Merge 6c2b58817e
into 5a16a7aaa0
commit
022c408329
2 changed files with 40 additions and 19 deletions
|
@ -400,6 +400,9 @@ type Configuration struct {
|
||||||
// Sets the ipv6 addresses on which the server will accept requests.
|
// Sets the ipv6 addresses on which the server will accept requests.
|
||||||
BindAddressIpv6 []string `json:"bind-address-ipv6,omitempty"`
|
BindAddressIpv6 []string `json:"bind-address-ipv6,omitempty"`
|
||||||
|
|
||||||
|
// Sets whether to use incoming X-Forwarded headers.
|
||||||
|
UseForwardedHeaders bool `json:"use-forwarded-headers"`
|
||||||
|
|
||||||
// Sets the header field for identifying the originating IP address of a client
|
// Sets the header field for identifying the originating IP address of a client
|
||||||
// Default is X-Forwarded-For
|
// Default is X-Forwarded-For
|
||||||
ForwardedForHeader string `json:"forwarded-for-header,omitempty"`
|
ForwardedForHeader string `json:"forwarded-for-header,omitempty"`
|
||||||
|
@ -482,6 +485,7 @@ func NewDefault() Configuration {
|
||||||
EnableDynamicTLSRecords: true,
|
EnableDynamicTLSRecords: true,
|
||||||
EnableUnderscoresInHeaders: false,
|
EnableUnderscoresInHeaders: false,
|
||||||
ErrorLogLevel: errorLevel,
|
ErrorLogLevel: errorLevel,
|
||||||
|
UseForwardedHeaders: true,
|
||||||
ForwardedForHeader: "X-Forwarded-For",
|
ForwardedForHeader: "X-Forwarded-For",
|
||||||
ComputeFullForwardedFor: false,
|
ComputeFullForwardedFor: false,
|
||||||
HTTP2MaxFieldSize: "4k",
|
HTTP2MaxFieldSize: "4k",
|
||||||
|
|
|
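Review bot: The doc comment on the new UseForwardedHeaders field does not state its default, although the sibling ForwardedForHeader comment does ("Default is X-Forwarded-For") and the NewDefault hunk sets it to true; add `// Default is true` below the existing comment line. Since the template maps gated by this flag (second file, `map $http_x_forwarded_proto $pass_access_scheme` and the port/host maps) take the header values straight from the request without any source restriction, the comment should also say when it must be off: `// Set to false when the controller is reachable directly by clients rather than only through a trusted proxy that sets the X-Forwarded headers.` The tag without omitempty looks deliberate for a default-true bool, since omitempty would drop an explicit false on marshal; a short note to that effect would stop a later cleanup from "fixing" it.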
@ -42,7 +42,9 @@ events {
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
{{/* we use the value of the header X-Forwarded-For to be able to use the geo_ip module */}}
|
{{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
|
||||||
|
{{/* we use the value of the real IP for the geo_ip module */}}
|
||||||
|
{{ if or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol }}
|
||||||
{{ if $cfg.UseProxyProtocol }}
|
{{ if $cfg.UseProxyProtocol }}
|
||||||
real_ip_header proxy_protocol;
|
real_ip_header proxy_protocol;
|
||||||
{{ else }}
|
{{ else }}
|
||||||
|
@ -53,6 +55,7 @@ http {
|
||||||
{{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
|
{{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
|
||||||
set_real_ip_from {{ $trusted_ip }};
|
set_real_ip_from {{ $trusted_ip }};
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
{{/* databases used to determine the country depending on the client IP address */}}
|
{{/* databases used to determine the country depending on the client IP address */}}
|
||||||
{{/* http://nginx.org/en/docs/http/ngx_http_geoip_module.html */}}
|
{{/* http://nginx.org/en/docs/http/ngx_http_geoip_module.html */}}
|
||||||
|
@ -186,7 +189,7 @@ http {
|
||||||
'' close;
|
'' close;
|
||||||
}
|
}
|
||||||
|
|
||||||
map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip {
|
map 'dummy' $the_real_ip {
|
||||||
{{ if $cfg.UseProxyProtocol }}
|
{{ if $cfg.UseProxyProtocol }}
|
||||||
# Get IP address from Proxy Protocol
|
# Get IP address from Proxy Protocol
|
||||||
default $proxy_protocol_addr;
|
default $proxy_protocol_addr;
|
||||||
|
@ -195,19 +198,13 @@ http {
|
||||||
{{ end }}
|
{{ end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{{ if $cfg.UseForwardedHeaders }}
|
||||||
# trust http_x_forwarded_proto headers correctly indicate ssl offloading
|
# trust http_x_forwarded_proto headers correctly indicate ssl offloading
|
||||||
map $http_x_forwarded_proto $pass_access_scheme {
|
map $http_x_forwarded_proto $pass_access_scheme {
|
||||||
default $http_x_forwarded_proto;
|
default $http_x_forwarded_proto;
|
||||||
'' $scheme;
|
'' $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
# validate $pass_access_scheme and $scheme are http to force a redirect
|
|
||||||
map "$scheme:$pass_access_scheme" $redirect_to_https {
|
|
||||||
default 0;
|
|
||||||
"http:http" 1;
|
|
||||||
"http:https" 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
map $http_x_forwarded_port $pass_server_port {
|
map $http_x_forwarded_port $pass_server_port {
|
||||||
default $http_x_forwarded_port;
|
default $http_x_forwarded_port;
|
||||||
'' $server_port;
|
'' $server_port;
|
||||||
|
@ -217,6 +214,26 @@ http {
|
||||||
default $http_x_forwarded_host;
|
default $http_x_forwarded_host;
|
||||||
'' $this_host;
|
'' $this_host;
|
||||||
}
|
}
|
||||||
|
{{ else }}
|
||||||
|
map 'dummy' $pass_access_scheme {
|
||||||
|
default $scheme;
|
||||||
|
}
|
||||||
|
|
||||||
|
map 'dummy' $pass_server_port {
|
||||||
|
default $server_port;
|
||||||
|
}
|
||||||
|
|
||||||
|
map 'dummy' $best_http_host {
|
||||||
|
default $this_host;
|
||||||
|
}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
# validate $pass_access_scheme and $scheme are http to force a redirect
|
||||||
|
map "$scheme:$pass_access_scheme" $redirect_to_https {
|
||||||
|
default 0;
|
||||||
|
"http:http" 1;
|
||||||
|
"http:https" 1;
|
||||||
|
}
|
||||||
|
|
||||||
{{ if $all.IsSSLPassthroughEnabled }}
|
{{ if $all.IsSSLPassthroughEnabled }}
|
||||||
# map port {{ $all.ListenPorts.SSLProxy }} to 443 for header X-Forwarded-Port
|
# map port {{ $all.ListenPorts.SSLProxy }} to 443 for header X-Forwarded-Port
|
||||||
|
@ -237,17 +254,21 @@ http {
|
||||||
'' $host;
|
'' $host;
|
||||||
}
|
}
|
||||||
|
|
||||||
{{ if $cfg.ComputeFullForwardedFor }}
|
{{ if and $cfg.UseForwardedHeaders $cfg.ComputeFullForwardedFor }}
|
||||||
# We can't use $proxy_add_x_forwarded_for because the realip module
|
# We can't use $proxy_add_x_forwarded_for because the realip module
|
||||||
# replaces the remote_addr too soon
|
# replaces the remote_addr too soon
|
||||||
map $http_x_forwarded_for $full_x_forwarded_for {
|
map {{ buildForwardedFor $all.Cfg.ForwardedForHeader }} $full_x_forwarded_for {
|
||||||
{{ if $all.Cfg.UseProxyProtocol }}
|
{{ if $all.Cfg.UseProxyProtocol }}
|
||||||
default "$http_x_forwarded_for, $proxy_protocol_addr";
|
default "{{ buildForwardedFor $all.Cfg.ForwardedForHeader }}, $proxy_protocol_addr";
|
||||||
'' "$proxy_protocol_addr";
|
'' "$proxy_protocol_addr";
|
||||||
{{ else }}
|
{{ else }}
|
||||||
default "$http_x_forwarded_for, $realip_remote_addr";
|
default "{{ buildForwardedFor $all.Cfg.ForwardedForHeader }}, $realip_remote_addr";
|
||||||
'' "$realip_remote_addr";
|
'' "$realip_remote_addr";
|
||||||
{{ end}}
|
{{ end }}
|
||||||
|
}
|
||||||
|
{{ else }}
|
||||||
|
map 'dummy' $full_x_forwarded_for {
|
||||||
|
default $remote_addr;
|
||||||
}
|
}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
|
@ -807,11 +828,7 @@ stream {
|
||||||
proxy_set_header Connection $connection_upgrade;
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $the_real_ip;
|
proxy_set_header X-Real-IP $the_real_ip;
|
||||||
{{ if $all.Cfg.ComputeFullForwardedFor }}
|
|
||||||
proxy_set_header X-Forwarded-For $full_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $full_x_forwarded_for;
|
||||||
{{ else }}
|
|
||||||
proxy_set_header X-Forwarded-For $the_real_ip;
|
|
||||||
{{ end }}
|
|
||||||
proxy_set_header X-Forwarded-Host $best_http_host;
|
proxy_set_header X-Forwarded-Host $best_http_host;
|
||||||
proxy_set_header X-Forwarded-Port $pass_port;
|
proxy_set_header X-Forwarded-Port $pass_port;
|
||||||
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
|
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
|
||||||
|
|
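Review bot: In the hunk at @ -237, the new `{{ else }}` branch makes `$full_x_forwarded_for` default to `$remote_addr`, whereas the line it replaces in the stream hunk at @ -807 (`proxy_set_header X-Forwarded-For $the_real_ip;`) used `$the_real_ip`, which the map at @ -186 resolves to `$proxy_protocol_addr` whenever proxy protocol is enabled. As I read the real_ip module, `$remote_addr` is only rewritten for peers matching `set_real_ip_from`, so for a proxy-protocol connection from an address outside ProxyRealIPCIDR the upstream would now receive an X-Real-IP (`$the_real_ip`, unchanged context at @ -807) that disagrees with X-Forwarded-For. Reusing the variable that is already defined for this purpose keeps the two headers consistent: `default $the_real_ip;`. The non-proxy-protocol branch of the `$the_real_ip` map and the enclosing `http {` block lie outside the hunks, so this assumes that branch still defaults to `$remote_addr`.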