that’s a small price to pay for working client IPs.

    More at: https://www.haproxy.com/blog/use-the-proxy-protocol-to-preserve-a-clients-ip-address