Log client's “real” IP address in Docker Swarm 1.12 when accessing a service #27143

Closed
eskp opened this issue Oct 4, 2016 · 4 comments

eskp commented Oct 4, 2016

I have an nginx container running as a service in Docker Swarm inside a user-created overlay network. Both were created with:

docker network create --driver overlay proxy
docker service create --name proxy --network proxy -p 80:80 nginx

When accessing an nginx site through the browser, the remote address in the nginx access log is logged as a 10.255... formatted address, which I presume to be the Swarm load balancer address. The question is how to know/log the address of the end client accessing the site and not the load balancer address.

Member

cpuguy83 commented Oct 4, 2016

I've been wondering this as well.
Ping @mrjana


zas commented Oct 5, 2016

Related to #25526

Author

eskp commented Oct 6, 2016

Thanks @zas. Now watching #25526

eskp closed this as completed Oct 6, 2016

struanb commented Mar 7, 2021

We've now released v3.1.0 of https://github.com/newsnowlabs/docker-ingress-routing-daemon, which modifies docker's ingress mesh routing to expose true client IPs to service containers:

  • implemented purely through routing and firewall rules; and so
  • without the need for running any additional application layers like traefik or other reverse proxies; and so
  • there's no need to reconfigure your existing application.

As far as I know, the docker-ingress-routing-daemon is the most lightweight way to access client IPs from within containers launched by docker services.

Summary of features:

  • Support for replacing docker's masquerading with routing on incoming traffic either for all published services, or only for specified services on specified TCP or UDP ports
  • Support for recent kernels (such as employed in Google Cloud images) that set rp_filter=1 (strict) inside service containers
  • Automatic installation of kernel tweaks that improve IPVS performance in production (though this can be disabled)

Please check it out and raise any issues you find.
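
An added example, not part of the original thread or of either project: a small audit that reads nginx access log lines and reports how many requests were logged with a Swarm ingress address instead of a client address, which is the symptom described in the issue and a quick check after changing the routing. The subnet `10.255.0.0/16`, the function name `audit_access_log` and the sample log lines are assumptions constructed for illustration; confirm the real subnet with `docker network inspect ingress`.

```python
import ipaddress
import re
from collections import Counter

# Assumption: ingress overlay subnet (the issue only shows "10.255...").
INGRESS_NET = ipaddress.ip_network("10.255.0.0/16")

# Start of nginx's default "combined" format: addr - user [time] "request" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} ')

# Constructed sample input, not taken from the issue.
SAMPLE_LOG = """\
10.255.0.3 - - [04/Oct/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.47.0"
10.255.0.3 - - [04/Oct/2016:10:00:02 +0000] "GET /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.255.0.4 - - [04/Oct/2016:10:00:03 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2016:10:00:04 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
this line is malformed
"""

def audit_access_log(text, ingress_net=INGRESS_NET):
    """Split logged remote addresses into ingress (masked) and client addresses."""
    masked, clients, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # not a combined-format line
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            skipped += 1          # first field is not an IP address
            continue
        # An IPv6 address is never "in" an IPv4 network, so it counts as a client.
        (masked if addr in ingress_net else clients)[str(addr)] += 1
    n_masked, n_clients = sum(masked.values()), sum(clients.values())
    total = n_masked + n_clients
    return {
        "total": total,
        "masked": n_masked,
        "masked_ratio": n_masked / total if total else 0.0,
        "masked_sources": dict(masked),
        "client_sources": dict(clients),
        "skipped": skipped,
    }

if __name__ == "__main__":
    report = audit_access_log(SAMPLE_LOG)
    print(f"{report['masked']}/{report['total']} requests logged with an ingress address")
    print("ingress addresses seen:", report["masked_sources"])
```

A masked ratio near 1.0 means per-client controls that key on the logged address (rate limits, ban lists, audit trails) are all seeing the same few ingress addresses.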
