Question: Getting the Real Client IP in a Dual Nginx Configuration on AWS EC2

Fixing Real Client IP Issues in Dual Nginx (Host + Docker) Setup

Hey Joe, let's walk through why you're not seeing the real client IP in your setup and how to fix it step by step. The core issue is that your Docker Nginx is only seeing the IP of your host Nginx (or Docker bridge gateway) instead of the actual client—we need to make sure the real IP gets passed through both layers correctly.

Step 1: Configure Host Nginx to Forward Real IPs

Since your host Nginx is the first point of contact with clients, it already has the real client IP in $remote_addr. You need to explicitly pass this to your Docker Nginx via request headers. Update your host Nginx's proxy location block (the one pointing to your Docker Nginx container) with these lines:

location / {
    proxy_pass http://<your-docker-nginx-ip>:<port>; # Replace with your container's IP/port
    # Critical headers to pass real client info
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme; # For HTTPS to HTTP proxying
}

This ensures the Docker Nginx receives the real client IP in the X-Real-IP and X-Forwarded-For headers.

Step 2: Configure Docker Nginx to Trust Host Nginx and Use Real IPs

Your Docker Nginx currently sees the host Nginx (or Docker bridge) as the "client," so you need to tell it to trust that source and pull the real IP from the headers we just set. Since you mentioned your host Nginx has http_realip_module, your Docker Nginx likely has it too (most standard images include it).

Add these lines to your Docker Nginx's http block or specific server block:

# Trust the host Nginx/Docker bridge IPs (adjust these to match your network)
set_real_ip_from 172.17.0.1; # Typical Docker bridge gateway IP
set_real_ip_from <your-ec2-internal-ip>; # Your EC2 instance's private IP
set_real_ip_from 127.0.0.1;

# Tell Nginx to use the X-Real-IP header for the real client IP
real_ip_header X-Real-IP;

# Optional: If you have multiple proxy layers, enable recursive lookup
# real_ip_recursive on;

Now your Docker Nginx will replace its $remote_addr variable with the real client IP from the header, instead of the host's IP.

Step 3: Update Django to Recognize Proxied Requests

Finally, Django needs to know it's behind a trusted proxy to use the forwarded IPs. Update your settings.py:

# Trust the proxy headers
USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

# Note: TRUSTED_PROXIES is not a built-in Django setting; it has an effect only if
# your own middleware or a third-party package reads it
TRUSTED_PROXIES = [
    '172.17.0.1',
    '<your-ec2-internal-ip>',
    '10.0.0.0/8' # Add your VPC CIDR if needed
]

This ensures Django's request.META['REMOTE_ADDR'] returns the real client IP instead of the Docker Nginx's IP.

Troubleshooting Checks

If you're still not seeing the real IP:

  • Check your host Nginx logs (ensure $remote_addr shows real client IPs)
  • Check Docker Nginx logs (update your log format to include $remote_addr and verify it's now the real client IP)
  • Print request.META in Django to inspect X-Real-IP, X-Forwarded-For, and REMOTE_ADDR values
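
An added example, not part of the original answer: a standalone resolver for the application layer that applies the same trust rule as set_real_ip_from, honouring the forwarded headers only when the direct peer is a trusted proxy. The function names and sample addresses are assumptions; the trusted list mirrors Step 2 and Step 3, with 10.0.1.25 as a constructed stand-in for <your-ec2-internal-ip>.

```python
import ipaddress

# Trusted proxy hops (assumption: 10.0.1.25 stands in for <your-ec2-internal-ip>).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in
                   ("172.17.0.1/32", "127.0.0.1/32", "10.0.1.25/32")]


def is_trusted(addr):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(meta):
    """Resolve the client IP from a Django-style request.META dict.

    Forwarding headers are honoured only when the direct peer (REMOTE_ADDR)
    is a trusted proxy. The X-Forwarded-For chain is then walked right to
    left and the first untrusted hop is returned, the same rule nginx
    applies with real_ip_recursive on.
    """
    peer = meta.get("REMOTE_ADDR", "")
    if not is_trusted(peer):
        return peer  # direct connection: the headers are client-controlled
    xff = meta.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed chain: fall back to the socket peer
        if not is_trusted(hop):
            return hop
    # No usable X-Forwarded-For: fall back to X-Real-IP set by the host Nginx.
    real_ip = meta.get("HTTP_X_REAL_IP", "").strip()
    try:
        ipaddress.ip_address(real_ip)
        return real_ip
    except ValueError:
        return peer
```

Entries to the left of the first untrusted hop are ignored, so a forged value that a client prepends to X-Forwarded-For never becomes the resolved address.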

The question in this content comes from Stack Exchange; asked by joe.