Fix X-Forwarded-Proto based on proxy-protocol server port

2020-02-09 21:14:05 +03:00 · 2020-02-09 21:14:05 +03:00 · 46a3e0a6fd
commit 46a3e0a6fd
parent e5aaf15639
3 changed files with 41 additions and 0 deletions
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@ -275,6 +275,7 @@ func configForLua(input interface{}) string {

 	return fmt.Sprintf(`{
 		use_forwarded_headers = %t,
+		use_proxy_protocol = %t,
 		is_ssl_passthrough_enabled = %t,
 		http_redirect_code = %v,
 		listen_ports = { ssl_proxy = "%v", https = "%v" },
@ -285,6 +286,7 @@ func configForLua(input interface{}) string {
 		hsts_preload = %t,
 	}`,
 		all.Cfg.UseForwardedHeaders,
+		all.Cfg.UseProxyProtocol,
 		all.IsSSLPassthroughEnabled,
 		all.Cfg.HTTPRedirectCode,
 		all.ListenPorts.SSLProxy,
--- a/rootfs/etc/nginx/lua/lua_ingress.lua
+++ b/rootfs/etc/nginx/lua/lua_ingress.lua
@ -123,6 +123,12 @@ function _M.rewrite(location_config)
    end
  end

+  if config.use_proxy_protocol then
+    if ngx.var.proxy_protocol_server_port == "443" then
+      ngx.var.pass_access_scheme = "https"
+    end
+  end
+
  ngx.var.pass_port = ngx.var.pass_server_port
  if config.is_ssl_passthrough_enabled then
    if ngx.var.pass_server_port == config.listen_ports.ssl_proxy then
--- a/test/e2e/settings/proxy_protocol.go
+++ b/test/e2e/settings/proxy_protocol.go
@ -69,6 +69,39 @@ var _ = framework.IngressNginxDescribe("Proxy Protocol", func() {
 		body := string(data)
 		Expect(body).Should(ContainSubstring(fmt.Sprintf("host=%v", "proxy-protocol")))
 		Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-port=1234")))
+		Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-proto=http")))
+		Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-for=192.168.0.1")))
+	})
+
+	It("should respect proto passed by the PROXY Protocol server port", func() {
+		host := "proxy-protocol"
+
+		f.UpdateNginxConfigMapData(setting, "true")
+
+		f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil))
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "server_name proxy-protocol") &&
+					strings.Contains(server, "listen 80 proxy_protocol")
+			})
+
+		ip := f.GetNginxIP()
+
+		conn, err := net.Dial("tcp", net.JoinHostPort(ip, "80"))
+		Expect(err).NotTo(HaveOccurred(), "unexpected error creating connection to %s:80", ip)
+		defer conn.Close()
+
+		header := "PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n"
+		conn.Write([]byte(header))
+		conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n"))
+
+		data, err := ioutil.ReadAll(conn)
+		Expect(err).NotTo(HaveOccurred(), "unexpected error reading connection data")
+		body := string(data)
+		Expect(body).Should(ContainSubstring(fmt.Sprintf("host=%v", "proxy-protocol")))
+		Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-port=443")))
+		Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-proto=https")))
 		Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-for=192.168.0.1")))
 	})
 })