How do I get the real IP address of the connected node in my Radix logs when using an nginx reverse proxy?

If you have an Nginx reverse proxy in front of your Radix node then the Radix log file will show connections from 127.0.0.1 instead of the real IP address of the node you are connected to.

For example:

Auth handshake failed on {-> ?@127.0.0.1:57872 | AUTH_HANDSHAKE}: Handshake decryption failed (Invalid MAC)

After enabling the Proxy Protocol you will see the real IP address logged:

Auth handshake failed on {-> ?@164.132.201.13:51752 | AUTH_HANDSHAKE}: Handshake decryption failed (Invalid MAC)

1. Enable the Proxy Protocol in your Radix configuration

Add the following line to the default.config files:

network.p2p.use_proxy_protocol=true

2. Enable the Proxy Protocol in your Nginx configuration

Edit the nginx.conf file (usually found in /etc/nginx) and change the server block near the top of the file from:

  server {
    listen 30000;
    proxy_pass 127.0.0.1:30001;
  }

to

  server {
    listen 30000 proxy_protocol;
    proxy_protocol on;
    proxy_pass 127.0.0.1:30001;
  }

Note: You may have different port numbers/IP addresses in your configuration. Don’t change these details - just append the proxy_protocol directive to the listen line and add the new proxy_protocol on; line.

After making these changes, ensure your nginx configuration file is valid by running:

sudo nginx -t

# nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
# nginx: configuration file /etc/nginx/nginx.conf test is successful

3. Apply the Changes

You need to apply the changes at about the same time, otherwise Radix will throw lots of exceptions.

sudo systemctl reload nginx
sudo systemctl restart radixdlt-node

1 Like

Not sure if this has just changed since the original post, but I only had to edit the file as below

1. Run this command to edit the file if running systemd

# In the latest version of NGINX it is in this file (which is included into nginx.conf)
sudo nano /etc/nginx/conf.d/coretcpserver.conf

# In older versions it was here
sudo nano /etc/nginx/nginx.conf

2. Edit the file

  server {
    listen 30000;
    proxy_protocol on;
    proxy_pass 127.0.0.1:30001;
  }

3. And to apply the changes I ran

sudo systemctl restart nginx

And to check all was working as expected, I ran the Get Peers API and checked to see that records in the response had an “IN” value

2 Likes

Thanks for the feedback. It’s been a while since I looked at this.

Did you also have to set the network.p2p.use_proxy_protocol=true in the default.config?

1 Like

Yes, I had to change that and also ensure the listen port and API port are set correctly

network.p2p.use_proxy_protocol=true
network.p2p.listen_port=30001
api.port=3334

1 Like

On this ‘listen 30000’ setting, should it be version A or B below?

A.

  server {
    listen 30000 proxy_protocol;
    proxy_protocol on;
    proxy_pass 127.0.0.1:30001;
  }

or B.

  server {
    listen 30000;
    proxy_protocol on;
    proxy_pass 127.0.0.1:30001;
  }

or does it matter?
Reason I ask is I suspect when I use A) the Stakesafe dashboard reports ‘Not Accepting Connections’.
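
An added example, not from any post in this thread and not Radix or nginx code: a minimal Python receiver for the PROXY protocol v1 line that nginx's `proxy_protocol on;` prepends on the connection to the backend. It shows that a receiver expecting the header (which is what `listen 30000 proxy_protocol;` asks of nginx for incoming connections) rejects a client that does not send one, and that the header should only be believed when the TCP peer is the local proxy. The destination address 192.0.2.10, the payload bytes and the function names are constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 header line the spec allows, CRLF included


def parse_proxy_v1(data: bytes):
    """Return ((src_ip, src_port) or None for UNKNOWN, payload); ValueError if bad."""
    if not data.startswith(b"PROXY "):
        raise ValueError("connection did not start with a PROXY header")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("PROXY header unterminated or too long")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    version = 4 if fields[1] == "TCP4" else 6
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match protocol field")
    if not all(f.isdigit() for f in fields[4:6]):
        raise ValueError("ports must be decimal digits")
    src_port, dst_port = int(fields[4]), int(fields[5])
    if src_port > 65535 or dst_port > 65535:
        raise ValueError("port out of range")
    return (str(src), src_port), payload


def client_address(tcp_peer_ip: str, data: bytes, trusted_proxies=("127.0.0.1",)):
    """Address to log: honour the header only when the TCP peer is the proxy."""
    if tcp_peer_ip not in trusted_proxies:
        return tcp_peer_ip  # a header from an untrusted peer could be forged
    addr, _ = parse_proxy_v1(data)
    return addr[0] if addr else tcp_peer_ip


# Constructed samples: bytes the backend receives via nginx, and a bare peer.
VIA_NGINX = b"PROXY TCP4 164.132.201.13 192.0.2.10 51752 30000\r\n\x01handshake"
DIRECT_PEER = b"\x01handshake"

if __name__ == "__main__":
    print(client_address("127.0.0.1", VIA_NGINX))
    try:
        parse_proxy_v1(DIRECT_PEER)
    except ValueError as exc:
        print("rejected:", exc)
```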