Real IP after Firewall Forward and Reverse Proxy

Here is my installation:
[ISP BOX as router]
[OWRT BOX as security box] forwarding 80 and 443 to internal server (NGINX)
[NGINX Server] used as transparent reverse proxy to internal subdomains servers (apache2...)
[APACHE2 NextCloud]

My NextCloud logs only internal (OWRT or NGINX) IPs.

All works fine, except that my nginx proxy and/or my ISP box IP are logged in apache2.

Any advice will be welcome.

root@LPM:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option conntrack '1'
	option network 'wan wan6'
	option input 'REJECT'
	option forward 'REJECT'


...

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'HTTPS'
	option src_dport '443'
	option target 'DNAT'
	option dest 'lan'
	list proto 'tcp'
	option dest_ip 'NGINX IP (replaced)'
	option src_dip 'external IP (replaced)'
	option reflection_src 'external'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'HTTP'
	option src_dport '80'
	option target 'DNAT'
	option dest 'lan'
	list proto 'tcp'
	option dest_ip 'NGINX IP (replaced)'
	option src_dip 'external IP (replaced)'
	option reflection_src 'external'
If it all works fine, then it's unclear if you have a problem or not. Could you elaborate?

2 Likes

Yes, I need and want to get the real IP from Internet clients.

This page may contain some useful information for DNAT configuration in OpenWRT: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_nat

In addition, if your nginx proxy IP address is appearing in your apache2 logs, it might be worth double-checking your nginx configuration to ensure that it's as transparent as you want it to be.

Options:

  • Rebind the domain to its private IP on the local DNS server for LAN and VPN clients.
  • Place the server in a different network, so DNAT should work without SNAT reflection.
3 Likes
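The "transparent" part of the reply above is usually about headers rather than the firewall: a DNAT on the OpenWrt box preserves the source address, so nginx sees the real client, but apache2 only ever sees nginx as its TCP peer. Apache (mod_remoteip) or Nextcloud (`trusted_proxies` in config.php) can recover the client address from `X-Forwarded-For`, provided nginx sends it and the backend only believes the header when the connection comes from a listed proxy. The following Python is an added illustration, not code from the thread or from nginx/apache; it models that trusted-proxy walk on constructed addresses (192.168.1.10 for nginx, 192.168.1.1 for the OpenWrt box, 203.0.113.7 as an Internet client) and shows both the symptom described in the thread (empty header, proxy IP logged) and why a spoofed header from the client does not win.

```python
import ipaddress

# Constructed addresses standing in for the topology in the thread.
NGINX_IP = "192.168.1.10"  # reverse proxy: the TCP peer that apache2 sees
OWRT_IP = "192.168.1.1"    # OpenWrt box: DNAT only, adds no header itself
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (NGINX_IP + "/32", OWRT_IP + "/32")]


def parse_ip(text):
    """Return an ip_address object, or None if the text is not one IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted_proxy(text):
    ip = parse_ip(text)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header=""):
    """Resolve the originating client the way a proxy-aware backend does
    (the logic mod_remoteip applies with RemoteIPInternalProxy, or Nextcloud
    with trusted_proxies): start from the TCP peer and step leftwards through
    X-Forwarded-For only while the current address is a trusted proxy.
    Returns (ip_string, header_was_used)."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    candidate = remote_addr
    used_header = False
    while hops and is_trusted_proxy(candidate):
        # The rightmost remaining entry is the one `candidate` appended.
        candidate = hops.pop()
        used_header = True
    resolved = parse_ip(candidate)
    if resolved is None:
        # Malformed or injected text: never write it to the log as an address.
        return remote_addr, False
    return str(resolved), used_header


def combined_log_line(remote_addr, xff_header, request_line, status=200):
    """Apache combined-style access line using the resolved client address
    (timestamp is a constructed placeholder)."""
    ip, _ = client_ip(remote_addr, xff_header)
    return f'{ip} - - [constructed-timestamp] "{request_line}" {status} -'


if __name__ == "__main__":
    req = "GET /status.php HTTP/1.1"
    # 1. nginx not forwarding the header: apache logs the proxy, as in the thread.
    print(combined_log_line(NGINX_IP, "", req))
    # 2. nginx sends X-Forwarded-For: the Internet client is logged.
    print(combined_log_line(NGINX_IP, "203.0.113.7", req))
    # 3. client tried to spoof a LAN address; nginx appended the real one.
    print(combined_log_line(NGINX_IP, "10.9.9.9, 203.0.113.7", req))
    # 4. direct hit from an untrusted peer: its header is ignored entirely.
    print(combined_log_line("203.0.113.7", NGINX_IP, req))
```

Cases 3 and 4 are the reason the trusted list matters: without it, any client could put an arbitrary address in the header and have it land in the access log or in Nextcloud's brute-force protection records.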

Thanks, will try to set my DMZ zone as proposed.

1 Like