I am using the Chevereto Docker image and run it behind a Traefik reverse proxy. Traefik is properly sending the user's real IP address along to the Chevereto container. However, in the MariaDB table chv_requests, only internal Docker subnet IP addresses are logged.
This leads to problems regarding flood protection and IP bans. If such things occur, the IP address of the reverse proxy is banned and the whole Chevereto site is down.
I assume that the internal web server of the Chevereto container (Apache?) is missing the relevant mod_remoteip settings. Therefore, it does not trust the reverse proxy and will not take the defined real IP address of a website user in X-Forwarded-For.
version: "3.7"
services:
  chevereto:
    image: ghcr.io/chevereto/chevereto:latest
    container_name: chevereto
    init: true
    restart: unless-stopped
    volumes:
      - chevereto:/var/www/html/images
    expose:
      - 80
    environment:
      CHEVERETO_DB_HOST: mariadb
      CHEVERETO_DB_USER: chevereto
      CHEVERETO_DB_PASS: chevereto
      CHEVERETO_DB_PORT: 3306
      CHEVERETO_DB_NAME: chevereto
      CHEVERETO_ASSET_STORAGE_TYPE: local
      CHEVERETO_ASSET_STORAGE_URL: /images/_assets
      CHEVERETO_ASSET_STORAGE_BUCKET: /var/www/html/images/_assets
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.chevereto.rule=Host(`chevereto.example.com`)
      - traefik.http.services.chevereto.loadbalancer.server.port=80
      - traefik.docker.network=proxy
  mariadb:
    image: mariadb
    container_name: chevereto_mariadb
    restart: always
    init: true
    environment:
      MYSQL_DATABASE: chevereto
      MYSQL_USER: chevereto
      MYSQL_PASSWORD: chevereto
      MARIADB_ROOT_PASSWORD: chevereto
    volumes:
      - chevereto_mariadb:/var/lib/mysql
    networks:
      - proxy
volumes:
  chevereto: {}
  chevereto_mariadb: {}
networks:
  proxy:
    external: true
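
An added example, not part of the original post and not Chevereto's or Apache's code: a sketch of the trust decision the post describes, where X-Forwarded-For is honoured only when the connection arrives from a known proxy and its hops are evaluated right to left. The subnet 172.18.0.0/16, the function names and the sample addresses are assumptions; substitute the real subnet of the proxy network.

```python
from ipaddress import ip_address, ip_network

# Assumption: subnet of the Docker "proxy" network that Traefik connects from.
TRUSTED_PROXIES = [ip_network("172.18.0.0/16")]


def is_trusted(addr):
    """True if addr belongs to a proxy we operate ourselves."""
    ip = ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address that should be logged, rate-limited and banned.

    peer_addr  -- source address of the TCP connection (the proxy, when proxied)
    xff_header -- raw X-Forwarded-For value, or None when the header is absent
    """
    # Untrusted peer: ignore the header, otherwise any client could pick
    # the address that ends up in the request log.
    if not is_trusted(peer_addr) or not xff_header:
        return peer_addr
    candidate = peer_addr
    # Walk right to left: the rightmost entry was appended by our own proxy,
    # entries further left are progressively less trustworthy.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = hop
        if not is_trusted(hop):
            break  # first hop outside our proxies is the real client
    return candidate


# Constructed sample requests: (peer address, X-Forwarded-For header).
SAMPLES = [
    ("172.18.0.2", "203.0.113.7"),                 # normal proxied request
    ("172.18.0.2", "198.51.100.99, 203.0.113.7"),  # client-supplied left entry
    ("203.0.113.7", "10.0.0.1"),                   # direct hit, header ignored
    ("172.18.0.2", None),                          # header missing
]


def demo():
    return [client_ip(peer, xff) for peer, xff in SAMPLES]
```

Without the trusted-proxy check, every sample above would be attributed to 172.18.0.2, so a single ban blocks all visitors; taking the leftmost header entry instead would let a client choose the address that gets banned.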