I’m installing an invoice ninja on ubuntu for personal use.
Everything went well, but I’m running it behind two nginx proxies, one which handles SSL and all of my other subdomains and the second on the invoice ninja install itself.
Issue is that all of the IPs which show up on the logs are private IPs of my public nginx server.
I’ve added it to TRUSTED_PROXIES env viable and made sure to pass the client’s IP via x-forwarded headers, but that didn’t make a difference.
Searching the gibhub, I see that this environmental variable is used within /app/Http/Middleware/StartupCheck.php, but the file I’ve gotten from the latest release v5.3.55 looks completely different, lacking any TRUSTED_PROXES support.
Am I looking at the wrong github? Are self hosted releases built from a different branch?
Most importantly, was anyone successful in getting TRUSTED_PROXIES to work, I’ve tried exact ip, subdomain and wildcard. None seem to work.
I’ve ended up making a change on internal nginx level, here is my config (be sure to forward real IP on the external nginx proxy via X_Forwarded_For header, and/or change the internal config to use the right header for your config.
server {
# NOTE That the 'default_server' option is only necessary if this is your primary domain application.
# If you run multiple subdomains from the same host already, remove the 'default_server' option.
listen 80 default_server;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
client_max_body_size 20M;
# Here, enter the path to your invoiceninja directory, in the public dir. VERY IMPORTANT
# DO NOT point the root directly at your invoiceninja directory, it MUST point at the public folder
# This is for security reasons.
root /usr/share/nginx/invoiceninja/public;
gzip on;
gzip_types application/javascript application/x-javascript text/javascript text/plain application/xml application/json;
gzip_proxied no-cache no-store private expired auth;
gzip_min_length 1000;
index index.php index.html index.htm;
# Enter the path to your existing ssl certificate file, and certificate private key file
# If you don’t have one yet, you can configure one with openssl in the next step.
ssl_certificate "/etc/nginx/cert/ninja.crt";
ssl_certificate_key "/etc/nginx/cert/ninja.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Directives for setting real_ip/XFF IP address in log files
set_real_ip_from 10.10.0.0/24; #IP address of master LB
real_ip_header X-Forwarded-For;
charset utf-8;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
if (!-e $request_filename) {
rewrite ^(.+)$ /index.php?q= last;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Here we pass php requests to the php7.4-fpm listen socket.
# PHP errors are often because this value is not correct.
# Verify your php7.4-fpm.sock socket file exists at the below directory
# and that the php7.4-fpm service is running.
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
}
location ~ /\.ht {
deny all;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log /var/log/nginx/ininja.access.log;
error_log /var/log/nginx/ininja.error.log;
sendfile off;
}