From 4bd4bf3be65eb13166771d375991ccccc3fff664 Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Thu, 11 May 2017 15:04:19 -0300
Subject: [PATCH] Fix remote address in log when protocol is https

---
 controllers/nginx/pkg/cmd/controller/tcp.go | 23 ++++++++-----------
 controllers/nginx/pkg/config/config.go | 7 ++----
 .../rootfs/etc/nginx/template/nginx.tmpl | 16 ++++++++++++-
 3 files changed, 27 insertions(+), 19 deletions(-)

diff --git a/controllers/nginx/pkg/cmd/controller/tcp.go b/controllers/nginx/pkg/cmd/controller/tcp.go
index 8a95fd091..e78192b38 100644
--- a/controllers/nginx/pkg/cmd/controller/tcp.go
+++ b/controllers/nginx/pkg/cmd/controller/tcp.go
@@ -10,9 +10,9 @@ import (
 )
 
 type server struct {
- Hostname string
- IP string
- Port int
+ Hostname string
+ IP string
+ Port int
 ProxyProtocol bool
 }
 
@@ -41,19 +41,16 @@ func (p *proxy) Handle(conn net.Conn) {
 return
 }
 
- var proxy *server
+ proxy := p.Default
 hostname, err := parser.GetHostname(data[:])
 if err == nil {
- glog.V(3).Infof("parsed hostname from TLS Client Hello: %s", hostname)
+ glog.V(4).Infof("parsed hostname from TLS Client Hello: %s", hostname)
 proxy = p.Get(hostname)
- if proxy == nil {
- return
- }
- } else {
- proxy = p.Default
- if proxy == nil {
- return
- }
+ }
+
+ if proxy == nil {
+ glog.V(4).Infof("there is no configured proxy for SSL connections")
+ return
 }
 
 clientConn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", proxy.IP, proxy.Port))
diff --git a/controllers/nginx/pkg/config/config.go b/controllers/nginx/pkg/config/config.go
index 8c7b67758..98017d32e 100644
--- a/controllers/nginx/pkg/config/config.go
+++ b/controllers/nginx/pkg/config/config.go
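Review bot: The new `if proxy == nil` branch emits one identical message for two different situations — no default backend configured, and a successfully parsed SNI hostname that matched nothing — and it drops the hostname, which is exactly the value an operator needs to tell a misconfiguration from a stream of connections probing for unknown names. Since `hostname` is already in scope at that point, log it quoted so an attacker-chosen SNI value cannot blend into the log line: `glog.V(4).Infof("no configured proxy for SSL connection (hostname %q)", hostname)`. Lowering both messages from V(3) to V(4) also removes the only trace of the SNI routing decision at the previous verbosity, which seems worth a mention in the commit message. Handle's body starts and ends outside the hunk.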
@@ -48,7 +48,7 @@ const (
 gzipTypes = "application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component"
- logFormatUpstream = `%v - [$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status`
+ logFormatUpstream = `%v - [$the_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status`
 logFormatStream = `[$time_local] $protocol $status $bytes_sent $bytes_received $session_time`
@@ -332,10 +332,7 @@ func NewDefault() Configuration {
 // is enabled.
 func (cfg Configuration) BuildLogFormatUpstream() string {
 if cfg.LogFormatUpstream == logFormatUpstream {
- if cfg.UseProxyProtocol {
- return fmt.Sprintf(cfg.LogFormatUpstream, "$proxy_protocol_addr")
- }
- return fmt.Sprintf(cfg.LogFormatUpstream, "$remote_addr")
+ return fmt.Sprintf(cfg.LogFormatUpstream, "$the_x_forwarded_for")
 }
 
 return cfg.LogFormatUpstream
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index ba4d8f78e..505a8b537 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
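Review bot: BuildLogFormatUpstream no longer consults `cfg.UseProxyProtocol`, yet the `$the_x_forwarded_for` it now substitutes is mapped (in the nginx.tmpl map hunk of this same patch) to `$proxy_protocol_addr` for every https request, regardless of whether the listener actually receives PROXY protocol framing; when it does not, nginx leaves `$proxy_protocol_addr` empty and the https access log loses the client address entirely — the very field this patch sets out to fix, and the one an incident responder reaches for first. Either the map's `https $proxy_protocol_addr;` entry needs to be guarded by the same setting (`{{ if $cfg.UseProxyProtocol }}` in the template) or this function should keep choosing between `$remote_addr` and the proxy-protocol form. The context line `// is enabled.` appears to be the tail of a doc comment that still describes the removed UseProxyProtocol branch; it should now state that the default format always logs `$the_x_forwarded_for`, with the start of that comment outside the hunk.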
@@ -85,6 +85,9 @@ http {
 server_tokens {{ if $cfg.ShowServerTokens }}on{{ else }}off{{ end }};
+ # disable warnings
+ uninitialized_variable_warn off;
+
 log_format upstreaminfo '{{ buildLogFormatUpstream $cfg }}';
 {{/* map urls that should not appear in access.log */}}
@@ -127,6 +130,16 @@ http {
 '' $server_port;
 }
+ map $pass_access_scheme $the_x_forwarded_for {
+ default $remote_addr;
+ https $proxy_protocol_addr;
+ }
+
+ map $pass_access_scheme $the_real_ip {
+ default $remote_addr;
+ https $proxy_protocol_addr;
+ }
+
 # map port 442 to 443 for header X-Forwarded-Port
 map $pass_server_port $pass_port {
 442 443;
@@ -352,7 +365,8 @@ http {
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $the_real_ip;
+ proxy_set_header X-Forwarded-For $the_x_forwarded_for;
 proxy_set_header X-Forwarded-Host $best_http_host;
 proxy_set_header X-Forwarded-Port $pass_port;
 proxy_set_header X-Forwarded-Proto $pass_access_scheme;
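Review bot: `uninitialized_variable_warn off;` is a block-wide switch that silences every uninitialized-variable warning in this http context, not only whichever one this patch is presumably working around, so a mistyped variable name in a future log_format or map edit will now go unnoticed in the error log. The accompanying `# disable warnings` comment does not say which variable triggers the warning or why an empty value is acceptable there; it should, for example `# <variable> is empty on connections without PROXY protocol framing; do not log a warning per request` with the real name filled in. If the empty value is genuinely expected, handling it in the map with a fallback is safer than hiding the warning globally.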
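Review bot: The `$the_x_forwarded_for` and `$the_real_ip` maps are byte-for-byte identical, so one is redundant today and the two will silently drift apart the first time someone edits only one of them. If the two headers are meant to carry the same value, keep a single map and reference it in both `proxy_set_header` lines; if they are meant to differ (for instance X-Forwarded-For carrying an address chain while X-Real-IP carries one address), the maps should already differ and a comment above them should say what each is for. Keying both on `$pass_access_scheme` also means a request's scheme alone decides whether `$proxy_protocol_addr` is trusted as the client address, which a comment should spell out.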
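Review bot: Replacing `$proxy_add_x_forwarded_for` with `$the_x_forwarded_for` turns X-Forwarded-For from an appended chain into a single address, so any chain set by a trusted load balancer in front of this controller is discarded and upstream applications that read the originating client from its first entry will start seeing the balancer's address instead; the commit message only mentions the access log. If discarding inbound X-Forwarded-For is intended (it does stop a client from spoofing the chain), say so in a comment next to the header; otherwise keep `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and use `$the_real_ip` only for the new X-Real-IP header. The enclosing location block starts and ends outside the hunk.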