diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index 9861377f2..3666defbf 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -1229,18 +1229,17 @@ func commonListenOptions(template config.TemplateConfig, hostname string) string
 func httpListener(addresses []string, co string, tc config.TemplateConfig) []string {
 out := make([]string, 0)
 for _, address := range addresses {
- l := make([]string, 0)
- l = append(l, "listen")
+ lo := []string{"listen"}
 if address == "" {
- l = append(l, fmt.Sprintf("%v", tc.ListenPorts.HTTP))
+ lo = append(lo, fmt.Sprintf("%v", tc.ListenPorts.HTTP))
 } else {
- l = append(l, fmt.Sprintf("%v:%v", address, tc.ListenPorts.HTTP))
+ lo = append(lo, fmt.Sprintf("%v:%v", address, tc.ListenPorts.HTTP))
 }
- l = append(l, co)
- l = append(l, ";")
- out = append(out, strings.Join(l, " "))
+ lo = append(lo, co)
+ lo = append(lo, ";")
+ out = append(out, strings.Join(lo, " "))
 }
 return out
@@ -1249,38 +1248,35 @@ func httpListener(addresses []string, co string, tc config.TemplateConfig) []str
 func httpsListener(addresses []string, co string, tc config.TemplateConfig) []string {
 out := make([]string, 0)
 for _, address := range addresses {
- l := make([]string, 0)
- l = append(l, "listen")
+ lo := []string{"listen"}
 if tc.IsSSLPassthroughEnabled {
 if address == "" {
- l = append(l, fmt.Sprintf("%v", tc.ListenPorts.SSLProxy))
+ lo = append(lo, fmt.Sprintf("%v", tc.ListenPorts.SSLProxy))
 } else {
- l = append(l, fmt.Sprintf("%v:%v", address, tc.ListenPorts.SSLProxy))
+ lo = append(lo, fmt.Sprintf("%v:%v", address, tc.ListenPorts.SSLProxy))
 }
- l = append(l, "proxy_protocol")
+ if !strings.Contains(co, "proxy_protocol") {
+ lo = append(lo, "proxy_protocol")
+ }
 } else {
 if address == "" {
- l = append(l, fmt.Sprintf("%v", tc.ListenPorts.HTTPS))
+ lo = append(lo, fmt.Sprintf("%v", tc.ListenPorts.HTTPS))
 } else {
- l = append(l, fmt.Sprintf("%v:%v", address, tc.ListenPorts.HTTPS))
- }
-
- if tc.Cfg.UseProxyProtocol {
- l = append(l, "proxy_protocol")
+ lo = append(lo, fmt.Sprintf("%v:%v", address, tc.ListenPorts.HTTPS))
 }
 }
- l = append(l, co)
- l = append(l, "ssl")
+ lo = append(lo, co)
+ lo = append(lo, "ssl")
 if tc.Cfg.UseHTTP2 {
- l = append(l, "http2")
+ lo = append(lo, "http2")
 }
- l = append(l, ";")
- out = append(out, strings.Join(l, " "))
+ lo = append(lo, ";")
+ out = append(out, strings.Join(lo, " "))
 }
 return out
diff --git a/test/e2e/settings/proxy_protocol.go b/test/e2e/settings/proxy_protocol.go
index fb51f6553..22ab3bdd7 100644
--- a/test/e2e/settings/proxy_protocol.go
+++ b/test/e2e/settings/proxy_protocol.go
@@ -17,6 +17,7 @@ limitations under the License.
 package settings
 import (
+ "crypto/tls"
 "fmt"
 "io/ioutil"
 "net"
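Review bot: In httpsListener (template.go), the non-passthrough branch no longer appends `proxy_protocol` itself, so with `tc.Cfg.UseProxyProtocol` set the HTTPS listener carries the flag only if `co` already does. The code that builds `co` is outside this diff (presumably commonListenOptions, named in the first hunk header), so that cannot be confirmed from these lines. A comment at `lo = append(lo, co)` such as `// proxy_protocol for the non-passthrough listener comes only from co` would keep that coupling visible to the next person who edits the option builder. In the passthrough branch, `strings.Contains(co, "proxy_protocol")` is a substring match over the whole option string; comparing against the tokens of `strings.Fields(co)` would avoid a false match on some other option that merely contains that text, which would leave the SSLProxy listener without the flag.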
@@ -103,4 +104,47 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() {
 assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=https"))
 assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=192.168.0.1"))
 })
+
+ ginkgo.It("should enable PROXY Protocol for HTTPS", func() {
+ host := "proxy-protocol"
+
+ f.UpdateNginxConfigMapData(setting, "true")
+
+ ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))
+ tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,
+ ing.Spec.TLS[0].Hosts,
+ ing.Spec.TLS[0].SecretName,
+ ing.Namespace)
+ assert.Nil(ginkgo.GinkgoT(), err)
+
+ f.WaitForNginxServer(host,
+ func(server string) bool {
+ return strings.Contains(server, "443 proxy_protocol")
+ })
+
+ ip := f.GetNginxIP()
+
+ conn, err := net.Dial("tcp", net.JoinHostPort(ip, "443"))
+ assert.Nil(ginkgo.GinkgoT(), err, "unexpected error connecting to %v:443", ip)
+ defer conn.Close()
+
+ _, err = fmt.Fprintf(conn, "PROXY TCP4 192.168.0.1 192.168.0.11 56324 1234\r\n")
+ assert.Nil(ginkgo.GinkgoT(), err, "writing proxy protocol")
+
+ tlsConn := tls.Client(conn, tlsConfig)
+ defer tlsConn.Close()
+
+ _, err = tlsConn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n"))
+ assert.Nil(ginkgo.GinkgoT(), err, "writing HTTP request")
+
+ data, err := ioutil.ReadAll(tlsConn)
+ assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data")
+
+ body := string(data)
+ assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", "proxy-protocol"))
+ assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=1234"))
+ assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=https"))
+ assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-scheme=https"))
+ assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=192.168.0.1"))
+ })
 })
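Review bot: The request written to `tlsConn` has no `Connection: close` header and no deadline is set on `conn`, so `ioutil.ReadAll(tlsConn)` returns only when the server closes the connection. With HTTP/1.1 keep-alive that presumably means waiting for the server's keep-alive timeout, and a listener that never answers would stall the test. Sending `"GET / HTTP/1.1\r\nHost: proxy-protocol\r\nConnection: close\r\n\r\n"` bounds the read without a new import. A one-line comment above the `fmt.Fprintf(conn, "PROXY TCP4 ...")` call, saying that the PROXY header is written in clear before the TLS handshake and that its source address and destination port are the values asserted below, would also make the ordering easier to follow.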