enable mod_remoteip and add config for X-Forwarded-For IP address #411

Merged
merged 2 commits into from
Sep 9, 2019

Contributor

@haozhou haozhou commented Jun 29, 2019

It helps to retrieve the real client IP forwarded by the load balancer (or a reverse proxy like haproxy or nginx).
It's the recommended way to retrieve the client IP from the "X-Forwarded-For" header in Apache 2.4.

Closes #383

@haozhou
Contributor Author

haozhou commented Jul 2, 2019

Can anyone review the PR and raise your concern?

@gingerlime

Looks good to me.

@haozhou
Contributor Author

haozhou commented Jul 16, 2019

@gingerlime Can you merge the PR?

Thanks

@gingerlime

I'm not a member / have no merge rights here unfortunately.

@haozhou
Contributor Author

haozhou commented Jul 16, 2019

@tianon Can you please help with the merge of this PR?

Thanks

@pescobar

I tried to manually apply this PR and it doesn't work for me when using jwilder-nginx-proxy in front of wordpress. I tried RemoteIPHeader X-Forwarded-For and RemoteIPHeader X-Real-IP but neither worked.

This is the Dockerfile I used to test:

FROM wordpress:5.2.2-php7.3-apache

RUN a2enmod rewrite expires remoteip

RUN { \
        echo 'RemoteIPHeader X-Forwarded-For' ; \
        echo 'RemoteIPTrustedProxy 10.0.0.0/8' ; \
        echo 'RemoteIPTrustedProxy 172.16.0.0/12' ; \
        echo 'RemoteIPTrustedProxy 192.168.0.0/16' ; \
    } > /etc/apache2/conf-available/remoteip.conf ; \
    a2enconf remoteip

I built it with docker build -t 'wp-custom-image' . and then used this docker-compose file to boot it:

version: '3'

services:

    nginx-proxy:
      image: jwilder/nginx-proxy:alpine
      container_name: nginx-proxy-devel
      ports:
        - "80:80"
        - "443:443"
      volumes:
        - conf:/etc/nginx/conf.d
        - vhost:/etc/nginx/vhost.d
        - html:/usr/share/nginx/html
        - /var/run/docker.sock:/tmp/docker.sock:ro
      restart: unless-stopped
      logging:
        driver: json-file
        options:
          max-size: '10m'
          max-file: '10'

    database:
      image: mariadb:10.4.6
      container_name: database-devel
      expose:
        - 3306
      environment:
        - MYSQL_DATABASE=exampledb
        - MYSQL_USER=exampleuser
        - MYSQL_PASSWORD=examplepass
        - MYSQL_ROOT_PASSWORD=example
      restart: unless-stopped
      logging:
        driver: json-file
        options:
          max-size: '10m'
          max-file: '10'

    wordpress:
      #image: wordpress:5.2.2-php7.3-apache
      image: wp-custom-image:latest
      container_name: wordpress-devel
      expose:
        - 8080
      environment:
        - VIRTUAL_HOST=localhost,192.168.10.7
      restart: unless-stopped
      logging:
        driver: json-file
        options:
          max-size: '10m'
          max-file: '10'

volumes:
  conf:
  vhost:
  html:

But when I access http://localhost, the log entries I see in the wordpress containers are not the client IP but the reverse proxy IP in the docker network.

I had to modify the apache vhost config as described here and this works #383 (comment)

@gingerlime

@pescobar

I had to modify the apache vhost config as described here and this works #383 (comment)

Yes, unfortunately it doesn't work out of the box. I also modified the 000-default.conf and mounted it, but used a slightly simpler version than the one you linked to:

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log

	LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" proxy
	CustomLog ${APACHE_LOG_DIR}/access.log proxy

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

And my docker-compose.yml file has an entry to mount this file:

    volumes:
      - /etc/hosting-compose/000-default.conf:/etc/apache2/sites-enabled/000-default.conf
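
The trust decision that the RemoteIPHeader / RemoteIPTrustedProxy lines in this thread configure, as an added example (not code from this PR or from Apache): a simplified Python model of mod_remoteip's right-to-left walk over X-Forwarded-For, using the trusted ranges from the Dockerfile above. The function names and all peer and client addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Trusted ranges copied from the remoteip.conf written in the Dockerfile above.
TRUSTED_PROXIES = [ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Per the mod_remoteip documentation, a RemoteIPTrustedProxy peer (unlike a
# RemoteIPInternalProxy one) is not believed when it reports these blocks.
PRIVATE_BLOCKS = [ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "169.254.0.0/16", "127.0.0.0/8")]


def in_any(addr, networks):
    return any(addr in net for net in networks)


def resolve_client_ip(peer_ip, xff_header):
    """Return (client_ip, leftover_header) after right-to-left processing."""
    client = ip_address(peer_ip)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    while hops:
        # Only an address inside a trusted range may vouch for the next hop.
        if not in_any(client, TRUSTED_PROXIES):
            break
        try:
            candidate = ip_address(hops[-1])
        except ValueError:
            break  # unparsable entry: stop and keep the current address
        if in_any(candidate, PRIVATE_BLOCKS):
            break  # private address reported by a trusted (not internal) proxy
        client = candidate
        hops.pop()
    return str(client), ", ".join(hops)


if __name__ == "__main__":
    # Constructed samples; 172.18.0.2 stands in for the reverse proxy container.
    samples = [
        ("172.18.0.2", "198.51.100.23"),               # proxy reports the client
        ("172.18.0.2", "203.0.113.9, 198.51.100.23"),  # client pre-set the header
        ("198.51.100.23", "203.0.113.9"),              # untrusted peer, header ignored
        ("172.18.0.2", "192.168.10.7"),                # private client address
    ]
    for peer, header in samples:
        print(peer, "|", header, "->", resolve_client_ip(peer, header))
```

In the second sample the entry the client supplied itself stays in the leftover header and never becomes the client address, because the walk stops at the first address outside the trusted ranges.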

@tianon tianon requested a review from yosifkit September 7, 2019 00:26
@yosifkit yosifkit merged commit f614686 into docker-library:master Sep 9, 2019
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Sep 10, 2019
Changes:

- docker-library/wordpress@f614686: Merge pull request docker-library/wordpress#411 from haozhou/master
- docker-library/wordpress@a4eef48: Adjust for templating, add more comments, adjust default log configuration so it works out-of-the-box
- docker-library/wordpress@fb61310: Enable mod_remoteip and add config for X-Forwarded-For IP address
@docker-library docker-library locked as resolved and limited conversation to collaborators Dec 15, 2022