I’ve ended up making a change on internal nginx level, here is my config (be sure to forward real IP on the external nginx proxy via X_Forwarded_For header, and/or change the internal config to use the right header for your config.
server {
# NOTE That the 'default_server' option is only necessary if this is your primary domain application.
# If you run multiple subdomains from the same host already, remove the 'default_server' option.
listen 80 default_server;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
client_max_body_size 20M;
# Here, enter the path to your invoiceninja directory, in the public dir. VERY IMPORTANT
# DO NOT point the root directly at your invoiceninja directory, it MUST point at the public folder
# This is for security reasons.
root /usr/share/nginx/invoiceninja/public;
gzip on;
gzip_types application/javascript application/x-javascript text/javascript text/plain application/xml application/json;
gzip_proxied no-cache no-store private expired auth;
gzip_min_length 1000;
index index.php index.html index.htm;
# Enter the path to your existing ssl certificate file, and certificate private key file
# If you don’t have one yet, you can configure one with openssl in the next step.
ssl_certificate "/etc/nginx/cert/ninja.crt";
ssl_certificate_key "/etc/nginx/cert/ninja.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Directives for setting real_ip/XFF IP address in log files
set_real_ip_from 10.10.0.0/24; #IP address of master LB
real_ip_header X-Forwarded-For;
charset utf-8;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
if (!-e $request_filename) {
rewrite ^(.+)$ /index.php?q= last;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Here we pass php requests to the php7.4-fpm listen socket.
# PHP errors are often because this value is not correct.
# Verify your php7.4-fpm.sock socket file exists at the below directory
# and that the php7.4-fpm service is running.
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
}
location ~ /\.ht {
deny all;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log /var/log/nginx/ininja.access.log;
error_log /var/log/nginx/ininja.error.log;
sendfile off;
}