In my case running Traefik on docker I was not getting real ip addresses. I changed the NLB option Source header (IP, port) preservation: Enabled

NOTE: To change this you need to remove the targets from the backend set first.

console issue

Suddenly the console did not allow me to re-add the VM.Standard.A1.Flex server back into the backend set. It required me to upgrade to a paid account. Which is nonsense since I used this server as a target for a long time and now suddenly they want to be sneaky with free options. At least the CLI did add the IP back in.

❯ ocicli nlb backend create --backend-set-name server01-443 --network-load-balancer-id <nlb ocid> --port 443 --ip-address 10.0.10.226

test

$ curl https://whoami.virrio.com
Hostname: d86282cf4314
IP: 127.0.0.1
IP: 192.168.240.5
RemoteAddr: 192.168.240.10:39018
GET / HTTP/1.1
Host: whoami.virrio.com
User-Agent: curl/7.81.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 141.148.143.6
X-Forwarded-Host: whoami.virrio.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 7ec716586d0b
X-Real-Ip: 141.148.143.6