APP_PROXIES works for Audit Log but does not work for NGinx error.log #2938

New Issue

Closed

opened 2026-02-05 05:48:15 +03:00 by OVERLORD · 6 comments

OVERLORD commented 2026-02-05 05:48:15 +03:00

Owner

Copy Link

Originally created by @jducaud on GitHub (Aug 4, 2022).

Describe the Bug

Setting the APP_PROXIES to * allows the Audit Log of BookStack to display the real IP address of the user.

In the security-topic documentation we can see:

An option is available to log failed login events to a log file which is useful to identify users having trouble logging in, track malicious login attempts or to use with tools such as Fail2Ban.

This option is LOG_FAILED_LOGIN_MESSAGE (set, as advised, to "Failed login for %u").

So one could logically think - as Fail2Ban is only effective if it has access to the IP address of the attacker - that APP_PROXIES and LOG_FAILED_LOGIN_MESSAGE are the perfect combo to track repeated failed login attempts.

That is not the case. The APP_PROXIES option works for Audit Log (as advertized in the BookStack 21.10 release notes), and the LOG_FAILED_LOGIN_MESSAGE option yields a message in the NGinx error.log as expected:

2022/08/03 22:55:12 [error] 226#226: *6 FastCGI sent in stderr: "PHP message: Failed login for john.doe@gmail.com" while reading response header from upstream, client: 172.23.0.1, server: _, request: "POST /login HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "book.myserver.org", referrer: "https://book.myserver.org/login"

But they do not yield an NGinx error message which can be used by Fail2Ban, as 172.23.0.1 is a Docker bridge interface IP address, not the user real address.

Steps to Reproduce

1. In the docker-compose.yml file, set APP_PROXIES to *
2. In the docker-compose.yml file, set LOG_FAILED_LOGIN_MESSAGE to "Failed login for %u"
3. Generate and start your containers (BookStack and MariaDB)
4. Try to log in with bad credentials into BookStack
5. Have a look at the NGinx error.log file

Expected Behaviour

Setting both APP_PROXIES and LOG_FAILED_LOGIN_MESSAGE should yield a message with the real IP address of the user in the NGinx error.log file.

We could also imagine that beside the %u variable in the failed login message, there could also be a %i variable for the IP address.

Screenshots or Additional Context

No response

Browser Details

Firefox 103.0 (64-bit) - Windows 11 Home (10.0.22000)

Exact BookStack Version

22.07.1 (LinuxServer.io 22.07.1-ls29)

PHP Version

7.4.26

Hosting Environment

• Synology DS218+ DSM 6.2.4-25556 Update 6
• DSM NGinx 1.16.1 (https://book.myserver.org -> http://localhost:9580)
• DSM Docker 20.10.3: docker-compose.yml:
  • services: image: lscr.io/linuxserver/bookstack, ports: 9580:80, networks: bookstack_mariadb
  • services: image: lscr.io/linuxserver/mariadb, ports: 3306:3306, networks: bookstack_mariadb
  • networks: bookstack_mariadb, driver: bridge

Originally created by @jducaud on GitHub (Aug 4, 2022). ### Describe the Bug Setting the `APP_PROXIES` to `*` allows the `Audit Log` of `BookStack` to display the real IP address of the user. In the [security-topic documentation](https://www.bookstackapp.com/docs/admin/security/) we can see: > An option is available to log failed login events to a log file which is useful to identify users having trouble logging in, track malicious login attempts or to use with tools such as **Fail2Ban**. This option is `LOG_FAILED_LOGIN_MESSAGE` (set, as advised, to `"Failed login for %u"`). So one could logically think - as `Fail2Ban` is only effective if it has access to the IP address of the attacker - that `APP_PROXIES` and `LOG_FAILED_LOGIN_MESSAGE` are the perfect combo to track repeated failed login attempts. That is not the case. The `APP_PROXIES` option works for `Audit Log` (as advertized in the [BookStack 21.10 release notes](https://www.bookstackapp.com/blog/bookstack-release-v21-10/#ip-address-in-audit-log)), and the `LOG_FAILED_LOGIN_MESSAGE` option yields a message in the `NGinx error.log` as expected: ``` 2022/08/03 22:55:12 [error] 226#226: *6 FastCGI sent in stderr: "PHP message: Failed login for john.doe@gmail.com" while reading response header from upstream, client: 172.23.0.1, server: _, request: "POST /login HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "book.myserver.org", referrer: "https://book.myserver.org/login" ``` But they do not yield an `NGinx` error message which can be used by `Fail2Ban`, as `172.23.0.1` is a `Docker bridge` interface IP address, not the user real address. ### Steps to Reproduce 1. In the `docker-compose.yml` file, set `APP_PROXIES` to `*` 2. In the `docker-compose.yml` file, set `LOG_FAILED_LOGIN_MESSAGE` to `"Failed login for %u"` 3. Generate and start your containers (`BookStack` and `MariaDB`) 4. Try to log in with bad credentials into `BookStack` 5. Have a look at the `NGinx error.log` file ### Expected Behaviour Setting both `APP_PROXIES` and `LOG_FAILED_LOGIN_MESSAGE` should yield a message with the real IP address of the user in the `NGinx error.log` file. We could also imagine that beside the `%u` variable in the failed login message, there could also be a `%i` variable for the IP address. ### Screenshots or Additional Context _No response_ ### Browser Details Firefox 103.0 (64-bit) - Windows 11 Home (10.0.22000) ### Exact BookStack Version 22.07.1 (LinuxServer.io 22.07.1-ls29) ### PHP Version 7.4.26 ### Hosting Environment - Synology DS218+ DSM 6.2.4-25556 Update 6 - DSM NGinx 1.16.1 (https://book.myserver.org -> http://localhost:9580) - DSM Docker 20.10.3: docker-compose.yml: - services: image: lscr.io/linuxserver/bookstack, ports: 9580:80, networks: bookstack_mariadb - services: image: lscr.io/linuxserver/mariadb, ports: 3306:3306, networks: bookstack_mariadb - networks: bookstack_mariadb, driver: bridge

OVERLORD added the 🐛 Bug label 2026-02-05 05:48:15 +03:00

OVERLORD closed this issue 2026-02-05 05:48:18 +03:00

OVERLORD commented 2026-02-05 05:48:22 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Aug 4, 2022):

Hi @jducaud,
I don't want to complicate the LOG_FAILED_LOGIN_MESSAGE system if possible, since it's really a rarely used feature.
I think the fundamental request can be achieved on the nginx side like described here:

https://serverfault.com/questions/896130/possible-to-log-x-forwarded-for-to-nginx-error-log

@ssddanbrown commented on GitHub (Aug 4, 2022): Hi @jducaud, I don't want to complicate the `LOG_FAILED_LOGIN_MESSAGE` system if possible, since it's really a rarely used feature. I think the fundamental request can be achieved on the nginx side like described here: https://serverfault.com/questions/896130/possible-to-log-x-forwarded-for-to-nginx-error-log

OVERLORD commented 2026-02-05 05:48:25 +03:00

Author

Owner

Copy Link

@jducaud commented on GitHub (Aug 4, 2022):

Hi @ssddanbrown,

Thank you for this link. Luckily, the Nginx version of the LinuxServer.io BookStack container has been built with the ngx_http_realip_module! So I added to the server context of Nginx the following lines:

	set_real_ip_from  10.0.0.0/8;
	set_real_ip_from  172.16.0.0/12;
	set_real_ip_from  192.168.0.0/16;
	real_ip_header    X-Forwarded-For;
	real_ip_recursive on;

And it worked. The Nginx error.log now displays the real user IP address. Thank you very much for your advice.

If I may, I would say that the BookStack documentation I quoted should be fixed. Indeed, in any case, the LOG_FAILED_LOGIN_MESSAGE option is not useful for Fail2Ban. Thanks to the APP_PROXIES option, it could have been useful for Fail2Ban but it is actually not. My feeling about this LOG_FAILED_LOGIN_MESSAGE option is that it has no real-life use and has missed its original intended purpose. Too bad.

Anyway, you brilliantly saved me. Thank you again!

@jducaud commented on GitHub (Aug 4, 2022): Hi @ssddanbrown, Thank you for this link. Luckily, the `Nginx` version of the `LinuxServer.io BookStack` container has been built with the `ngx_http_realip_module`! So I added to the server context of `Nginx` the following lines: ``` set_real_ip_from 10.0.0.0/8; set_real_ip_from 172.16.0.0/12; set_real_ip_from 192.168.0.0/16; real_ip_header X-Forwarded-For; real_ip_recursive on; ``` And it worked. The `Nginx` error.log now displays the real user IP address. Thank you very much for your advice. If I may, I would say that the `BookStack` documentation I quoted should be fixed. Indeed, in any case, the `LOG_FAILED_LOGIN_MESSAGE` option is not useful for `Fail2Ban`. Thanks to the `APP_PROXIES` option, it could have been useful for `Fail2Ban` but it is actually not. My feeling about this `LOG_FAILED_LOGIN_MESSAGE` option is that it has no real-life use and has missed its original intended purpose. Too bad. Anyway, you brilliantly saved me. Thank you again!

OVERLORD commented 2026-02-05 05:48:28 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Aug 4, 2022):

Good to know things are working

Thanks to the APP_PROXIES option, it could have been useful for Fail2Ban but it is actually not. My feeling about this LOG_FAILED_LOGIN_MESSAGE option is that it has no real-life use and has missed its original intended purpose. Too bad.

I don't really understand. What makes you say this? How does it miss the intended purpose?

@ssddanbrown commented on GitHub (Aug 4, 2022): Good to know things are working > Thanks to the APP_PROXIES option, it could have been useful for Fail2Ban but it is actually not. My feeling about this LOG_FAILED_LOGIN_MESSAGE option is that it has no real-life use and has missed its original intended purpose. Too bad. I don't really understand. What makes you say this? How does it miss the intended purpose?

OVERLORD commented 2026-02-05 05:48:35 +03:00

Author

Owner

Copy Link

@jducaud commented on GitHub (Aug 4, 2022):

When I say "the LOG_FAILED_LOGIN_MESSAGE option (...) has no real-life use and has missed its original intended purpose", I refer to the BookStack documentation (security topic):

Failed Access Logging: An option (LOG_FAILED_LOGIN_MESSAGE) is available to log failed login events to a log file which is useful to identify users having trouble logging in, track malicious login attempts or to use with tools such as Fail2Ban.

The original intent - if I read correctly - was to allow the use of tools such as Fail2Ban. Well, the LOG_FAILED_LOGIN_MESSAGE option is useless for tools such as Fail2Ban, as it does not provide a way to get the real IP address of the user/attacker in the logs.

That makes me think this option has only made half of the trip. It yields a message (calling the php error_log function) in the Nginx error.log file but only provides a %u variable, useless to effectively ban an IP address. The other half of the trip has to be done by the elegant workaround you gave me (Nginx real-IP module).

@jducaud commented on GitHub (Aug 4, 2022): When I say "the `LOG_FAILED_LOGIN_MESSAGE` option (...) has no real-life use and has missed its original intended purpose", I refer to the [BookStack documentation](https://www.bookstackapp.com/docs/admin/security/) (security topic): > Failed Access Logging: An option (`LOG_FAILED_LOGIN_MESSAGE`) is available to log failed login events to a log file which is useful to identify users having trouble logging in, track malicious login attempts or **to use with tools such as Fail2Ban**. The original intent - if I read correctly - was to allow the use of tools such as `Fail2Ban`. Well, the `LOG_FAILED_LOGIN_MESSAGE` option is useless for tools such as Fail2Ban, as it does not provide a way to get the real IP address of the user/attacker in the logs. That makes me think this option has only made half of the trip. It yields a message (calling the `php error_log` function) in the `Nginx error.log` file but only provides a `%u` variable, useless to effectively ban an IP address. The other half of the trip has to be done by the elegant workaround you gave me (`Nginx real-IP` module).

OVERLORD commented 2026-02-05 05:48:38 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Aug 4, 2022):

The LOG_FAILED_LOGIN_MESSAGE option does not log an IP address itself, since it almost always logs to locations that themselves will contain the IP address. The nginx addition here was only needed because you're in a proxy-based setup. This is not a required step in a non-proxy setup.

Stating My feeling about this LOG_FAILED_LOGIN_MESSAGE option is that it has no real-life use and has missed its original intended purpose. Too bad misses the fact that option has indeed provided a way to use Fail2Ban to track failed login attempts, something which would be more difficult without this feature.

@ssddanbrown commented on GitHub (Aug 4, 2022): The `LOG_FAILED_LOGIN_MESSAGE` option does not log an IP address itself, since it almost always logs to locations that themselves will contain the IP address. The nginx addition here was only needed because you're in a proxy-based setup. This is not a required step in a non-proxy setup. Stating `My feeling about this LOG_FAILED_LOGIN_MESSAGE option is that it has no real-life use and has missed its original intended purpose. Too bad` misses the fact that option has indeed provided a way to use Fail2Ban to track failed login attempts, something which would be more difficult without this feature.

OVERLORD commented 2026-02-05 05:48:45 +03:00

Author

Owner

Copy Link

@jducaud commented on GitHub (Aug 4, 2022):

I do agree with you that there is no problem when using BookStack upfront (not in a container and not behind a reverse proxy). But am I the only person who wants to use BookStack in a Docker container, behind a reverse proxy? Is this setup so uncommon and twisted that it is completely out of topic regarding the BookStack documentation? I do not think so. Two containerized versions of BookStack are proposed as links (LinuxServ.io and solidnerd) and there is even an option (APP_PROXIES) which deals with proxy-based setups (at least for the Audit Log feature).

Nonetheless I admit that saying this option has "no real-life use" was wrong (as it has - as you pointed - at least one use case).

@jducaud commented on GitHub (Aug 4, 2022): I do agree with you that there is no problem when using `BookStack` upfront (not in a container and not behind a reverse proxy). But am I the only person who wants to use `BookStack` in a `Docker` container, behind a reverse proxy? Is this setup so uncommon and twisted that it is completely out of topic regarding the `BookStack` documentation? I do not think so. Two containerized versions of `BookStack` are proposed as links (`LinuxServ.io` and `solidnerd`) and there is even an option (`APP_PROXIES`) which deals with proxy-based setups (at least for the `Audit Log` feature). Nonetheless I admit that saying this option has "no real-life use" was wrong (as it has - as you pointed - at least one use case).

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

further_theme_development

l10n_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 🐛 Bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#2938