proper proxy configuration

fastcgi.conf

@@ -16,7 +16,7 @@ fastcgi_param  HTTPS              $https if_not_empty;
 fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
 fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
 
-fastcgi_param  REMOTE_ADDR        $http_x_forwarded_for;
+fastcgi_param  REMOTE_ADDR        $remote_addr;
 fastcgi_param  REMOTE_PORT        $remote_port;
 fastcgi_param  REMOTE_USER        $remote_user;
 fastcgi_param  SERVER_ADDR        $server_addr;

nginx.conf

@@ -1,7 +1,6 @@
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
-error_log /var/log/nginx/error.log;
 include /etc/nginx/modules-enabled/*.conf;
 
 events {
@@ -37,7 +36,12 @@ http {
 	# Logging Settings
 	##
 
-	access_log /var/log/nginx/access.log;
+	log_format main '$http_x_forwarded_for [$time_local] "$request" '
+		'$status $body_bytes_sent "$http_referer" '
+		'"$http_user_agent"';
+
+	access_log /var/log/nginx/access.log main;
+	error_log /var/log/nginx/error.log;
 
 	##
 	# Gzip Settings

public_mediawiki/LocalSettings.php

@@ -242,3 +242,8 @@ $wgTemplateStylesExtenderEnableCssVars = true;
 $wgNamespacesWithSubpages[NS_MAIN] = true;
 $wgNamespacesWithSubpages[NS_TEMPLATE] = true;
 
+# use proxy ip addresses -- we’re behind (at least) one reverse proxy that sets X-Forwarded-For
+$wgUsePrivateIPs = true;
+# ingress haproxy
+$wgCdnServersNoPurge = [ '10.140.0.1' ];
+