From 4ca8bcc165296f805f6dc8ed5d445c7828199951 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Wed, 19 Feb 2025 22:51:54 +0100
Subject: [PATCH] Fix real IP in proxy config

---
 roles/docker/defaults/main.yml | 3 +++
 roles/docker/tasks/services.yml | 4 ++++
 .../docker/templates/fedi_dk_nodebb/config.json.j2 | 3 +--
 .../templates/fedi_dk_nodebb/nginx/http.conf.j2 | 13 +++++++++----
 4 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index 9d0a7c2..7795f37 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -3,6 +3,9 @@
 volume_root_folder: "/docker-volumes"
 volume_website_folder: "{{ volume_root_folder }}/websites"
 
+external_services_network_ipv4_subnet: '172.28.0.0/16'
+external_services_network_ipv6_subnet: 'fd02::/64'
+
 services:
   ### Internal services ###
   postfix:
diff --git a/roles/docker/tasks/services.yml b/roles/docker/tasks/services.yml
index 2c7276f..515471f 100644
--- a/roles/docker/tasks/services.yml
+++ b/roles/docker/tasks/services.yml
@@ -3,6 +3,10 @@
 - name: Set up external services network
   docker_network:
     name: external_services
+    enable_ipv6: true
+    ipam_config:
+      - subnet: "{{ external_services_network_ipv4_subnet }}"
+      - subnet: "{{ external_services_network_ipv6_subnet }}"
 
 - name: Deploy all services
   include_tasks:
diff --git a/roles/docker/templates/fedi_dk_nodebb/config.json.j2 b/roles/docker/templates/fedi_dk_nodebb/config.json.j2
index e7e833f..f49119f 100644
--- a/roles/docker/templates/fedi_dk_nodebb/config.json.j2
+++ b/roles/docker/templates/fedi_dk_nodebb/config.json.j2
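Review bot: The two new defaults in roles/docker/defaults/main.yml use single-quoted scalars while the neighbouring keys in the same hunk use double quotes (`volume_root_folder: "/docker-volumes"`); keeping one quoting style per file makes the role easier to lint and read, e.g. `external_services_network_ipv4_subnet: "172.28.0.0/16"`. Quoting the CIDRs at all is right either way, since these are strings that must never be retyped by tooling.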
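Review bot: Pinning `172.28.0.0/16` through `ipam_config` in roles/docker/tasks/services.yml places the network inside Docker's default address pool (172.17.0.0/12 handed out as /16s), so on a host where another network was already auto-assigned that range the task fails with a pool-overlap error instead of picking a free subnet; a comment above the task such as `# subnet is fixed so the nginx template can trust it via set_real_ip_from; must not collide with other networks on the host` would record why the value is hard-coded. Changing the IPAM settings of a network that already exists also appears to require the module to recreate it, which would disconnect every container attached to `external_services` — worth confirming on a host that already has the network before rolling this out. The rest of the task list continues outside the hunk.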
@@ -4,8 +4,7 @@ "database": "mongo", "port": [{% for port in range(services.fedi_dk_nodebb.nodebb_port_begin, services.fedi_dk_nodebb.nodebb_port_begin + services.fedi_dk_nodebb.nodebb_processes) - %}{{ port }}{% if not loop.last %}, {% endif %}{% endfor %}] - ["4567", "4568", "4569", "4570"], + %}"{{ port }}"{% if not loop.last %}, {% endif %}{% endfor %}], "mongo": { "host": "mongodb", "port": "27017", diff --git a/roles/docker/templates/fedi_dk_nodebb/nginx/http.conf.j2 b/roles/docker/templates/fedi_dk_nodebb/nginx/http.conf.j2 index c927e6f..c7d1cdd 100644 --- a/roles/docker/templates/fedi_dk_nodebb/nginx/http.conf.j2 +++ b/roles/docker/templates/fedi_dk_nodebb/nginx/http.conf.j2 @@ -1,16 +1,21 @@ resolver 127.0.0.11 valid=30s ipv6=off; +set_real_ip_from {{ external_services_network_ipv4_subnet }}; +set_real_ip_from {{ external_services_network_ipv6_subnet }}; +real_ip_header X-Forwarded-For; +real_ip_recursive on; + map $http_upgrade $connection_upgrade { default upgrade; '' close; } upstream workers { - hash $http_x_real_ip; - {% for port in range(services.fedi_dk_nodebb.nodebb_port_begin, - services.fedi_dk_nodebb.nodebb_port_begin + services.fedi_dk_nodebb.nodebb_processes) %} + ip_hash; +{% for port in range(services.fedi_dk_nodebb.nodebb_port_begin, + services.fedi_dk_nodebb.nodebb_port_begin + services.fedi_dk_nodebb.nodebb_processes) %} server app.nodebb:{{ port }}; - {% endfor %} +{% endfor %} } server {
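Review bot: The two `set_real_ip_from` lines in http.conf.j2 trust both whole subnets, i.e. every container attached to `external_services`, not only the front proxy, so any container on that network can set `X-Forwarded-For` and thereby the `$remote_addr` that everything below in this config (including the `ip_hash` upstream) sees. If one reverse proxy is the only legitimate source, narrowing the two directives to its address or a dedicated proxy network keeps the trust boundary explicit; at minimum add `# every member of external_services is trusted to rewrite the client address` above them. Note also that `ip_hash` keys on the first three octets of an IPv4 client address (the full address for IPv6), so the switch from `hash $http_x_real_ip` changes how clients map to workers, and when the header is absent all requests carry the proxy address and land on a single worker. The `server {` block at the end of the hunk continues outside it.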