feat: Nginx real IP extraction and access logging

Trust NPM proxy subnets, extract real client IP from X-Forwarded-For,
log with referrer and user agent.

Authored by: Jack Levy

nginx/nginx.conf

@@ -8,6 +8,20 @@ http {
     sendfile      on;
     keepalive_timeout 65;
 
+    # Trust NPM as a proxy — replace $remote_addr with the real client IP
+    # from X-Forwarded-For when the request comes from NPM's subnet
+    real_ip_header    X-Forwarded-For;
+    real_ip_recursive on;
+    set_real_ip_from  192.168.0.0/16;
+    set_real_ip_from  10.0.0.0/8;
+    set_real_ip_from  172.16.0.0/12;
+
+    # Log format includes real IP, referrer, and user agent
+    log_format main '$remote_addr - [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent"';
+    access_log /var/log/nginx/access.log main;
+
     # Use Docker's internal DNS; valid=10s forces re-resolution after container restarts.
     # Variables in proxy_pass activate this resolver (upstream blocks do not).
     resolver 127.0.0.11 valid=10s ipv6=off;