From 46a3e0a6fdbee00a9719041b53d36ba48c1956b7 Mon Sep 17 00:00:00 2001
From: Ilya Nemakov
Date: Sun, 9 Feb 2020 21:14:05 +0300
Subject: [PATCH] Fix X-Forwarded-Proto based on proxy-protocol server port
---
 .../ingress/controller/template/template.go | 2 ++
 rootfs/etc/nginx/lua/lua_ingress.lua | 6 ++++
 test/e2e/settings/proxy_protocol.go | 33 +++++++++++++++++++
 3 files changed, 41 insertions(+)
diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
index 3ffe91cb1..7939565c3 100644
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@@ -275,6 +275,7 @@ func configForLua(input interface{}) string {
 return fmt.Sprintf(`{
 use_forwarded_headers = %t,
+ use_proxy_protocol = %t,
 is_ssl_passthrough_enabled = %t,
 http_redirect_code = %v,
 listen_ports = { ssl_proxy = "%v", https = "%v" },
@@ -285,6 +286,7 @@ func configForLua(input interface{}) string {
 hsts_preload = %t,
 }`,
 all.Cfg.UseForwardedHeaders,
+ all.Cfg.UseProxyProtocol,
 all.IsSSLPassthroughEnabled,
 all.Cfg.HTTPRedirectCode,
 all.ListenPorts.SSLProxy,
diff --git a/rootfs/etc/nginx/lua/lua_ingress.lua b/rootfs/etc/nginx/lua/lua_ingress.lua
index 83106425a..2d84ce141 100644
--- a/rootfs/etc/nginx/lua/lua_ingress.lua
+++ b/rootfs/etc/nginx/lua/lua_ingress.lua
@@ -123,6 +123,12 @@ function _M.rewrite(location_config)
 end
 end
+ if config.use_proxy_protocol then
+ if ngx.var.proxy_protocol_server_port == "443" then
+ ngx.var.pass_access_scheme = "https"
+ end
+ end
+
 ngx.var.pass_port = ngx.var.pass_server_port
 if config.is_ssl_passthrough_enabled then
 if ngx.var.pass_server_port == config.listen_ports.ssl_proxy then
diff --git a/test/e2e/settings/proxy_protocol.go b/test/e2e/settings/proxy_protocol.go
index fc696313d..e0348c4ed 100644
--- a/test/e2e/settings/proxy_protocol.go
+++ b/test/e2e/settings/proxy_protocol.go
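Review bot: In `_M.rewrite` (rootfs/etc/nginx/lua/lua_ingress.lua) the added block sets `pass_access_scheme` to `https` from `ngx.var.proxy_protocol_server_port` alone, and that value is whatever destination port the PROXY header announces, so it is only as trustworthy as the peer that opened the connection. Nothing visible in the hunk ties it to a trusted load-balancer source, so if the proxy_protocol listener is reachable by anything other than the load balancer, a plaintext request can be presented upstream as `X-Forwarded-Proto: https` (the e2e case in this commit shows the header on port 80 producing exactly that). I would state the assumption above the block, e.g. `-- proxy_protocol_server_port comes from the PROXY header; only meaningful when this listener accepts connections solely from the trusted load balancer`, and repeat it in the setting's documentation. The literal `"443"` also misses load balancers that terminate TLS on another port, so a configurable port would be more robust. The function body continues outside the hunk, so whether later redirect logic reads `pass_access_scheme` is not visible here.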
@@ -69,6 +69,39 @@ var _ = framework.IngressNginxDescribe("Proxy Protocol", func() {
 body := string(data)
 Expect(body).Should(ContainSubstring(fmt.Sprintf("host=%v", "proxy-protocol")))
 Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-port=1234")))
+ Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-proto=http")))
+ Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-for=192.168.0.1")))
+ })
+
+ It("should respect proto passed by the PROXY Protocol server port", func() {
+ host := "proxy-protocol"
+
+ f.UpdateNginxConfigMapData(setting, "true")
+
+ f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil))
+
+ f.WaitForNginxServer(host,
+ func(server string) bool {
+ return strings.Contains(server, "server_name proxy-protocol") &&
+ strings.Contains(server, "listen 80 proxy_protocol")
+ })
+
+ ip := f.GetNginxIP()
+
+ conn, err := net.Dial("tcp", net.JoinHostPort(ip, "80"))
+ Expect(err).NotTo(HaveOccurred(), "unexpected error creating connection to %s:80", ip)
+ defer conn.Close()
+
+ header := "PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n"
+ conn.Write([]byte(header))
+ conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n"))
+
+ data, err := ioutil.ReadAll(conn)
+ Expect(err).NotTo(HaveOccurred(), "unexpected error reading connection data")
+ body := string(data)
+ Expect(body).Should(ContainSubstring(fmt.Sprintf("host=%v", "proxy-protocol")))
+ Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-port=443")))
+ Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-proto=https")))
 Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-for=192.168.0.1")))
 })
 })
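Review bot: The two `conn.Write` calls in the new `It` block drop their return values and the connection has no deadline, so a failed or stalled exchange surfaces as a confusing substring mismatch or a hung `ioutil.ReadAll` rather than a clear error. Check each write, e.g. `_, err = conn.Write([]byte(header))` followed by `Expect(err).NotTo(HaveOccurred(), "unexpected error writing PROXY header")`, and call `conn.SetDeadline` with a short timeout right after the dial. The assertions that wrap a verb-less literal, such as `fmt.Sprintf("x-forwarded-proto=https")`, can pass the string directly to `ContainSubstring`. The enclosing `IngressNginxDescribe` closure starts outside the hunk, so the `setting` and `f` values used here are not visible.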