Merge pull request #1489 from maxlaverse/fix_x_forwarded_for

Compute a real `X-Forwarded-For` header
Manuel Alejandro de Brito Fontes 2017-10-26 20:45:07 -03:00 committed by GitHub
commit 52ee9d3199
3 changed files with 26 additions and 4 deletions


@ -72,7 +72,7 @@ _References:_
#### proxy-body-size #### proxy-body-size
Sets the maximum allowed size of the client request body. Sets the maximum allowed size of the client request body.
See NGINX [client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size). See NGINX [client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size).
#### proxy-buffer-size #### proxy-buffer-size
@ -237,7 +237,7 @@ By default this is enabled.
#### map-hash-bucket-size #### map-hash-bucket-size
Sets the bucket size for the [map variables hash tables](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size). Sets the bucket size for the [map variables hash tables](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size).
The details of setting up hash tables are provided in a separate [document](http://nginx.org/en/docs/hash.html). The details of setting up hash tables are provided in a separate [document](http://nginx.org/en/docs/hash.html).
#### ssl-buffer-size #### ssl-buffer-size
@ -248,7 +248,7 @@ https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/
#### ssl-ciphers #### ssl-ciphers
Sets the [ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) list to enable. Sets the [ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) list to enable.
The ciphers are specified in the format understood by the OpenSSL library. The ciphers are specified in the format understood by the OpenSSL library.
The default cipher list is: The default cipher list is:
@ -336,7 +336,7 @@ See [ngx_http_access_module](http://nginx.org/en/docs/http/ngx_http_access_modul
#### worker-processes #### worker-processes
Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes).
The default of "auto" means number of available CPU cores. The default of "auto" means number of available CPU cores.
#### worker-shutdown-timeout #### worker-shutdown-timeout
@ -376,6 +376,10 @@ Default: ""
Adds custom configuration to all the locations in the nginx configuration Adds custom configuration to all the locations in the nginx configuration
Default: "" Default: ""
#### compute-full-forwarded-for
Append the remote address to the X-Forwarded-For header instead of replacing it. When this option is enabled, the upstream application is responsible for extracting the client IP based on its own list of trusted proxies.
### Opentracing ### Opentracing
#### enable-opentracing #### enable-opentracing


@ -386,6 +386,10 @@ type Configuration struct {
// Default is X-Forwarded-For // Default is X-Forwarded-For
ForwardedForHeader string `json:"forwarded-for-header,omitempty"` ForwardedForHeader string `json:"forwarded-for-header,omitempty"`
// Append the remote address to the X-Forwarded-For header instead of replacing it
// Default: false
ComputeFullForwardedFor bool `json:"compute-full-forwarded-for,omitempty"`
// EnableOpentracing enables the nginx Opentracing extension // EnableOpentracing enables the nginx Opentracing extension
// https://github.com/rnburn/nginx-opentracing // https://github.com/rnburn/nginx-opentracing
// By default this is disabled // By default this is disabled
@ -428,6 +432,7 @@ func NewDefault() Configuration {
EnableUnderscoresInHeaders: false, EnableUnderscoresInHeaders: false,
ErrorLogLevel: errorLevel, ErrorLogLevel: errorLevel,
ForwardedForHeader: "X-Forwarded-For", ForwardedForHeader: "X-Forwarded-For",
ComputeFullForwardedFor: false,
HTTP2MaxFieldSize: "4k", HTTP2MaxFieldSize: "4k",
HTTP2MaxHeaderSize: "16k", HTTP2MaxHeaderSize: "16k",
HSTS: true, HSTS: true,
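Review bot: The doc comment added on `ComputeFullForwardedFor` in the first hunk does not start with the field name, unlike the neighbouring `EnableOpentracing` comment, and it leaves the trust boundary implicit: the incoming `X-Forwarded-For` value is client-supplied and the template forwards it unchanged ahead of the appended address. Suggest `// ComputeFullForwardedFor appends the connecting peer's address ($realip_remote_addr in the template) to the incoming X-Forwarded-For header instead of replacing it. Everything before that last entry is client-controlled, so upstreams must apply their own trusted-proxy list. Default: false.` The `Configuration` struct and `NewDefault` both start and end outside these hunks.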

View file

@ -210,6 +210,15 @@ http {
'' $host; '' $host;
} }
{{ if $cfg.ComputeFullForwardedFor }}
# We can't use $proxy_add_x_forwarded_for because the realip module
# replaces the remote_addr too soon
map $http_x_forwarded_for $full_x_forwarded_for {
default "$http_x_forwarded_for, $realip_remote_addr";
'' "$realip_remote_addr";
}
{{ end }}
server_name_in_redirect off; server_name_in_redirect off;
port_in_redirect off; port_in_redirect off;
@ -742,7 +751,11 @@ stream {
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $the_real_ip; proxy_set_header X-Real-IP $the_real_ip;
{{ if $all.Cfg.ComputeFullForwardedFor }}
proxy_set_header X-Forwarded-For $full_x_forwarded_for;
{{ else }}
proxy_set_header X-Forwarded-For $the_real_ip; proxy_set_header X-Forwarded-For $the_real_ip;
{{ end }}
proxy_set_header X-Forwarded-Host $best_http_host; proxy_set_header X-Forwarded-Host $best_http_host;
proxy_set_header X-Forwarded-Port $pass_port; proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme; proxy_set_header X-Forwarded-Proto $pass_access_scheme;
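Review bot: The comment above the new `map` in the first hunk says why `$proxy_add_x_forwarded_for` cannot be used but not why `$realip_remote_addr` is the right replacement, which is the part a later maintainer is likely to revisit. Suggest extending it with `# $realip_remote_addr is the peer address as seen on the connection, before the realip module rewrites $remote_addr, so the appended entry is the hop this proxy observed; the entries before it come from the client and are only meaningful to an upstream with its own proxy allow-list.` The two hunks reach the flag through different template roots (`$cfg` in the http block, `$all.Cfg` in the location block); presumably both resolve to the same Configuration in their scopes, but it is worth confirming since a mismatch would silently leave the else branch active. The diffstat shows only docs, config and template changed, so no rendering test covers the enabled path.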