DevFW-CICD/ingress-nginx-helm
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #1489 from maxlaverse/fix_x_forwarded_for

Browse source 
Compute a real `X-Forwarded-For` header
This commit is contained in:
Manuel Alejandro de Brito Fontes 2017-10-26 20:45:07 -03:00 committed by GitHub
commit 52ee9d3199
3 changed files with 26 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
docs/user-guide/configmap.md
View file

@ -72,7 +72,7 @@ _References:_
#### proxy-body-size #### proxy-body-size
Sets the maximum allowed size of the client request body. Sets the maximum allowed size of the client request body.
See NGINX [client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size). See NGINX [client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size).
#### proxy-buffer-size #### proxy-buffer-size
@ -237,7 +237,7 @@ By default this is enabled.
#### map-hash-bucket-size #### map-hash-bucket-size
Sets the bucket size for the [map variables hash tables](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size). Sets the bucket size for the [map variables hash tables](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size).
The details of setting up hash tables are provided in a separate [document](http://nginx.org/en/docs/hash.html). The details of setting up hash tables are provided in a separate [document](http://nginx.org/en/docs/hash.html).
#### ssl-buffer-size #### ssl-buffer-size
@ -248,7 +248,7 @@ https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/
#### ssl-ciphers #### ssl-ciphers
Sets the [ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) list to enable. Sets the [ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) list to enable.
The ciphers are specified in the format understood by the OpenSSL library. The ciphers are specified in the format understood by the OpenSSL library.
The default cipher list is: The default cipher list is:
@ -336,7 +336,7 @@ See [ngx_http_access_module](http://nginx.org/en/docs/http/ngx_http_access_modul
#### worker-processes #### worker-processes
Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes).
The default of "auto" means number of available CPU cores. The default of "auto" means number of available CPU cores.
#### worker-shutdown-timeout #### worker-shutdown-timeout
@ -376,6 +376,10 @@ Default: ""
Adds custom configuration to all the locations in the nginx configuration Adds custom configuration to all the locations in the nginx configuration
Default: "" Default: ""
#### compute-full-forwarded-for
Append the remote address to the X-Forwarded-For header instead of replacing it. When this option is enabled, the upstream application is responsible for extracting the client IP based on its own list of trusted proxies.
### Opentracing ### Opentracing
#### enable-opentracing #### enable-opentracing

5
pkg/nginx/config/config.go
View file

@ -386,6 +386,10 @@ type Configuration struct {
// Default is X-Forwarded-For // Default is X-Forwarded-For
ForwardedForHeader string `json:"forwarded-for-header,omitempty"` ForwardedForHeader string `json:"forwarded-for-header,omitempty"`
// Append the remote address to the X-Forwarded-For header instead of replacing it
// Default: false
ComputeFullForwardedFor bool `json:"compute-full-forwarded-for,omitempty"`
// EnableOpentracing enables the nginx Opentracing extension // EnableOpentracing enables the nginx Opentracing extension
// https://github.com/rnburn/nginx-opentracing // https://github.com/rnburn/nginx-opentracing
// By default this is disabled // By default this is disabled
@ -428,6 +432,7 @@ func NewDefault() Configuration {
EnableUnderscoresInHeaders: false, EnableUnderscoresInHeaders: false,
ErrorLogLevel: errorLevel, ErrorLogLevel: errorLevel,
ForwardedForHeader: "X-Forwarded-For", ForwardedForHeader: "X-Forwarded-For",
ComputeFullForwardedFor: false,
HTTP2MaxFieldSize: "4k", HTTP2MaxFieldSize: "4k",
HTTP2MaxHeaderSize: "16k", HTTP2MaxHeaderSize: "16k",
HSTS: true, HSTS: true,

13
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -210,6 +210,15 @@ http {
'' $host; '' $host;
} }
{{ if $cfg.ComputeFullForwardedFor }}
# We can't use $proxy_add_x_forwarded_for because the realip module
# replaces the remote_addr too soon
map $http_x_forwarded_for $full_x_forwarded_for {
default "$http_x_forwarded_for, $realip_remote_addr";
'' "$realip_remote_addr";
}
{{ end }}
server_name_in_redirect off; server_name_in_redirect off;
port_in_redirect off; port_in_redirect off;
@ -742,7 +751,11 @@ stream {
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $the_real_ip; proxy_set_header X-Real-IP $the_real_ip;
{{ if $all.Cfg.ComputeFullForwardedFor }}
proxy_set_header X-Forwarded-For $full_x_forwarded_for;
{{ else }}
proxy_set_header X-Forwarded-For $the_real_ip; proxy_set_header X-Forwarded-For $the_real_ip;
{{ end }}
proxy_set_header X-Forwarded-Host $best_http_host; proxy_set_header X-Forwarded-Host $best_http_host;
proxy_set_header X-Forwarded-Port $pass_port; proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme; proxy_set_header X-Forwarded-Proto $pass_access_scheme;