I am using Sentry On-Premise with a container running Traefik in front of it to handle SSL termination and LetsEncrypt renewal.
Here is how I have modified the docker-compose.yml to do this:

      nginx:
        << : *restart_policy
        # Don't expose port since we are using Traefik
        #ports:
        #  - '9000:80/tcp'
        image: 'nginx:1.16'
        volumes:
          - type: bind
            read_only: true
            source: ./nginx
            target: /etc/nginx
        depends_on:
          - web
          - relay
        labels:
          - traefik.enable=true
          - traefik.http.routers.sentry.entrypoints=https
          - traefik.http.routers.sentry.rule=Host(`sentry.example.com`)
          - traefik.http.routers.sentry.tls=true
          - traefik.http.routers.sentry.tls.certresolver=letsencrypt
          - traefik.http.services.sentry.loadbalancer.server.port=80

This means that the logs (viewed with docker-compose logs nginx) show the private IP of the Traefik container instead of the IP of the incoming request.
Since Traefik provides the X-Forwarded-For header, I tried to modify the Nginx configuration (in ./nginx/nginx.conf) as follows:

    log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # ...
    proxy_set_header X-Real-IP $http_x_real_ip;
    proxy_set_header X-Forwarded-For $http_x_forwarded_for;

After making these changes, I ran ./install.sh and docker-compose up -d.
The problem is that these changes don’t seem to have applied. When I view the logs, I still see the Traefik container’s address instead of the public IP, and when I make other changes to the log_format line to test, it doesn’t seem like they are taking effect.
Additionally, if I go into the container using docker-compose exec nginx bash, I can see that my changes are there (using cat /etc/nginx/nginx.conf).
So why aren’t my changes being applied?
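
An added example, not part of the original post and not Sentry's own configuration: the log_format above writes $http_x_forwarded_for, which is the request header exactly as received, so the logged value is only as trustworthy as whoever set that header. nginx's realip module instead rewrites $remote_addr, and only for connections that arrive from a proxy range you declare as trusted. The subnet 172.18.0.0/16 is an assumed placeholder for the Docker network the Traefik container connects from.

```nginx
# Goes in the http {} block of ./nginx/nginx.conf (path from the post).
# ASSUMPTION: 172.18.0.0/16 is a placeholder for the Docker network that
# the Traefik container connects from; substitute the real subnet.
set_real_ip_from  172.18.0.0/16;

# Take the client address from X-Forwarded-For, but only for connections
# arriving from the trusted range above. Any other peer keeps its own
# socket address, whatever headers it sends.
real_ip_header    X-Forwarded-For;

# Walk the header from right to left and stop at the first address that
# is not in a trusted range, so entries a client put in front are ignored.
real_ip_recursive on;

# $remote_addr now holds the resolved client address;
# $realip_remote_addr keeps the address of the directly connected peer.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" via=$realip_remote_addr';

# Hand the resolved address to the upstream services instead of echoing
# request headers back unchanged.
proxy_set_header X-Real-IP       $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
```

Running nginx -t inside the container checks that the file parses, and a running nginx only picks up an edited file after a reload or restart.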