Reverse proxy with changing internal IP addresses in Docker

Hi!

I have HA and a reverse proxy (tsdproxy in my case, but this should not matter) both installed on the same host with Docker. Proxy requests to HA seem to have their origin from the Docker internal IP address. Therefore, I use this address as trusted IP:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.18.0.2

This does work. But after a reboot of the host, Docker does change IP addresses, which is why it fails after a reboot. In my opinion, there are three possible solutions for this problem:

  1. Add the proxy to the Docker host network (I do not want this).
  2. Add all private networks to trusted proxies (ugly and security concerns).
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
  3. Use the name of the Docker network (preferred way).
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - tsdproxy

Unfortunately, the latter version does not work. So my question is, what is the best way to solve this problem? I am happy about your opinion! 🙂

Have a nice day,

Tom

  1. Create a dedicated docker network: docker network create --subnet=172.199.0.0/16 proxy_net
  2. Launch the proxy container with a static ip: docker run --net proxy_net --ip 172.199.0.100 tsdproxy
  3. Add 172.199.0.100 to the trusted proxies of HA

The equivalent docker commands exist in docker-compose, ofc.


Ah. Sure! I understand. I can confirm that manually assigning IP addresses does work. For the record:

docker-compose.yaml of TSDProxy:

services:
  tsdproxy:
    image: almeidapaulopt/tsdproxy:latest
    container_name: tsdproxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /volume1/docker/tsdproxy/data:/data
      - /volume1/docker/tsdproxy/config:/config
    restart: unless-stopped
    ports:
      - "8888:8080"
    networks:
      tsdproxy:
        ipv4_address: 10.10.10.10
    labels:
      - tsdproxy.enable=true
      - tsdproxy.ephemeral=false

networks:
  tsdproxy:
    name: tsdproxy
    driver: bridge
    ipam:
      config:
        - subnet: 10.10.10.0/24

configuration.yaml of HA:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.10.10.10

Thx a lot! 🙂
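
A check over the `trusted_proxies` variants from this thread, added here as an example (not code from any poster, Home Assistant or TSDProxy). It classifies each entry so a blanket private range, a network name, or an address outside the proxy's Docker subnet is caught before HA starts trusting `X-Forwarded-For` from it; the function name, verdict labels and the /24 size threshold are assumptions of this example.

```python
import ipaddress

# Assumption for this example: anything larger than a /24 is "broad" for a proxy entry.
MAX_ADDRESSES = 256


def audit_trusted_proxies(entries, docker_subnet=None):
    """Classify each trusted_proxies entry.

    Returns {entry: verdict}; verdict is one of
    'invalid', 'public', 'broad', 'outside-subnet', 'ok'.
    """
    subnet = ipaddress.ip_network(docker_subnet) if docker_subnet else None
    verdicts = {}
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # e.g. a Docker network or container name instead of an address
            verdicts[entry] = "invalid"
            continue
        if not net.is_private:
            # not in a private/reserved range; 172.x is private only in 172.16.0.0/12
            verdicts[entry] = "public"
        elif net.num_addresses > MAX_ADDRESSES:
            # every host in the range could supply its own X-Forwarded-For
            verdicts[entry] = "broad"
        elif subnet is not None and not (
            net.version == subnet.version and net.subnet_of(subnet)
        ):
            # address does not belong to the network the proxy is pinned to
            verdicts[entry] = "outside-subnet"
        else:
            verdicts[entry] = "ok"
    return verdicts


if __name__ == "__main__":
    # Entries copied from the posts above; the grouping is constructed for this demo.
    entries = ["172.18.0.2", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "tsdproxy", "172.199.0.100", "10.10.10.10"]
    # Subnet taken from the docker-compose.yaml in the last post.
    for entry, verdict in audit_trusted_proxies(entries, "10.10.10.0/24").items():
        print(f"{entry:18} {verdict}")
```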