From 5952443cc63dfffeb7a26a6330c8213e1bdc556c Mon Sep 17 00:00:00 2001
From: Jack Levy
Date: Sun, 15 Mar 2026 17:42:13 -0400
Subject: [PATCH] feat: Nginx real IP extraction and access logging

Trust NPM proxy subnets, extract real client IP from X-Forwarded-For, log with referrer and user agent.
Authored by: Jack Levy
---
 nginx/nginx.conf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 0833a1b..2180f89 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -8,6 +8,20 @@ http {
 sendfile on;
 keepalive_timeout 65;
+ # Trust NPM as a proxy — replace $remote_addr with the real client IP
+ # from X-Forwarded-For when the request comes from NPM's subnet
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+ set_real_ip_from 192.168.0.0/16;
+ set_real_ip_from 10.0.0.0/8;
+ set_real_ip_from 172.16.0.0/12;
+
+ # Log format includes real IP, referrer, and user agent
+ log_format main '$remote_addr - [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent"';
+ access_log /var/log/nginx/access.log main;
+
+ # Use Docker's internal DNS; valid=10s forces re-resolution after container restarts.
 # Variables in proxy_pass activate this resolver (upstream blocks do not).
 resolver 127.0.0.11 valid=10s ipv6=off;
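Review bot: The three `set_real_ip_from` lines trust every RFC 1918 range rather than the NPM subnet the comment names, and with `real_ip_recursive on` nginx skips every address in those ranges when it walks X-Forwarded-For. When the real client is itself on a private address, or a private-range host reaches this nginx without going through NPM, a client-supplied X-Forwarded-For entry can end up as `$remote_addr`, which makes the new access log, and any allow/deny or rate-limit rule keyed on that variable elsewhere in the config, unreliable. Narrow the trust to the proxy's actual network with a single `set_real_ip_from <NPM_DOCKER_SUBNET>;` (placeholder; the real subnet is not on this page), and consider adding `$realip_remote_addr` to `log_format main` so the connecting peer is recorded next to the rewritten address. The `http` block starts and ends outside the hunk, so whether other directives depend on `$remote_addr` cannot be checked from here.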