RealIP Reverse Proxy

Hi

I am trying to put my FiveM server behind a reverse proxy.
The proxy by itself works fine when I join via cfx.re. There it neatly passes the real IP of the player through.
However, when I connect via the proxy IP, this IP is not passed on so all players have the proxy IP according to the fivem server itself.

Does anyone have any idea how I can best solve this?
Thanks in advance

upstream backend {
        server serverip:30120;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name fivem.domein.com;

    ssl_certificate blablabla;
    ssl_certificate_key blablabla;


    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass_request_headers on;
        proxy_http_version 1.1;
        proxy_pass http://backend;
    }

    location /files/ {
        proxy_pass http://backend$request_uri;
        add_header X-Cache-Status $upstream_cache_status;
        proxy_cache_lock on;
        proxy_cache assets;
        proxy_cache_valid 1y;
        proxy_cache_key $request_uri$is_args$args;
        proxy_cache_revalidate on;
        proxy_cache_min_uses 1;
    }
}

You are possibly missing some setup steps (configs, FXServer settings etc.)

See FXServer Reverse Proxy · GitHub for a guide

Hi, thank you for your answer

I just followed all the steps again but still without success.
Below you see my code

server.cfg

image

/etc/nginx/sites-available/proxy-web.conf

upstream backend {
        server xxx.x.xxx.24:30120;
}

proxy_cache_path /srv/cache levels=1:2 keys_zone=assets:48m max_size=20g inactive=2h;

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name fivem.mydomein.net;

    # SSL is highly encouraged but optional. If not using SSL, comment the below and change the listen blocks above.
    ssl_certificate /etc/letsencrypt/live/mydomein/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomein/privkey.pem;
    #error_log /var/log/nginx/fivem.log warn;    
    #access_log /var/log/nginx/fivem-access.log;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass_request_headers on;
        proxy_http_version 1.1;
        proxy_pass http://backend;
    }
}

/etc/nginx/stream-proxy.conf

stream {
    upstream backend {
        server xxx.x.xxx.24:30120;
    }
    server {
        listen 30120;
        proxy_pass backend;
    }
    server {
        listen 30120 udp reuseport;
        proxy_pass backend;
    }
}

/etc/nginx/nginx.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;


    proxy_cache_path /srv/cache levels=1:2 keys_zone=assets:48m max_size=20g inactive=2h;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';


    log_format specialLog '$remote_addr forwarded for $http_x_real_ip - $remote_user [$time_local]  '
                          '"$request" $status $body_bytes_sent '
                          '"$http_referer" "$http_user_agent"';
    access_log  /var/log/nginx/access.log specialLog;
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}


include /etc/nginx/stream-proxy.conf;

nginx version: nginx/1.19.7

version" is "FXServer-master v1.0.0.3524 linux

We’re having the same issue.
Sadly, passing the real IP while using the setup from the aforementioned GitHub page only works when you connect via the cfx.re proxy or via connect "https://your-server-address/" (note the quotes and https://; also, port 443 has to be open and an SSL cert has to be configured).

Followed your guide, same issue as above. Bubble on the discord mentioned that this is not possible on default port, but there are many servers doing it with default port.

We need a little more help, please ! :frowning:

I don’t have experience with it. That’s all the info I can give

Again, I highly doubt that they are using a reverse proxy in that case and not a tunnel.

However - what issue are you trying to solve by having ‘the default port’ be connectable?

I am trying to solve the problem of IP pass through at the proxy IP to join. When I join the cfx it does this one. Via the IP it does not

Cool? But why do you want people to connect “via the IP” and not the listing or your https proxy URL?

Same problem. IP pass through is only working when people join with cfx or serverlist

… are you even reading what I’m asking? Why do you want people to connect “via the IP” instead of connect "https://proxy.domain/"?

I’m not sure why you’re saying “same problem” when I didn’t even suggest a solution or anything.

We (at least I) just want to figure out why using the full URL link including the protocol works, but not the plain domain without it.
Why do connect "http://proxy.server.com" and connect "https://proxy.server.com" work and simply connect proxy.server.com does not…

It will be easier for players to just type that, instead of copying whole link with https and putting it in quotes using f8.

Also, the default 30120 port is used in the provided guide, which somehow tells us that this should work on the default port (and it does; the issue is with something else). We just want to follow it and set up the proxy to forward the real player IP when a player uses the domain without quotes.

… because “plain domain without it” turns into example.com:30120 which will just be performing a raw connection.

No, it shouldn’t in that sense, and this guide is written by some community member so shouldn’t be taken as authoritative. You should not be using the default port to ensure people don’t connect to your raw proxy by accident, and similarly it makes no real sense to put the HTTPS proxy on the same machine as the TCP/UDP proxy (or at least not have it behind another proxy such as CF or a Kubernetes ingress provider) as people who know the address to the protocol-aware port can trivially just ‘attack’ the other if that’s what your goal is here.

Again, there is no method or ‘solution’ for adding a real-IP header to the raw port, nor can there possibly be as it’s a raw port which is not and can not be protocol-aware.

Somewhat curious - why are you needing players to ‘type’ anything anywhere? In fact, if correctly configured, join URLs do the same thing, as does the server list, so the use case here somewhat eludes me.

Is there any way to possibly solve this?

Yes, I have an idea that could help you solve this problem. It involves using the proxy protocol, which is a networking protocol that allows you to pass the real IP of the client to the server, even if the traffic is routed through a proxy. For example, I am using the proxies from https://shiftproxy.io for this, idk if it will work with others. This can be done by configuring the proxy to add a special header to all requests that contain the client’s IP address. Then, on the server side, you can use a library such as mod_proxy_protocol to read the header and extract the real IP address. I hope this helps, and good luck getting your FiveM server running behind a reverse proxy!
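
An added example, not part of the thread and not FXServer code: what a backend has to do itself before a PROXY protocol v1 line on a raw TCP port yields a real client IP, including honouring the header only when the connection comes from the proxy. The trusted address `192.0.2.10`, the function name and the sample bytes are constructed for illustration; whether a given backend implements this is not assumed.

```python
import ipaddress

# Assumption: only our own proxy may prepend a PROXY header.
# 192.0.2.10 is a documentation address standing in for it.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}
MAX_V1_HEADER = 107  # longest v1 header line, CRLF included

# Constructed sample: header as a proxy would send it, then application bytes.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 30120\r\nhello"


def client_address(peer_ip, first_bytes, trusted=TRUSTED_PROXIES):
    """Return (client_ip, client_port_or_None, remaining_payload).

    peer_ip is the socket-level source address, first_bytes the start of the
    TCP stream. The header is honoured only for trusted peers; for anyone
    else the socket address stands and nothing is consumed.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        # Direct connection: a "PROXY ..." line here is client-controlled data.
        return str(peer), None, first_bytes
    end = first_bytes.find(b"\r\n", 0, MAX_V1_HEADER)
    if not first_bytes.startswith(b"PROXY ") or end == -1:
        raise ValueError("trusted proxy did not send a PROXY v1 header")
    fields = first_bytes[:end].decode("ascii").split(" ")
    rest = first_bytes[end + 2:]
    if fields[1] == "UNKNOWN":
        # Proxy could not determine the source; only its own address is known.
        return str(peer), None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])
    ipaddress.ip_address(fields[3])  # destination must parse as well
    if src.version != (4 if fields[1] == "TCP4" else 6):
        raise ValueError("address family does not match protocol field")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport, rest


if __name__ == "__main__":
    print(client_address("192.0.2.10", SAMPLE))    # via the proxy
    print(client_address("198.51.100.9", SAMPLE))  # direct, header ignored
```

The v1 header covers TCP only; it does not apply to the UDP listener on the same port.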