[GH-ISSUE #1057] ENHANCEMENT: Add option to enable Proxy Protocol on TRMM Nginx Container #2594

New issue

Closed

opened 2026-03-14 04:44:40 +03:00 by kerem · 8 comments

kerem commented 2026-03-14 04:44:40 +03:00

Owner

Copy link

Originally created by @joeldeteves on GitHub (Apr 8, 2022).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/1057

Originally assigned to: @silversword411 on GitHub.

Is your feature request related to a problem? Please describe.
If TRMM is hosted behind a Load Balancer, it does not get the real IP of the client host in the logs.

Describe the solution you'd like
The solution to this problem is the use of Proxy Protocol, see https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/

• It should not be enabled by default, as this will break existing setups unless it's turned on at both the Load Balancer and ingress levels.
• Instead, it should be configurable by an environment variable e.g. PROXY_PROTOCOL: true, this way it is compatible with both K8s & docker-compose
• Setting proxy protocol should also enable it for the ssl binding (4443 for the TRMM non-root nginx container)
• There also needs to be an option to configure the set_real_ip_from directive in order to set it to the IP of the load balancer (or in the case of K8s, the IP CIDR range of the pod virtual network); it might like something like this: REAL_IP_FROM: 192.168.0.0/16

Describe alternatives you've considered
Using a custom NGINX container

Additional context
Add any other context or screenshots about the feature request here.

Originally created by @joeldeteves on GitHub (Apr 8, 2022). Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/1057 Originally assigned to: @silversword411 on GitHub. **Is your feature request related to a problem? Please describe.** If TRMM is hosted behind a Load Balancer, it does not get the real IP of the client host in the logs. **Describe the solution you'd like** The solution to this problem is the use of `Proxy Protocol`, see https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/ - It should not be enabled by default, as this will break existing setups unless it's turned on at both the Load Balancer and ingress levels. - Instead, it should be configurable by an environment variable e.g. `PROXY_PROTOCOL: true`, this way it is compatible with both K8s & docker-compose - Setting `proxy protocol` should also enable it for the `ssl` binding (4443 for the TRMM non-root nginx container) - There also needs to be an option to configure the `set_real_ip_from` directive in order to set it to the IP of the load balancer (or in the case of K8s, the IP CIDR range of the pod virtual network); it might like something like this: `REAL_IP_FROM: 192.168.0.0/16` **Describe alternatives you've considered** Using a custom NGINX container **Additional context** Add any other context or screenshots about the feature request here.

kerem 2026-03-14 04:44:40 +03:00

• closed this issue
• added the
  question
  label

kerem commented 2026-03-14 04:44:56 +03:00

Author

Owner

Copy link

@silversword411 commented on GitHub (Apr 8, 2022):

Is this a docs recommendation for proxy/load balancer considerations...or are you looking for something changed in TRMM?

<!-- gh-comment-id:1093361593 --> @silversword411 commented on GitHub (Apr 8, 2022): Is this a docs recommendation for proxy/load balancer considerations...or are you looking for something changed in TRMM?

kerem commented 2026-03-14 04:45:01 +03:00

Author

Owner

Copy link

@joeldeteves commented on GitHub (Apr 8, 2022):

Is this a docs recommendation for proxy/load balancer considerations...or are you looking for something changed in TRMM?

Hi @silversword411 this would be a change in the startup script of the NGINX container.

<!-- gh-comment-id:1093363424 --> @joeldeteves commented on GitHub (Apr 8, 2022): > Is this a docs recommendation for proxy/load balancer considerations...or are you looking for something changed in TRMM? Hi @silversword411 this would be a change in the startup script of the NGINX container.

kerem commented 2026-03-14 04:45:06 +03:00

Author

Owner

Copy link

@silversword411 commented on GitHub (Apr 8, 2022):

Might be better to just PR your recommended change to the repo for that.

But if I'm reading this right there's useful documentation addition for Load balanced configs. Am I not understanding something?

<!-- gh-comment-id:1093391198 --> @silversword411 commented on GitHub (Apr 8, 2022): Might be better to just PR your recommended change to the repo for that. But if I'm reading this right there's useful documentation addition for Load balanced configs. Am I not understanding something?

kerem commented 2026-03-14 04:45:11 +03:00

Author

Owner

Copy link

@joeldeteves commented on GitHub (Apr 8, 2022):

I made a note of how the changes should be implemented in order to avoid breaking existing setups. I suppose it could be adapted into the documention as well, for those who run load balancers 😎

I can PR these changes, no problem. Give me some time to test and I'll put in a merge request

<!-- gh-comment-id:1093392536 --> @joeldeteves commented on GitHub (Apr 8, 2022): > I made a note of how the changes should be implemented in order to avoid breaking existing setups. I suppose it could be adapted into the documention as well, for those who run load balancers 😎 I can PR these changes, no problem. Give me some time to test and I'll put in a merge request

kerem commented 2026-03-14 04:45:16 +03:00

Author

Owner

Copy link

@silversword411 commented on GitHub (Apr 8, 2022):

I think you have a bit better understanding on load balancers and docker/k8s stuff than I do...I'm still working on my brain map on the topics ;)

<!-- gh-comment-id:1093394095 --> @silversword411 commented on GitHub (Apr 8, 2022): I think you have a bit better understanding on load balancers and docker/k8s stuff than I do...I'm still working on my brain map on the topics ;)

kerem commented 2026-03-14 04:45:21 +03:00

Author

Owner

Copy link

@joeldeteves commented on GitHub (Jun 20, 2022):

Hold my beer . . .

<!-- gh-comment-id:1159979644 --> @joeldeteves commented on GitHub (Jun 20, 2022): Hold my beer . . .

kerem commented 2026-03-14 04:45:26 +03:00

Author

Owner

Copy link

@joeldeteves commented on GitHub (Jun 21, 2022):

Cancelling this request, see notes in the merge request (also cancelled)

<!-- gh-comment-id:1161138213 --> @joeldeteves commented on GitHub (Jun 21, 2022): Cancelling this request, see notes in the merge request (also cancelled)

kerem commented 2026-03-14 04:45:31 +03:00

Author

Owner

Copy link

@joeldeteves commented on GitHub (Jun 21, 2022):

Adding a follow-up in case anyone else is wondering why I closed this:

1. You can use your own NGINX container + config instead of the one that comes with TRMM. Not recommended unless you know what you're doing; the TRMM one is great for most use cases and in fact I am still using it (see below).

2. It turns out I was able to split NATS into it's own pod on K8s using separate services. Here's how:

• I ended up leaving NATS on its own Load Balancer (with Proxy Protocol turned off)
• Pointed the rmm and mesh A records to our primary Load Balancer, which talks to our Reverse Proxy (with Proxy Protocol turned on).
• Pointed the api A record to the "NATS" Load Balancer, for which the K8s Service is used to expose both the NGINX pod and the NATS pod (thus allowing both NATS and http requests to api to function).

To summarize, the NGINX pod is shared between the "NATS" load balancer and the Reverse Proxy Load Balancer. This allows us to send our "front end" traffic through the Reverse Proxy and our "back end" traffic through the exposed NGINX service, respectively, while also allowing NATS to function as intended.

Whew! 🥳🥳🥳

<!-- gh-comment-id:1161249250 --> @joeldeteves commented on GitHub (Jun 21, 2022): Adding a follow-up in case anyone else is wondering why I closed this: 1) You can use your own NGINX container + config instead of the one that comes with TRMM. Not recommended unless you know what you're doing; the TRMM one is great for most use cases and in fact I am still using it (see below). 2) It turns out I *was* able to split NATS into it's own pod on K8s using separate services. Here's how: - I ended up leaving NATS on its own Load Balancer (with Proxy Protocol turned off) - Pointed the `rmm` and `mesh` A records to our primary Load Balancer, which talks to our Reverse Proxy (with Proxy Protocol turned **on**). - Pointed the `api` A record to the "NATS" Load Balancer, for which the K8s Service is used to expose both the NGINX pod and the NATS pod (thus allowing both NATS and http requests to `api` to function). To summarize, the NGINX pod is shared between the "NATS" load balancer and the Reverse Proxy Load Balancer. This allows us to send our "front end" traffic through the Reverse Proxy and our "back end" traffic through the exposed NGINX service, respectively, while also allowing NATS to function as intended. Whew! 🥳🥳🥳

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

master

1.0.0

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.20.1

v0.20.0

v0.19.4

v0.19.3

v0.19.2

v0.19.1

v0.19.0

v0.18.2

v0.18.1

v0.18.0

v0.17.5

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.5

v0.16.4

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.12

v0.15.11

v0.15.10

v0.15.9

v0.15.8

v0.15.7

v0.15.6

v0.15.5

v0.15.4

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.8

v0.14.7

v0.14.6

v0.14.5

v0.14.4

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.4

v0.13.3

v0.13.2

v0.13.1

v0.13.0

v0.12.4

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.3

v0.11.2

v0.11.1

v0.11.0

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.2

v0.9.1

v0.9.0

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.32

v0.4.31

v0.4.30

v0.4.29

v0.4.28

v0.4.27

v0.4.26

v0.4.25

v0.4.24

v0.4.23

v0.4.22

v0.4.21

v0.4.20

v0.4.19

v0.4.18

v0.4.17

v0.4.16

v0.4.15

v0.4.14

v0.4.13

v0.4.12

v0.4.11

v0.4.10

v0.4.9

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.23

v0.2.22

v0.2.21

v0.2.20

v0.2.19

v0.2.18

v0.2.17

v0.2.16

v0.2.15

v0.2.14

v0.2.13

v0.2.12

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.8

v0.1.7

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels   

In Process

  

bug

  

bug

  

dev-triage

  

documentation

  

duplicate

  

enhancement

  

fixed

  

good first issue

  

help wanted

  

integration

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

requires agent update

  

security

  

ui tweak

  

wontfix

No labels

In Process

bug

bug

dev-triage

documentation

duplicate

enhancement

fixed

good first issue

help wanted

integration

invalid

pull-request

question

requires agent update

security

ui tweak

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/tacticalrmm#2594

No description provided.