[GH-ISSUE #1762] Enable "network host mode" to get real client IP? #1311

Closed
opened 2026-02-26 07:30:23 +03:00 by kerem · 18 comments
Owner

Originally created by @fdzaebel on GitHub (Jan 14, 2022).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1762

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
My internal server does not get the real client IP. Via the "X-Forwarded-For" Header the internal server only gets the IP 172.19.0.1 which is the docker IP.

I tried to fix this problem by switching the docker network to "host" like explained in this solution: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/41#issuecomment-464364484

This did not fix the problem but in my eyes this is the only way to handle that problem as it is related to docker and not to NPM.

But I think that the current release of NPM ignores or overwrites this network host configuration of the yaml file.

I think so because when I do an inspect of the docker container the network settings always look the same, no matter if I try this fix or not:

```
docker inspect npm -f "{{json .NetworkSettings.Networks }}"

{"npm_default":{"IPAMConfig":null,"Links":null,"Aliases":["app","025644e778ea"],"NetworkID":"1bc066aa0ed60b9b9acdc8ac373d73edaf029719fa86f98dc54778cdd536fd3b","EndpointID":"9bba8fd2279715d6984d667a65121a8550d916448ef72a893bf2d425d4af8c78","Gateway":"172.19.0.1","IPAddress":"172.19.0.3","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:13:00:03","DriverOpts":null}}
```

Could please anybody explain how I can start the current NPM docker version with network in host mode or maybe this is a new bug?

Nginx Proxy Manager Version
2.9.14

Operating System
Debian 10
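The check described in the issue can be made conclusive by reading `HostConfig.NetworkMode` next to `NetworkSettings.Networks` and comparing the address the backend received with each network's gateway. The following is an added example, not code from the issue or from Nginx Proxy Manager; both inspect documents are constructed samples, and `diagnose` and its verdict names are hypothetical.

```python
import ipaddress
import json

# Constructed sample: a trimmed `docker inspect npm` document using the network
# values quoted in the issue. HostConfig.NetworkMode and PortBindings are real
# `docker inspect` fields; the values here are made up for the example.
BRIDGE_SAMPLE = json.dumps([{
    "HostConfig": {
        "NetworkMode": "npm_default",
        "PortBindings": {
            "80/tcp": [{"HostIp": "", "HostPort": "80"}],
            "443/tcp": [{"HostIp": "", "HostPort": "443"}],
        },
    },
    "NetworkSettings": {"Networks": {"npm_default": {
        "Gateway": "172.19.0.1", "IPAddress": "172.19.0.3", "IPPrefixLen": 16,
    }}},
}])

# Constructed sample: the same container after being recreated in host mode.
HOST_SAMPLE = json.dumps([{
    "HostConfig": {"NetworkMode": "host", "PortBindings": {}},
    "NetworkSettings": {"Networks": {"host": {
        "Gateway": "", "IPAddress": "", "IPPrefixLen": 0,
    }}},
}])


def diagnose(inspect_json, seen_ip):
    """Classify the address a backend received in X-Forwarded-For.

    verdict is one of:
      bridge-gateway  the address is the gateway of a network the proxy is
                      attached to, so the source was rewritten before the
                      proxy saw the connection
      container-peer  the address belongs to another endpoint on that network
      external        the address is outside the container's networks
    """
    container = json.loads(inspect_json)[0]
    host_cfg = container.get("HostConfig") or {}
    networks = (container.get("NetworkSettings") or {}).get("Networks") or {}
    seen = ipaddress.ip_address(seen_ip)

    # Published ports as "host_ip:host_port->container_port"; '*' = all interfaces.
    published = []
    for container_port, binds in sorted((host_cfg.get("PortBindings") or {}).items()):
        for bind in binds or []:
            published.append(
                f"{bind.get('HostIp') or '*'}:{bind.get('HostPort')}->{container_port}"
            )

    verdict, network = "external", None
    for name, net in networks.items():
        gateway, address = net.get("Gateway"), net.get("IPAddress")
        if gateway and ipaddress.ip_address(gateway) == seen:
            verdict, network = "bridge-gateway", name
            break
        if address:
            subnet = ipaddress.ip_network(
                f"{address}/{net.get('IPPrefixLen', 32)}", strict=False
            )
            if seen in subnet:
                verdict, network = "container-peer", name

    return {
        "network_mode": host_cfg.get("NetworkMode", ""),
        "host_mode": host_cfg.get("NetworkMode") == "host",
        "published": published,
        "verdict": verdict,
        "network": network,
    }


if __name__ == "__main__":
    print(diagnose(BRIDGE_SAMPLE, "172.19.0.1"))
    print(diagnose(HOST_SAMPLE, "203.0.113.7"))
```

On a live host the input would be the output of `docker inspect npm`; a `network_mode` other than `host` after editing the compose file means the running container was not created from the edited configuration.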

kerem 2026-02-26 07:30:23 +03:00
  • closed this issue
  • added the bug label

@fdzaebel commented on GitHub (Jan 14, 2022):

I now fixed this problem. Here is my yaml code, so I removed all port configs:

```
version: "3.2"
services:
  app:
    image: jc21/nginx-proxy-manager:latest
    container_name: npm
    restart: always
    network_mode: "host"
    # ...
```

I also have MariaDB running in docker. I had to change the yaml file for MariaDB also setting it to network mode "host" and then set the host-value for connecting to MariaDB to localhost (for me it was docker "db" before).

Now everything is working as expected.


@maxin-cn commented on GitHub (Dec 27, 2022):

@fdzaebel hi, I want to modify npm into host mode, and I have installed npm in your docker-compose.yaml file, but I cannot open the login interface of npm or log in to npm. Could you please tell me how to solve it? Thanks~

```
version: '3.2'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    network_mode: host
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
```

@AmIBeingObtuse commented on GitHub (May 14, 2023):

> @fdzaebel hi, I want to modify npm into host mode, and I have installed npm in your docker-compose.yaml file, but I cannot open the login interface of npm or log in to npm. Could you please tell me how to solve it? Thanks~
>
> ```
> version: '3.2'
> services:
>   app:
>     image: 'jc21/nginx-proxy-manager:latest'
>     restart: unless-stopped
>     network_mode: host
>     volumes:
>       - ./data:/data
>       - ./letsencrypt:/etc/letsencrypt
> ```

I am also facing this issue with npm not loading admin interface or allowing proxy host connections also in the pursuit of real ip.


@neocult-de commented on GitHub (Jul 26, 2023):

I read this thread like 5 times and tried to research how to do it properly without breaking too much.

The `network_mode: host` works for a correct "SourceIP"-Forwarding, but it breaks the principle of having other docker containers in an internal network, because host-mode and docker networks are mutually exclusive. That leads to the necessity of exposing the mysql-docker for NPM and any other service on the same host to be addressed differently and unnecessarily expose their ports to the host.

The iptable-rule solution to masquerade packages is harder to do, might depend on server and deployment and is harder to maintain.

What worked for me is letting the docker container bind directly to the host port, so it doesn't use the docker-proxy to be forwarded and thus changing the source IP. Adding 0.0.0.0 to the ports to bind on all Interfaces (Internal docker networks your NPM container is attached to AND the host port directly) --> Therefore directly getting the SourceIP on Port 80/443 (or another Stream Port if necessary), but keep the internal networking for database and other docker images fully functional.

To make that happen adopt the docker run command `-p 0.0.0.0:80:80 -p 0.0.0.0:443:443` (Adding 0.0.0.0 to the port forwarding for the npm-docker image)

For docker-compose

```
ports:
  - '0.0.0.0:80:80'
  - '0.0.0.0:443:443'
```

Worked for me on Port 80/443 to have the SourceIP

Edit: If you want IPv6 to work as well you have to extend the port configuration:

docker run

`-p 0.0.0.0:80:80 -p 0.0.0.0:443:443 -p [::0]:80:80 -p [::0]:443:443`

docker compose

```
ports:
  - '0.0.0.0:80:80' # Public HTTP Port IPv4
  - '0.0.0.0:443:443' # Public HTTPS Port IPv4
  - '[::0]:80:80' # Public HTTP Port IPv6
  - '[::0]:443:443' # Public HTTPS Port IPv6
```

@AmIBeingObtuse commented on GitHub (Jul 26, 2023):

I'm running docker desktop on Windows 10 pro and the only single issue I have is I cannot get the source IP, always the docker IP. Tried 0.0.0.0:80:80 and 0.0.0.0:443:443 and still don't work.

I've tried so many guides out there. I long for the day I can get the real IP 😄


@neocult-de commented on GitHub (Jul 26, 2023):

Then it would seem that the notation, the same as network-mode host, only works on Linux for now.


@0bo commented on GitHub (Aug 28, 2023):

> > @fdzaebel hi, I want to modify npm into host mode, and I have installed npm in your docker-compose.yaml file, but I cannot open the login interface of npm or log in to npm. Could you please tell me how to solve it? Thanks~
> >
> > ```
> > version: '3.2'
> > services:
> >   app:
> >     image: 'jc21/nginx-proxy-manager:latest'
> >     restart: unless-stopped
> >     network_mode: host
> >     volumes:
> >       - ./data:/data
> >       - ./letsencrypt:/etc/letsencrypt
> > ```
>
> I am also facing this issue with npm not loading admin interface or allowing proxy host connections also in the pursuit of real ip.

Same here, can't login at port 81, and didn't test it works to get the real ip.


@0bo commented on GitHub (Aug 28, 2023):

> I read this thread like 5 times and tried to research how to do it properly without breaking too much.
>
> The `network_mode: host` works for a correct "SourceIP"-Forwarding, but it breaks the principle of having other docker containers in an internal network, because host-mode and docker networks are mutually exclusive. That leads to the necessity of exposing the mysql-docker for NPM and any other service on the same host to be addressed differently and unnecessarily expose their ports to the host.
>
> The iptable-rule solution to masquerade packages is harder to do, might depend on server and deployment and is harder to maintain.
>
> What worked for me is letting the docker container bind directly to the host port, so it doesn't use the docker-proxy to be forwarded and thus changing the source IP. Adding 0.0.0.0 to the ports to bind on all Interfaces (Internal docker networks your NPM container is attached to AND the host port directly) --> Therefore directly getting the SourceIP on Port 80/443 (or another Stream Port if necessary), but keep the internal networking for database and other docker images fully functional.
>
> To make that happen adopt the docker run command `-p 0.0.0.0:80:80 -p 0.0.0.0:443:443` (Adding 0.0.0.0 to the port forwarding for the npm-docker image)
>
> For docker-compose
>
> ```
> ports:
>   - '0.0.0.0:80:80'
>   - '0.0.0.0:443:443'
> ```
>
> Worked for me on Port 80/443 to have the SourceIP
>
> Edit: If you want IPv6 to work as well you have to extend the port configuration: docker run `-p 0.0.0.0:80:80 -p 0.0.0.0:443:443 -p [::0]:80:80 -p [::0]:443:443`
>
> docker compose
>
> ```
> ports:
>   - '0.0.0.0:80:80' # Public HTTP Port IPv4
>   - '0.0.0.0:443:443' # Public HTTPS Port IPv4
>   - '[::0]:80:80' # Public HTTP Port IPv6
>   - '[::0]:443:443' # Public HTTPS Port IPv6
> ```

I tried this and also tried another compose type

```
ports:
  - '81:81'
  - target: 80
    published: 8880
    protocol: tcp
    mode: host
  - target: 443
    published: 8443
    protocol: tcp
    mode: host
```

neither works... tired... let it be then ...


@neocult-de commented on GitHub (Aug 28, 2023):

@0bo If you still want to give it a try, check the following steps first:

  1. Are you on a Linux-based System for your Docker Host? Windows and MacOS don't have support for Docker's host mode https://docs.docker.com/network/drivers/host/
  2. If you run your Compose file without mode host at all, can you then login on port 81? (To avoid any other issue along the way)

@0bo commented on GitHub (Sep 12, 2023):

> @0bo If you still want to give it a try, check the following steps first:
>
> 1. Are you on a Linux-based System for your Docker Host? Windows and MacOS don't have support for Docker's host mode https://docs.docker.com/network/drivers/host/
> 2. If you run your Compose file without mode host at all, can you then login on port 81? (To avoid any other issue along the way)

@neocult-de Hi there:

  1. I have tried openwrt, Synology docker through windows vmware pro. They both are linux-based systems.
  2. I noticed that it is not compose file or not, it is the host mode. If I turn on host mode, that port 81 could load the page but can't login.

Thank you. Now I am trying something else, they work fine.


@neocult-de commented on GitHub (Sep 12, 2023):

@0bo If you find an alternative, that's great.

For the "host mode and then not being able to login" issue:
If you are directly in host mode, connections between docker containers via the docker network do not work anymore, because all ports are directly bound on the host. Thus, nginx-proxy-manager container can't connect to its database-container anymore. There is no direct error message, but you will not be able to login with your credentials when they can not be verified with the database.

That is why I recommended to use the bind on all interface method (-p 0.0.0.0:80:80 -p 0.0.0.0:443:443) "instead of hostmode!". It will give the same result for nginx-proxy-manager directly handling requests, but still be able to use docker-network with other containers (important for database and if you want to reverse proxy other docker containers on the same host).

If you were able to activate host mode, then the bind on all interface method should work for you as well.


@0bo commented on GitHub (Sep 12, 2023):

> @0bo If you find an alternative, that's great.
>
> For the "host mode and then not being able to login" issue: If you are directly in host mode, connections between docker containers via the docker network do not work anymore, because all ports are directly bound on the host. Thus, nginx-proxy-manager container can't connect to its database-container anymore. There is no direct error message, but you will not be able to login with your credentials when they can not be verified with the database.
>
> That is why I recommended to use the bind on all interface method (-p 0.0.0.0:80:80 -p 0.0.0.0:443:443) "instead of hostmode!". It will give the same result for nginx-proxy-manager directly handling requests, but still be able to use docker-network with other containers (important for database and if you want to reverse proxy other docker containers on the same host).
>
> If you were able to activate host mode, then the bind on all interface method should work for you as well.

@neocult-de

I fully understand the advantage of your suggestion, that's why I tried quite a few times.

But neither openwrt nor synology system does support this feature. I mean, when I apply the method like `-p 0.0.0.0:80:80 -p 0.0.0.0:443:443`, by compose or just one line command, in some situations it may notify wrong format, or sometimes it just works as normal bind method, no difference.

I guess this may be due to the system itself, for example, in debian or ubuntu, it may work as you said, but not in my case.


@neocult-de commented on GitHub (Sep 12, 2023):

@0bo If the host mode works for you:
If the binding notation for all interfaces does not work for you, you might be able to set it specifically for your host ip and docker network in question. (I personally have done all for keeping the docker network connection to all my container and services)

Alternatively: Use host mode on database container as well - You can get access to the database theoretically by binding the database-container as well in host mode and connect locally to it (you might need to use the IP of the device and not a binding like localhost / 127.0.0.1 to connect from nginx-proxy-manager to the database)

(Not being able to use the all interfaces notation might be issues with interfaces and routing on OpenWrt and Synology (Plenty of reasons for these stations to have modifications in these areas) OR an older version of docker as the Interface binding notation is a newer feature.)


@Zammla commented on GitHub (Mar 11, 2024):

> I read this thread like 5 times and tried to research how to do it properly without breaking too much.
>
> The `network_mode: host` works for a correct "SourceIP"-Forwarding, but it breaks the principle of having other docker containers in an internal network, because host-mode and docker networks are mutually exclusive. That leads to the necessity of exposing the mysql-docker for NPM and any other service on the same host to be addressed differently and unnecessarily expose their ports to the host.
>
> The iptable-rule solution to masquerade packages is harder to do, might depend on server and deployment and is harder to maintain.
>
> What worked for me is letting the docker container bind directly to the host port, so it doesn't use the docker-proxy to be forwarded and thus changing the source IP. Adding 0.0.0.0 to the ports to bind on all Interfaces (Internal docker networks your NPM container is attached to AND the host port directly) --> Therefore directly getting the SourceIP on Port 80/443 (or another Stream Port if necessary), but keep the internal networking for database and other docker images fully functional.
>
> To make that happen adopt the docker run command `-p 0.0.0.0:80:80 -p 0.0.0.0:443:443` (Adding 0.0.0.0 to the port forwarding for the npm-docker image)
>
> For docker-compose
>
> ```
> ports:
>   - '0.0.0.0:80:80'
>   - '0.0.0.0:443:443'
> ```
>
> Worked for me on Port 80/443 to have the SourceIP
>
> Edit: If you want IPv6 to work as well you have to extend the port configuration: docker run `-p 0.0.0.0:80:80 -p 0.0.0.0:443:443 -p [::0]:80:80 -p [::0]:443:443`
>
> docker compose
>
> ```
> ports:
>   - '0.0.0.0:80:80' # Public HTTP Port IPv4
>   - '0.0.0.0:443:443' # Public HTTPS Port IPv4
>   - '[::0]:80:80' # Public HTTP Port IPv6
>   - '[::0]:443:443' # Public HTTPS Port IPv6
> ```

This worked for me on Linux! THANK YOU SO MUCH! Trying this for weeks and finally it worked.


@LiamKarlMitchell commented on GitHub (Aug 11, 2024):

On WSL2 Windows 10, can't do host network (once enabled in experimental features of docker desktop) and still have access to docker named networks that are marked external: true etc, to share between various containers to be able to access them by their host names.

Listening with the 0 bind address did not work in this case.

However, can possibly have two Nginx's or some other proxy.
One on host that reverse proxies to one that has different port exposed for http, to then be able to connect to docker bridge networks as well.

Nginx + Host Network enabled listens on 80,443 etc.
Reverse proxies all traffic? to port 83 for instance
The nginx running for container networks, can then handle them as needed.

Kind of a roundabout way to do it, if it works...
It would also allow letting only Cloudflare IPv4 + LAN + Docker access "public" sites as well, due to the separation and having the real connecting IP... Although that can be allowed through the firewall as well, and probably should be, but block other traffic etc.


@neocult-de commented on GitHub (Aug 12, 2024):

@LiamKarlMitchell The outermost reverse proxy does the SSL-Certificate and Handling for you on the publicly reachable end in almost any case; if you move that process to any other proxy inside, you will run into management overhead, certificate copying, whatever. You would like to aim for that goal.

I run Nextcloud-AIO (All-in-one) behind Nginx Proxy Manager and the correct IP gets handled from NPM (Reverse Proxy) -> Caddy (Reverse Proxy) -> Apache (Webserver) and has the correct IP - That's possible through the chain, but it doesn't fix the original issue for you.

What you could try in WSL2 Windows 10 instead of outright host mode and instead of the all-interface binding notation (`-p 0.0.0.0:80:80 -p 0.0.0.0:443:443`): you can try to notate your network IP and every Docker network IP your npm-proxy-manager gets.

This would lead to the overhead of adding every IP your npm-proxy gets internally assigned in Docker into your docker compose file, but it should give the chance for proper IP by listening on the actual network interface and the proper Docker names through its Docker interface at the same time.

HINT: Might need the experimental option activated - might not work on WSL properly

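The proxy chain mentioned in the comment above (NPM -> Caddy -> Apache) only delivers a usable address if each hop reads `X-Forwarded-For` from known proxies and from nobody else. The sketch below is an added example, not code from this thread or from Nginx Proxy Manager; the trusted ranges, sample addresses and function names are assumptions. The first sample reproduces the symptom from the issue, where the only address left in the header is the Docker gateway 172.19.0.1.

```python
import ipaddress

# Assumed trusted hops (an assumption, not a config from this thread): the
# Docker bridge subnet visible in the issue's inspect output, plus loopback.
TRUSTED = [ipaddress.ip_network(n) for n in ("172.19.0.0/16", "127.0.0.0/8")]


def _parse(addr):
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None  # malformed header entry


def is_trusted(addr, trusted=TRUSTED):
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in trusted)


def resolve_client_ip(peer_addr, xff_header, trusted=TRUSTED):
    """Return the address a backend behind the proxy chain should log.

    The header is used only when the TCP peer is a trusted proxy, and it is
    read right to left so client-supplied entries are never reached first.
    """
    if not is_trusted(peer_addr, trusted):
        return peer_addr  # direct or unknown sender: ignore the header
    client = peer_addr
    for hop in reversed(xff_header.split(",")):
        if _parse(hop) is None:
            break  # malformed entry: keep the last well-formed hop
        client = hop.strip()
        if not is_trusted(hop, trusted):
            break  # first non-proxy hop from the right is the client
    return client


# Constructed samples: name -> (TCP peer, X-Forwarded-For value)
SAMPLES = {
    "source NAT in front of NPM": ("172.19.0.3", "172.19.0.1"),
    "source IP preserved": ("172.19.0.3", "203.0.113.7"),
    "client-supplied header": ("172.19.0.3", "10.0.0.1, 203.0.113.7"),
    "two proxies in the chain": ("172.19.0.4", "203.0.113.7, 172.19.0.3"),
    "peer is not a proxy": ("198.51.100.9", "10.0.0.1"),
}

if __name__ == "__main__":
    for name, (peer, xff) in SAMPLES.items():
        print(f"{name:28} -> {resolve_client_ip(peer, xff)}")
```

When every hop in the header is a trusted proxy, as in the first sample, the function can only return the Docker gateway, so IP-based allowlists and logs on the backend are working with the wrong address until the source IP is preserved at the edge.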

@LiamKarlMitchell commented on GitHub (Aug 12, 2024):

Update: even host mode with experimental mode on Windows 10 WSL2 did not work, unfortunately. Well, with Pi-hole, which I tried host network on first rather than NPM, could see a new "IP" for each client connection; this time it was always localhost, even though the device doing the DNS query was my phone, for instance, not my PC.

So I'm confident nginx would be the same in host mode, even with hosting two instances of it etc. Bummer.


@neocult-de commented on GitHub (Aug 12, 2024):

Try interface binding notation for

- 0.0.0.0
- your host's IP
- Docker internal IP of your Pi-hole

and try again.

e.g. for Pi-hole DNS requests try (with your actual IPs!)

**docker run**

```
-p 0.0.0.0:53:53 -p 192.168.0.10:53:53 -p 172.20.0.5:53:53
```

**docker compose**

```
ports:
  - '0.0.0.0:53:53'
  - '192.168.0.10:53:53'
  - '172.20.0.5:53:53'
```
