How to get the real IP address in the clients

[Waldorf3]

So my setup is as follows.

I have a Proxmox server with a number of virtual machines.

All virtual macines are interconnected with private IP addresses (like 10.10.10.x, with x essentially being the VMID)

One virtual machine additionally has a public ip address. It runs nginx-proxy-manager in docker, and receives the traffic on the public IP address, and forwards the traffice to the other virtual machines through the private IP addresses.

This works perfectly except the virtual machines all see the traffic (the IP) as coming from the nginx-proxy-manager.

I've spent hours now trying to get the real client IP address to appear in the access log files on the proxy clients, but nothing works.

So I tried leaving the customer nginx configuration (in the gui) empty, and I have tried adding the lines

set_real_ip_from  IP;
real_ip_header X-Forwarded-For;

With IP being both the public IP address and the private IP address. I tried other combinations I found here and elsewhere, but the bottom line is, nothing ever changes.

On the clients I also tried adding

                RemoteIPHeader X-Forwarded-For
                RemoteIPInternalProxy IP

Again with IP being both the private and the public IP on the nginx-proxy-server, but nothing changes anything.

Surely there must be one correct way to set this up? Is this documented somewhere? I haven't been able to find any, other than man discussions here, and that isn't always clear and usually different situations.

[gillescoolen]

Did you make any progress on the issue? Currently having the same problem, and the fix in this issue does nothing for me.

[pachylover]

In my case, the issue was caused by trying to get X-Forwarded-For when it was not HTTPS.

[BuzzMoody]

Anyone got a fix for this?

[Crash1602]

My question is relevant to the topic, so I'm posting it here.

How can I forward the source IP for a TCP stream? Currently only the Docker Host IP is displayed on the upstream server, so i can´t use Autoblock-IP by failed logins.

Thank you very much.

[baskinsy]

I am looking for this also and can't find something.

[begunfx]

Synology workaround fix for this!

I found a solution for this if you are trying to run NPM (Docker) on a Synology. It seems that there are some pre-routing rules that need to be added to the Synology host for the IP addresses to report the client and not Docker.

I found this post with the solution:

https://www.pedrolamas.com/2020/11/04/exposing-the-client-ips-to-docker-containers-on-synology-nas/

The short of it is you need to apply the following iptable rules on Synology (cli):
sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER

Only catch is that these changes will not sustain post reboot.

In order for that to happen you need to create a boot-up task in the task scheduler and add the script he created so that the rule changes are applied every startup.

I tested the rule changes and it seems I can now properly use the Access List and restrict access to local (LAN) only.
script and instructions here:

https://gist.github.com/pedrolamas/db809a2b9112166da4a2dbf8e3a72ae9

[ghost]

What is the effect of this rule on the firewall?

[rardcode]

Hi @Waldorf3!

This works perfectly except the virtual machines all see the traffic (the IP) as coming from the nginx-proxy-manager.

I had the same problem.
After many researches and tests, this solution works for me:
Adding:
proxy_set_header X-Real-IP $remote_addr;
in Nginx Proxy Manager / Edit Proxy Host / Advanced / Custom Nginx Configuration.

I hope it can be useful. 👍

[rardcode]

Hi @filmo
in npm config i have:

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;

I use NPM before Nextcloud server. In Nextcloud config.php i have added:

  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
  ),

I hope this can help you!

[segobytes]

Hi @filmo , I have the same issue: I only get the gateway IP address while using Synology’s nginx. I’m wondering if I should set NPM in a docker instead. Did you find a solution ?

[walterzilla]

Hi @filmo , I have the same issue: I only get the gateway IP address while using Synology’s nginx. I’m wondering if I should set NPM in a docker instead. Did you find a solution ?

Did you try setting ­trusted_proxies in Nextcloud config.php also?

[segobytes]

I don't use nextcloud, I use a synology, but I did set the trusted proxies, and no change. Basically without any additional settings, all the clients connecting from outside show up with the nginx reverse proxy host internal ip (192.168.0.9) and if I fill the trusted proxies with;

• either just 192.168.0.9: the external clients show up as 192.168.0.1 (my gateway)
• or 192.168.0.9 and 192.168.0.1: the external clients show up as 192.168.0.1 (my gateway)
  At that stage I gave up trying to make my current config work (synology integrated reverse proxy feature), and I'd rather implement a solution known to work, hence my question about setting up NPM in a separate docker: would that work or would I end up in the samle situation ....

[walterzilla]

I don't use nextcloud

Sorry dude yesterday was seeking hard for a solution for Nextcloud and well I got distracted so to speak......

[Yusseiin]

Someone has been able to fix this?
Nothing in the "Custom Nginx Configuration" seems to working, always getting back the Docker IP

I am on Ubuntu Server

[alemstrom]

probably the most useless post here

[segobytes]

Yes, the problem was at my router settings level; I had forgotten that I had set up the following:
iptables -t nat -A POSTROUTING -j MASQUERADE
...and this is what was creating the issue: MASQUERADE rewrites the source IP of outgoing packets to the router’s own WAN IP.
and this is why my Synology reverse proxy only saw the router’s IP instead of the real client IP.
so I had to remove that rule with:
iptables -t nat -D POSTROUTING -j MASQUERADE # Remove existing rule
then I added the following rules

Allow LAN traffic without NAT (Keep original source IP)

iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.0/16 -j RETURN

Keep real client IPs for HTTPS traffic

iptables -t nat -A POSTROUTING -p tcp -d <synology_ip> --dport 443 -j RETURN

Masquerade everything else (for outbound internet traffic)

iptables -t nat -A POSTROUTING -j MASQUERADE
and now I it works as intended: the reverse proxy can see if it is a an external ip and so I can define different behaviours depensing on internal or external client.

[pietabrow]

Fixed it with this:
Open your Nginx Proxy Manager web portal
Go to Hosts > Proxy Hosts > Edit > Advanced > Custom Nginx Configuration
add the following:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
Click the Save button

Now login to your Nextcloud server commandline via SSH
Edit your Nextcloud config.php file, like this:
sudo nano /var/www/nextcloud/config/config.php
(maybe your path is slightly different)
add the following:
'trusted_proxies' => ['192.168.1.150'],
'forwarded_for_headers' => ['HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'],
(make sure you change 192.168.1.150 to the correct IP address from your Nginx Proxy Manager)
Save and exit (ctrl+x, Y, enter)
Now the correct IP addresses should be presented to your Nextcloud server.

[DerGeraet69]

I found a solution for me with NPM and Nextcloud.
Setting it in the Web-Gui isn't supported!!

Reverse Proxy says "Nextcloud uses the de-facto standard header ‘X-Forwarded-For’ by default", so setting the 'forwarded_for_headers' isn't needed.

Under ...data/nginx/proxy_host NPM stores the configuration for the Hosts you configure in the webinterface and i noticed following in the ___location section in my "13.conf" for Nextcloud (for you it might be a different number).

___location / {

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    # Proxy!
    include conf.d/include/proxy.conf;
  }

There is already a include for a folder conf.d and a proxy.conf, which isn't created yet!
I added "...data/nginx/proxy_host/conf.d/proxy.conf" with following content:

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Since all standard conf for the proxy hosts are similar this should work for every other hosts, but i haven't confirmed yet.

Then i just had to add the trusted_proxies to the ".../www/nextcloud/config/config.php".
Maybe a restart of the Proxy is needed, but after that i got the real IP in the nextcloud.log for failed logins.

I wanted to add Fail2Ban to nextcloud but i noticed that it already as a own "Brute-Force" module, which limits attempts for an IP.

Setting the network_mode to host in the docker-compose.yaml wasn't needed for me.

[fvultee]

I've tried this exactly solution and restarted NPM, made the folder, made the proxy.conf file, etc, I can see it's called during NPM reboot in the logs, still nothing. There isn't a place in Bitwarden (where I'm currently trying to get the real IP) to specify trusted proxies, only trusted IPs, which I've done. Still grabs the Container IP.

…

On Tue, Jul 22, 2025 at 5:02 PM DerGeraet69 ***@***.***> wrote: I found a solution for me with NPM and Nextcloud. Reverse Proxy <https://docs.nextcloud.com/server/31/admin_manual/configuration_server/reverse_proxy_configuration.html> says "Nextcloud uses the de-facto standard header ‘X-Forwarded-For’ by default", so setting the 'forwarded_for_headers' isn't needed. Under ...data/nginx/proxy_host NPM stores the configuration for the Hosts you configure in the webinterface and i noticed following in the ___location section in my "13.conf" for Nextcloud (for you it might be a different number). ___location / { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; # Proxy! include conf.d/include/proxy.conf; } There is already a include for a folder conf.d and a proxy.conf, which isn't created yet! I added "...data/nginx/proxy_host/conf.d/proxy.conf" with following content: proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; Since all standard conf for the proxy hosts are similar this should work for every other hosts, but i haven't confirmed yet. Then i just had to add the trusted_proxies to the ".../www/nextcloud/config/config.php". Maybe a restart of the Proxy is needed, but after that i got the real IP in the nextcloud.log for failed logins. I wanted to add Fail2Ban to nextcloud but i noticed that it already as a own "Brute-Force" module, which limits attempts for an IP. Setting the network_mode to host in the docker-compose.yaml wasn't needed for me. — Reply to this email directly, view it on GitHub <#3215 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AF7DQAKZRXJPTSG53JQOBOL3J2RHXAVCNFSM6AAAAAA5G26J52VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTGOBVGUYDOMA> . You are receiving this because you are subscribed to this thread.Message ID: <NginxProxyManager/nginx-proxy-manager/repo-discussions/3215/comments/13855070 @github.com>

[DerGeraet69]

I can only guess why it works for me., even long before i made the changes for Nextcloud. I'm using Vaultwarden and in the admin panel i noticed under advanced settings -> Client IP Header -> "X-Real-IP". Tried to verify this by removing the inlude from the proxy-host config and got a error "KDF config is required" which doesn't seem to be related. Maybe somone can explain. After changing back it worked again.

[fvultee]

It randomly started to work for me, so strange. I blew away my containers and started again. Now I get the real IP in Bitwarden from Nginix Proxy Manager and I can ban that IP via fail2ban. Now I'm trying to get fail2ban emails working, which hasn't been as easy as it should be! always somethin!

[fvultee]

Well, gave up on emails working, but I got block / unblock notifications to push to discord so that's great! All is finally working.