I have a setup where from the internet I have:
Internet → Router → Apache Reverse Proxy → Nginx Proxy → HA Core
And internally I use:
LAN → Nginx Proxy → HA Core
So I cannot use the PROXY protocol option because I also need to directly access the server and also because I don’t think Apache even supports it (and neither does Traefik I think which will replace it eventually).
To work around that I set up:
active: true
default: nginx_proxy_default*.conf
servers: nginx_proxy/*.conf
And then in /share/nginx_proxy/realip.conf:
# Reverse Proxy IPs
set_real_ip_from <apache ipv4 1>;
set_real_ip_from <apache ipv4 2>;
set_real_ip_from <apache ipv6 1>;
set_real_ip_from <apache ipv6 2>;
# Header set from proxy
real_ip_header X-Client-Ip;
The config is definitely loaded (if I misconfigure anything it’ll fail to start) and I also tried with the default X-Forwarded-For (in fact that was my first few tries, but then I tried to reproduce their Cloudflare config). But in the end, while funnily enough IPv6 IPs sometimes seem to be passed through, in general all the tokens still note the internal Proxy/Docker network routing IP:
And even Nginx’s internal error logs still note the wrong IP…
2025/07/09 00:05:19 [error] 128#128: *97 upstream timed out (110: Operation timed out) while reading upstream, client: 172.30.32.1, server: <redacted>, request: "GET /api/hassio/addons/core_nginx_proxy/logs/follow?lines=100 HTTP/2.0", upstream: "http://172.30.32.1:8123/api/hassio/addons/core_nginx_proxy/logs/follow?lines=100", host: "<redacted>", referrer: "https://<redacted>/hassio/addon/core_nginx_proxy/logs"
Am I missing anything?
Edit: Funnily enough when I add (and even remove the apache IPs):
set_real_ip_from 172.30.32.0/24;
to the config it seems to work, but that sounds like it results in everyone being able to set that header and pretend to be any IP, which would be really bad. It seems there’s something wrong with the docker(/whatever they use for OCI containers) proxy where it doesn’t properly translate the TCP IP for the container? It would be interesting to see if their Cloudflare config has the same issue then, if someone here’s using that.
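
Added example, not part of the original post and not nginx's own code: a simplified Python model of how the realip module decides whether to honor the header, showing why the Apache-only list has no effect when the TCP peer is the gateway address and why trusting the gateway subnet extends trust to everything arriving through it. It assumes, as in the log line above, that connections reach nginx with peer address 172.30.32.1; the Apache and client addresses are constructed documentation addresses, and `effective_client_ip` and `scenarios` are hypothetical names.

```python
import ipaddress

GATEWAY = "172.30.32.1"                    # peer address from the log line on this page
APACHE = ["192.0.2.10", "2001:db8::10"]    # constructed stand-ins for the Apache IPs
GATEWAY_NET = ["172.30.32.0/24"]           # the subnet added in the post's edit


def effective_client_ip(peer, header_value, trusted, recursive=False):
    """Simplified model of the realip decision (set_real_ip_from / real_ip_header)."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    # The header is only consulted when the TCP peer itself is in the trusted list.
    if not header_value or not is_trusted(peer):
        return peer
    chosen = peer
    # Walk the comma-separated list from the right, as with X-Forwarded-For.
    for hop in reversed([h.strip() for h in header_value.split(",") if h.strip()]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                          # unparsable entry: keep what we have
        chosen = hop
        # Without real_ip_recursive the rightmost entry wins; with it, keep
        # going left until an address that is not a trusted proxy is found.
        if not recursive or not is_trusted(hop):
            break
    return chosen


def scenarios():
    """Constructed requests; the header value stands for X-Client-Ip."""
    return {
        # Peer is the gateway, only Apache is trusted: header ignored.
        "apache_list_only": effective_client_ip(GATEWAY, "203.0.113.7", APACHE),
        # Gateway subnet trusted: header honored for traffic relayed by Apache...
        "gateway_trusted": effective_client_ip(GATEWAY, "203.0.113.7", GATEWAY_NET),
        # ...and equally for any request whose peer is the gateway, whatever it claims.
        "gateway_trusted_unverified": effective_client_ip(GATEWAY, "198.51.100.99", GATEWAY_NET),
        # If the peer address were preserved, the Apache-only list would suffice.
        "peer_preserved": effective_client_ip("192.0.2.10", "203.0.113.7", APACHE),
    }


if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name}: {ip}")
```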
