Gitlab Logs always show same remote_ip (reverse proxy)

How to Use GitLab
1

Describe your question in as much detail as possible:
I am having problems logging the real-ip address of users. I always see the reverse proxy IP.

  • What are you seeing, and how does it differ from what you expect to see?
    I have modified the gitlab.rb to include:
    nginx[‘real_ip_trusted_addresses’] = [‘172.31.0.0/20’, ‘172.31.16.0/20’,…]
    nginx[‘real_ip_header’] = ‘X-Forwarded-For’
    nginx[‘real_ip_recursive’] = ‘on’
    After reconfigure, I still see the same remote-ip.

I have been following information at this URL:

But no success.

  • What version are you on (Hint: /help) ? and are you using self-managed or gitlab.com?
    Using Gitlab 14.3.2, community edition, self-managed.
    Thanks for any suggestions for help get me back on track.

Jim

2

Just a guess, but does the reverse proxy your gitlab is behind actually sends X-Forwarded-For header?

What kind of reverse proxy or loadbalancer is the GitLab behind? Layer 4 or Layer 7?

3

Thanks Balonik,
I am using nginx with the standard proxy pass syntax. I suspect layer 7, but I could be wrong.
Still haven’t solved it and looking for additional options to consider.
Jim

4

Is the entire subnet allocated to your nginx proxy? If not, normally you would only put the IP addresses on this list for the servers that are acting as the proxy.

5

Thanks. Those are the subnets. Just to confirm, are you saying don’t use the ranges and just the actual IP of the reverse proxy?

6

Yes exactly, otherwise it’s going to filter out the entire subnet. If the machines connecting are in that subnet, then they won’t show up.

Effectively when listing the proxy IP, it’s telling gitlab to ignore that and use the other IP details.

7

That makes sense, but the real-ip I seek is not within the subnet range. This is the client’s IP from which the logged into the gitlab server. The subnet range I provided are the Cloud service provider VPC range. If I logged in, I would like to see my home IP address in the log and not the Cloud IP address.

8

Maybe it would help if you can describe the traffic flow so we can see where the real IP could get lost.

Something like Client → Akamai/Cloudflare → LB → Reverse Proxy → GitLab Server.

9

Hi, i am having the same issue, by any chance do you have the solution ?

10

AhtashamFiaz,
My solution was remove the AWS Network Load Balancer. (Didn’t really need it anyway). Then, used LetsEncrypt for the Certificate provider. Now, all IPs are logged.
There are other solutions with different types and combinations of Load balancers, but this was the simplest approach for me.
Jim