DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix X-Forwarded-Proto based on proxy-protocol server port

Browse source
This commit is contained in:
Ilya Nemakov 2020-02-09 21:14:05 +03:00
parent e5aaf15639
commit 46a3e0a6fd
3 changed files with 41 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
internal/ingress/controller/template/template.go
View file

@ -275,6 +275,7 @@ func configForLua(input interface{}) string {
return fmt.Sprintf(`{ return fmt.Sprintf(`{
use_forwarded_headers = %t, use_forwarded_headers = %t,
use_proxy_protocol = %t,
is_ssl_passthrough_enabled = %t, is_ssl_passthrough_enabled = %t,
http_redirect_code = %v, http_redirect_code = %v,
listen_ports = { ssl_proxy = "%v", https = "%v" }, listen_ports = { ssl_proxy = "%v", https = "%v" },
@ -285,6 +286,7 @@ func configForLua(input interface{}) string {
hsts_preload = %t, hsts_preload = %t,
}`, }`,
all.Cfg.UseForwardedHeaders, all.Cfg.UseForwardedHeaders,
all.Cfg.UseProxyProtocol,
all.IsSSLPassthroughEnabled, all.IsSSLPassthroughEnabled,
all.Cfg.HTTPRedirectCode, all.Cfg.HTTPRedirectCode,
all.ListenPorts.SSLProxy, all.ListenPorts.SSLProxy,

6
rootfs/etc/nginx/lua/lua_ingress.lua
View file

@ -123,6 +123,12 @@ function _M.rewrite(location_config)
end end
end end
if config.use_proxy_protocol then
if ngx.var.proxy_protocol_server_port == "443" then
ngx.var.pass_access_scheme = "https"
end
end
ngx.var.pass_port = ngx.var.pass_server_port ngx.var.pass_port = ngx.var.pass_server_port
if config.is_ssl_passthrough_enabled then if config.is_ssl_passthrough_enabled then
if ngx.var.pass_server_port == config.listen_ports.ssl_proxy then if ngx.var.pass_server_port == config.listen_ports.ssl_proxy then

33
test/e2e/settings/proxy_protocol.go
View file

@ -69,6 +69,39 @@ var _ = framework.IngressNginxDescribe("Proxy Protocol", func() {
body := string(data) body := string(data)
Expect(body).Should(ContainSubstring(fmt.Sprintf("host=%v", "proxy-protocol"))) Expect(body).Should(ContainSubstring(fmt.Sprintf("host=%v", "proxy-protocol")))
Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-port=1234"))) Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-port=1234")))
Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-proto=http")))
Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-for=192.168.0.1")))
})
It("should respect proto passed by the PROXY Protocol server port", func() {
host := "proxy-protocol"
f.UpdateNginxConfigMapData(setting, "true")
f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil))
f.WaitForNginxServer(host,
func(server string) bool {
return strings.Contains(server, "server_name proxy-protocol") &&
strings.Contains(server, "listen 80 proxy_protocol")
})
ip := f.GetNginxIP()
conn, err := net.Dial("tcp", net.JoinHostPort(ip, "80"))
Expect(err).NotTo(HaveOccurred(), "unexpected error creating connection to %s:80", ip)
defer conn.Close()
header := "PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n"
conn.Write([]byte(header))
conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n"))
data, err := ioutil.ReadAll(conn)
Expect(err).NotTo(HaveOccurred(), "unexpected error reading connection data")
body := string(data)
Expect(body).Should(ContainSubstring(fmt.Sprintf("host=%v", "proxy-protocol")))
Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-port=443")))
Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-proto=https")))
Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-for=192.168.0.1"))) Expect(body).Should(ContainSubstring(fmt.Sprintf("x-forwarded-for=192.168.0.1")))
}) })
}) })