I am using Sentry On-Premise with a container running Traefik in front of it to handle SSL termination and LetsEncrypt renewal.
Here is how I have modified the
docker-compose.yml to do this:
nginx: << : *restart_policy # Don't expose port since we are using Traefik #ports: # - '9000:80/tcp' image: 'nginx:1.16' volumes: - type: bind read_only: true source: ./nginx target: /etc/nginx depends_on: - web - relay labels: - traefik.enable=true - traefik.http.routers.sentry.entrypoints=https - traefik.http.routers.sentry.rule=Host(`sentry.example.com`) - traefik.http.routers.sentry.tls=true - traefik.http.routers.sentry.tls.certresolver=letsencrypt - traefik.http.services.sentry.loadbalancer.server.port=80
This means that the logs (viewed with
docker-compose logs nginx) show the private IP of the Traefik container instead of the IP of the incoming request.
Since Traefik provides the
X-Forwarded-For header, I tried to modify the Nginx configuration (in
./nginx/nginx.conf) as follows:
log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; # ... proxy_set_header X-Real-IP $http_x_real_ip; proxy_set_header X-Forwarded-For $http_x_forwarded_for;
After making these changes, I ran
docker-compose up -d.
The problem is that these changes don’t seem to have applied. When I view the logs, I still see the Traefik container’s address instead of the public IP, and when I make other changes to the
log_format line to test, it doesn’t seem like they are taking effect.
Additionally, if I go into the container using
docker-compose exec nginx bash, I can see that my changes are there (using
So why aren’t my changes being applied?