diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index f3b83e4ad..87919eb7a 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -28,14 +28,12 @@ http {
 {{/* we use the value of the header X-Forwarded-For to be able to use the geo_ip module */}}
 {{ if $cfg.UseProxyProtocol }}
 real_ip_header proxy_protocol;
- {{ else }}
- real_ip_header X-Forwarded-For;
- {{ end }}
 real_ip_recursive on;
 {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
 set_real_ip_from {{ $trusted_ip }};
 {{ end }}
+ {{ end }}
 {{/* databases used to determine the country depending on the client IP address */}}
 {{/* http://nginx.org/en/docs/http/ngx_http_geoip_module.html */}}
@@ -143,6 +141,7 @@ http {
 '' close;
 }
+ {{ if $cfg.UseProxyProtocol }}
 # trust http_x_forwarded_proto headers correctly indicate ssl offloading
 map $http_x_forwarded_proto $pass_access_scheme {
 default $http_x_forwarded_proto;
@@ -154,16 +153,24 @@ http {
 '' $server_port;
 }
- {{ if $cfg.UseProxyProtocol }}
 map $http_x_forwarded_for $the_real_ip {
 default $http_x_forwarded_for;
 '' $proxy_protocol_addr;
 }
 {{ else }}
- map $http_x_forwarded_for $the_real_ip {
- default $http_x_forwarded_for;
- '' $realip_remote_addr;
+
+ map $http_x_forwarded_proto $pass_access_scheme {
+ default $scheme;
 }
+
+ map $http_x_forwarded_port $pass_server_port {
+ default $server_port;
+ }
+
+ map $http_x_forwarded_for $the_real_ip {
+ default $remote_addr;
+ }
+
 {{ end }}
 {{ if $all.IsSSLPassthroughEnabled }}
@@ -269,7 +276,7 @@ http {
 {{ end }}
 upstream {{ $upstream.Name }} {
- # Load balance algorithm; empty for round robin, which is the default
+ {{/* Load balance algorithm; empty for round robin, which is the default */}}
 {{ if ne $cfg.LoadBalanceAlgorithm "round_robin" }}
 {{ $cfg.LoadBalanceAlgorithm }};
 {{ end }}
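Review bot: In the `@@ -28,14 +28,12 @@` hunk the template comment kept as context still says the X-Forwarded-For header is used for the geo_ip module, but on the new side the realip directives are emitted only under `$cfg.UseProxyProtocol` and only with `real_ip_header proxy_protocol;`. I would reword it to something like `{{/* the client address comes from the PROXY protocol header, and only from peers listed in ProxyRealIPCIDR; X-Forwarded-For is not used here */}}`. It is also worth noting next to the `set_real_ip_from` loop that `$cfg.ProxyRealIPCIDR` should list only the load balancer's addresses, because every peer inside those ranges is believed about the client address it reports. The enclosing `http {` block starts and ends outside the hunk.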
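Review bot: The proxy-protocol branch opened in the `@@ -143,6 +141,7 @@` hunk still takes the request's own X-Forwarded-* headers at face value: `default $http_x_forwarded_proto;` here, and in the `@@ -154,16 +153,24 @@` hunk `default $http_x_forwarded_for;`, with `$proxy_protocol_addr` used only when the header is empty. Receiving a PROXY protocol preamble does not by itself mean a trusted hop set or stripped those headers, so unless something outside this template sanitises them, a value sent by the client wins over the address the load balancer reported. For `$the_real_ip` I would make the trusted source the default, `default $proxy_protocol_addr;`, and accept the forwarded headers only behind an explicit setting. Where `$the_real_ip` and `$pass_access_scheme` are consumed is outside these hunks, and the first map's body continues past the hunk, so the impact on logging and on headers passed upstream should be confirmed there.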
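Review bot: In the `{{ else }}` branch added by the `@@ -154,16 +153,24 @@` hunk, the three maps are keyed on `$http_x_forwarded_proto`, `$http_x_forwarded_port` and `$http_x_forwarded_for` but contain only a `default`, so the header is never consulted. That is the conservative behaviour, but it reads like an oversight without a comment; I would add `{{/* proxy protocol disabled: ignore X-Forwarded-* and use the values of the direct connection */}}` above the first of them. The existing `# trust http_x_forwarded_proto headers ...` comment now sits only inside the `{{ if }}` branch, so nothing explains the else branch. Deployments behind an HTTP load balancer without PROXY protocol will presumably now see the balancer's `$scheme` and `$remote_addr`, which deserves a line in the commit message or changelog.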