Passing Real IP in WordPress behind Proxy or in Docker

If you have followed the tutorial on How to run WordPress Blog behind Nginx Secure (https) Proxy, you may find that WordPress records every visitor's IP as the proxy's IP. With Docker this is typically an address like 172.X.X.X; otherwise it is the IP of your own server.

Is this a problem?

You might be wondering whether this is worth solving. It is: with every visitor sharing one address, most of the real comments were categorized as spam, and anything else that keys on the visitor's IP (login lockouts, rate limits, comment blacklists) either blocks everyone at once or nobody.

Adding Real-IP to WordPress

Step 1 – Editing WordPress config

In wp-config.php, add the following lines just above /* That's all, stop editing! Happy blogging. */. The important detail is to trust the header only when the request really came from your proxy: anyone who can reach WordPress sends whatever headers they like, so an unconditional rewrite of REMOTE_ADDR lets a client choose its own "IP" (and, for instance, dodge an IP-based lockout).

// Behind the proxy every request arrives from the proxy's address, so take the
// visitor's address from the X-Real-IP header that nginx sets (Step 2). Trust it
// only when the request actually came from the proxy: any other client could send
// the header itself and pick its own "IP". Replace the address below with your
// proxy's (the address WordPress currently records; for Docker, the nginx
// container's address on the compose network).
$trusted_proxies = array( '172.18.0.2' ); // assumption: your proxy's address
if ( in_array( $_SERVER['REMOTE_ADDR'], $trusted_proxies, true )
     && ! empty( $_SERVER['HTTP_X_REAL_IP'] ) ) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];
}
/* That's all, stop editing! Happy blogging. */

Step 2 – Editing Nginx

Inside your nginx proxy settings (the location that proxies to WordPress), simply add this:

proxy_set_header        X-Real-IP       $remote_addr;

nginx replaces any X-Real-IP header the client sent with the address it actually connected from, which is why wp-config.php can rely on it. Make sure WordPress is only reachable through nginx (no published container port or firewall rule that bypasses the proxy); otherwise a client can talk to WordPress directly and send the header itself.
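Which entry of a forwarding header to trust is the crux of this fix, and it gets subtler once more than one proxy sits in front of WordPress. The shell script below is an added example (not code from the original post) of the general rule: walk X-Forwarded-For from the right, skip the proxies you operate, and take the first address you do not control. It also shows the "first entry" rule for contrast, because that entry is whatever the client chose to send. The addresses in TRUSTED_PROXIES are assumptions, and the script assumes every proxy appends the address it saw, which is what nginx's $proxy_add_x_forwarded_for does.

```shell
#!/bin/sh
# Resolve the visitor's address from proxy headers, trusting only the hops we
# operate. Added example, not code from the original post. TRUSTED_PROXIES is an
# assumption: put your nginx proxy's address(es) there, i.e. the REMOTE_ADDR that
# WordPress sees for proxied requests.
TRUSTED_PROXIES="172.18.0.2 127.0.0.1"

# is_trusted ADDR: succeeds if ADDR is one of our proxies
is_trusted() {
  for p in $TRUSTED_PROXIES; do
    [ "$1" = "$p" ] && return 0
  done
  return 1
}

# naive_client_ip REMOTE_ADDR XFF: the "first entry of X-Forwarded-For" rule.
# Shown only for contrast: the first entry is whatever the client typed.
naive_client_ip() {
  [ -z "$2" ] && { echo "$1"; return; }
  echo "$2" | tr ',' '\n' | head -n 1 | tr -d ' '
}

# resolve_client_ip REMOTE_ADDR XFF: each trusted proxy appends the address it
# received the request from, so reading the list from the right and skipping our
# own proxies yields the first address actually observed on the wire. Anything
# further left was supplied by someone we do not control and is ignored.
resolve_client_ip() {
  remote="$1"; xff="$2"
  # Request did not come through our proxy (e.g. the container port is reachable
  # directly): the header proves nothing, use the socket address.
  is_trusted "$remote" || { echo "$remote"; return; }
  rev=""
  for hop in $(printf '%s' "$xff" | tr ',' ' '); do
    rev="$hop $rev"          # build the hop list in reverse order
  done
  for hop in $rev; do
    is_trusted "$hop" || { echo "$hop"; return; }
  done
  echo "$remote"             # every hop was ours: the proxy itself is the best answer
}

# Constructed inputs: a direct hit with a forged header, a proxied request, a
# proxied request where the client also forged a header, and a two-proxy chain.
resolve_client_ip 203.0.113.7 '10.0.0.1'                  # 203.0.113.7
resolve_client_ip 172.18.0.2  '10.0.0.1, 198.51.100.9'    # 198.51.100.9
naive_client_ip   172.18.0.2  '10.0.0.1, 198.51.100.9'    # 10.0.0.1 (forged)
resolve_client_ip 127.0.0.1   '198.51.100.9, 172.18.0.2'  # 198.51.100.9
```

With a single nginx hop in front of WordPress, the X-Real-IP check in wp-config.php above is equivalent and simpler; the right-to-left walk is what you need once a CDN or a second load balancer is added to the chain.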

In case of WordPress Behind Docker

If you are using Docker, you have to copy wp-config.php out of the container, edit it, and copy it back. This can be done as follows.

#Copy from docker container
docker cp project_wordpress_1:/var/www/html/wp-config.php .

#Copy to docker container
docker cp wp-config.php project_wordpress_1:/var/www/html/wp-config.php

Easy-peasy right?

Launch your VPN using Docker under a minute

You might think that running your own VPN is hard to configure; we thought so too. You will be surprised to learn that, as long as your kernel has the af_key module, it takes under a minute.


af_key Module

You can check for it with the following command:

sudo modprobe af_key

If you see an error like this, the module is not available for the running kernel and you have to change your configuration:

modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.17.8-x86_64-linode110/modules.dep.bin'
modprobe: FATAL: Module af_key not found in directory /lib/modules/4.17.8-x86_64-linode110

You can try adding the following line to /etc/modules and rebooting the server, but it will not help if your kernel does not ship the module:

af_key

Run a $5/month Linode for your own VPN

If you are on Linode, switch the kernel in your configuration profile to GRUB 2, which boots the distribution's own kernel together with its modules (including af_key), as shown below.

docker-compose.yml for VPN

This is the content of docker-compose.yml. The image requires a privileged container because it configures IPsec in the host kernel; a privileged container has effectively root access to the host, so run it on a host dedicated to the VPN. Replace the three placeholder values before starting, and use a long random PSK rather than a word.


version: '3.2'
services:
  vpn:
    image: hwdsl2/ipsec-vpn-server
    restart: always
    hostname: localvpn
    privileged: true
    volumes:
        - "/etc/passwd:/etc/passwd:ro"
        - "/etc/group:/etc/group:ro"
        - "/lib/modules:/lib/modules:ro"
    ports:
        - "500:500/udp"
        - "4500:4500/udp"
    environment:
        - VPN_IPSEC_PSK=secret_code
        - VPN_USER=login_with_this_user
        - VPN_PASSWORD=login_with_this_password

Run VPN

docker-compose up -d

Now connect to your VPN with the credentials above; it should work without any issues.
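docker-compose.yml tends to end up in version control, and the compose file above carries the PSK and password inline (and secret_code is not a usable PSK). The script below is an added example, not part of the original post or of the hwdsl2 image: it generates a random PSK and password into a .env file that only its owner can read, and checks the file before compose consumes it. The file name, the user name vpnuser and the key lengths are assumptions.

```shell
#!/bin/sh
# Keep the VPN credentials out of docker-compose.yml: generate them into a .env
# file with owner-only permissions and let compose substitute them. Added
# example, not part of the original post or the hwdsl2 image; the file name,
# the user name and the key lengths are assumptions.

# random_hex NBYTES: NBYTES of kernel randomness as lower-case hex (2*NBYTES chars)
random_hex() {
  od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# write_vpn_env FILE: write a fresh 256-bit PSK and a 128-bit password
write_vpn_env() {
  (
    umask 077                    # subshell: the restrictive umask stays local
    {
      printf 'VPN_IPSEC_PSK=%s\n' "$(random_hex 32)"
      printf 'VPN_USER=%s\n' "vpnuser"
      printf 'VPN_PASSWORD=%s\n' "$(random_hex 16)"
    } > "$1"                     # created inside the subshell, so it is born 0600
  )
  chmod 600 "$1"                 # in case the file already existed with wider bits
}

# env_value FILE KEY: print the value of KEY= in FILE
env_value() {
  sed -n "s/^$2=//p" "$1"
}

# check_vpn_env FILE: fail unless the file is mode 0600 and both secrets are long
check_vpn_env() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ] || { echo "$1: mode $mode, expected 600" >&2; return 1; }
  psk=$(env_value "$1" VPN_IPSEC_PSK)
  [ "${#psk}" -ge 40 ] || { echo "$1: VPN_IPSEC_PSK too short" >&2; return 1; }
  pw=$(env_value "$1" VPN_PASSWORD)
  [ "${#pw}" -ge 20 ] || { echo "$1: VPN_PASSWORD too short" >&2; return 1; }
  return 0
}

# Usage: generate the file next to docker-compose.yml and refuse to start if it
# does not pass the check.
if [ "${1:-}" = "generate" ]; then
  write_vpn_env .env && check_vpn_env .env && echo "wrote .env"
fi
```

In docker-compose.yml, replace the three literal values with ${VPN_IPSEC_PSK}, ${VPN_USER} and ${VPN_PASSWORD} (compose reads a .env file in the project directory for substitution), or replace the environment: block with env_file: .env, and add .env to .gitignore. The check runs before every docker-compose up so a stray chmod or a copied-over file does not quietly widen the permissions.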


How to use docker to generate wildcard SSL certificates for your website?

Google Chrome has started warning for non-HTTPS websites, so it is more important than ever to get an SSL certificate for your website today.

With Docker the idea is simple: you mount a volume and share the certificates with the other containers. Many Docker images come with a built-in certificate generator, but that scales badly. You would have to track every subdomain, its certificate and the container that generated it, and with HTTP validation the load balancer is not necessarily routing the challenge request to the container that asked for the certificate. Issuing all certificates in one place, validated over DNS, avoids these problems.

Docker image

I am using adferrand/letsencrypt-dns for this. It restarts a Docker container automatically when a matching certificate has been renewed, and it supports 50+ DNS providers (through Lexicon), so I am sure yours is covered 😉. I am a fan of Linode; if you are serious about your business growth, give them a shot.
Docker Compose content:

cat docker-compose.yml

version: '3.2'
services:
  letsencrypt-dns:
    image: adferrand/letsencrypt-dns
    restart: always
    volumes:
        - "/etc/passwd:/etc/passwd:ro"
        - "/etc/group:/etc/group:ro"
        - "/var/run/docker.sock:/var/run/docker.sock"
        - "./letsencrypt:/etc/letsencrypt"
    environment:
        - CERTS_USER_OWNER=
        - CERTS_GROUP_OWNER=
        - CERTS_DIRS_MODE=0755
        - CERTS_FILES_MODE=0644
        - LETSENCRYPT_USER_MAIL=@.com
        - LEXICON_SLEEP_TIME=1500
        - LEXICON_PROVIDER=linode
        - LEXICON_LINODE_TOKEN=

Explaining the docker-compose.yml

We mount passwd and group read-only so that CERTS_USER_OWNER and CERTS_GROUP_OWNER can name a user and group of the host.

Mounting docker.sock lets the container restart the related containers or execute a command inside the targeted container. If you don't mount it, containers keep serving their old certificates even after renewal, so it is very important that you mount it. Be aware of what you are granting, though: access to the Docker socket is control of the Docker daemon, which is equivalent to root on the host, so a compromise of this container is a compromise of the host. Keep its image up to date and do not expose any ports from it. The same goes for the API token in LEXICON_LINODE_TOKEN: it can rewrite your DNS, so keep it out of version control.

Since DNS is handled by Linode's DNS manager, we set LEXICON_PROVIDER to linode and supply the token. LEXICON_SLEEP_TIME is 1500 seconds (25 minutes): after adding the validation TXT record the container waits that long before asking Let's Encrypt to verify it, so the record has time to propagate. Depending on how quickly your provider's nameservers pick up changes, a much lower value such as 500 seconds may work.

Example content of domains.conf


cat letsencrypt/domains.conf

webapplicationconsultant.com *.webapplicationconsultant.com autorestart-containers=nginx_nginx_1,nginx_nginx_2
varunbatra.com *.varunbatra.com autocmd-containers=varunbatra_static_1:service nginx reload

  1. The first line restarts the containers named nginx_nginx_1 and nginx_nginx_2 once the certificate for webapplicationconsultant.com (and its wildcard) has been renewed.
  2. The second line executes the command service nginx reload inside varunbatra_static_1 once the certificate for varunbatra.com has been renewed.

Generated SSL locations

  1. ./letsencrypt/live/varunbatra.com/fullchain.pem
  2. ./letsencrypt/live/webapplicationconsultant.com/fullchain.pem

Now you can use these certificates in NGINX, Apache or whatever you like 🙂. Whatever you do, don't forget to add a proper autorestart or autocmd entry for every container that uses them; otherwise that container keeps serving the old certificate after renewal and you only find out when it expires.
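A renewed certificate on disk is useless until the container serving it has been restarted or reloaded, so the check a practitioner wants is whether each host actually serves the certificate in ./letsencrypt. The script below is an added example, not part of the adferrand/letsencrypt-dns project: it parses domains.conf (domains are the tokens up to the first one containing "=", the hook is the rest of the line, which matters because an autocmd value such as "service nginx reload" contains spaces) and then compares the SHA-256 fingerprint of live/<first domain>/fullchain.pem with the certificate the host serves on port 443. It assumes the ./letsencrypt layout from the compose file above and an openssl binary on the host.

```shell
#!/bin/sh
# Verify that each container named in domains.conf serves the certificate that
# letsencrypt-dns wrote to disk, i.e. that the autorestart/autocmd hook fired.
# Added example, not part of adferrand/letsencrypt-dns. Assumes the layout above
# (./letsencrypt mounted at /etc/letsencrypt, certificates under live/<first
# domain>/) and that openssl is installed on the host.
LE_DIR="${LE_DIR:-./letsencrypt}"

# parse_line "LINE": prints "primary|all names|hook". Domains are every token up
# to the first one containing '='; the rest of the line is the hook verbatim.
parse_line() {
  set -f                               # never let the shell glob "*.example.com"
  primary=""; names=""; hook=""
  for tok in $1; do
    if [ -n "$hook" ]; then
      hook="$hook $tok"                # autocmd values contain spaces: keep them
    else
      case "$tok" in
        *=*) hook="$tok" ;;
        *)   names="${names:+$names }$tok"
             [ -n "$primary" ] || primary="$tok" ;;
      esac
    fi
  done
  set +f
  printf '%s|%s|%s\n' "$primary" "$names" "$hook"
}

# parse_conf FILE: parse_line for every non-blank, non-comment line
parse_conf() {
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | while IFS= read -r line; do
    parse_line "$line"
  done
}

# disk_fingerprint DOMAIN: SHA-256 fingerprint of the certificate on disk
disk_fingerprint() {
  openssl x509 -in "$LE_DIR/live/$1/fullchain.pem" -noout -fingerprint -sha256
}

# served_fingerprint HOST: SHA-256 fingerprint of what HOST serves on 443 for its SNI
served_fingerprint() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# check_served [FILE]: compare disk vs served for every entry; non-zero on any mismatch.
# Wildcard names are skipped (nothing to connect to); list concrete hosts to test them.
check_served() {
  set -f
  rc=0
  tmp=$(mktemp)
  parse_conf "${1:-$LE_DIR/domains.conf}" > "$tmp"    # no pipeline, so rc survives
  while IFS='|' read -r primary names hook; do
    if [ ! -f "$LE_DIR/live/$primary/fullchain.pem" ]; then
      echo "MISSING $LE_DIR/live/$primary/fullchain.pem"; rc=1; continue
    fi
    want=$(disk_fingerprint "$primary")
    for name in $names; do
      case "$name" in \*.*) continue ;; esac
      got=$(served_fingerprint "$name")
      if [ "$got" = "$want" ]; then
        echo "OK   $name"
      else
        echo "FAIL $name serves a different certificate than live/$primary (hook: ${hook:-none})"
        rc=1
      fi
    done
  done < "$tmp"
  rm -f "$tmp"
  set +f
  return $rc
}

# Usage: run after a renewal (or from cron) and alert on a non-zero exit.
[ "${1:-}" = "check" ] && check_served "${2:-}"
```

An entry without any hook still parses (the hook field is simply empty); check_served reports it as FAIL after the first renewal, which is exactly the situation the previous paragraph warns about.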