Merge pull request #1489 from maxlaverse/fix_x_forwarded_for
Compute a real `X-Forwarded-For` header
This commit is contained in:
commit
52ee9d3199
3 changed files with 26 additions and 4 deletions
|
@ -72,7 +72,7 @@ _References:_
|
|||
|
||||
#### proxy-body-size
|
||||
|
||||
Sets the maximum allowed size of the client request body.
|
||||
Sets the maximum allowed size of the client request body.
|
||||
See NGINX [client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size).
|
||||
|
||||
#### proxy-buffer-size
|
||||
|
@ -237,7 +237,7 @@ By default this is enabled.
|
|||
|
||||
#### map-hash-bucket-size
|
||||
|
||||
Sets the bucket size for the [map variables hash tables](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size).
|
||||
Sets the bucket size for the [map variables hash tables](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size).
|
||||
The details of setting up hash tables are provided in a separate [document](http://nginx.org/en/docs/hash.html).
|
||||
|
||||
#### ssl-buffer-size
|
||||
|
@ -248,7 +248,7 @@ https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/
|
|||
|
||||
#### ssl-ciphers
|
||||
|
||||
Sets the [ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) list to enable.
|
||||
Sets the [ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) list to enable.
|
||||
The ciphers are specified in the format understood by the OpenSSL library.
|
||||
|
||||
The default cipher list is:
|
||||
|
@ -336,7 +336,7 @@ See [ngx_http_access_module](http://nginx.org/en/docs/http/ngx_http_access_modul
|
|||
|
||||
#### worker-processes
|
||||
|
||||
Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes).
|
||||
Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes).
|
||||
The default of "auto" means number of available CPU cores.
|
||||
|
||||
#### worker-shutdown-timeout
|
||||
|
@ -376,6 +376,10 @@ Default: ""
|
|||
Adds custom configuration to all the locations in the nginx configuration
|
||||
Default: ""
|
||||
|
||||
#### compute-full-forwarded-for
|
||||
|
||||
Append the remote address to the X-Forwarded-For header instead of replacing it. When this option is enabled, the upstream application is responsible for extracting the client IP based on its own list of trusted proxies.
|
||||
|
||||
### Opentracing
|
||||
|
||||
#### enable-opentracing
|
||||
|
|
|
@ -386,6 +386,10 @@ type Configuration struct {
|
|||
// Default is X-Forwarded-For
|
||||
ForwardedForHeader string `json:"forwarded-for-header,omitempty"`
|
||||
|
||||
// Append the remote address to the X-Forwarded-For header instead of replacing it
|
||||
// Default: false
|
||||
ComputeFullForwardedFor bool `json:"compute-full-forwarded-for,omitempty"`
|
||||
|
||||
// EnableOpentracing enables the nginx Opentracing extension
|
||||
// https://github.com/rnburn/nginx-opentracing
|
||||
// By default this is disabled
|
||||
|
@ -428,6 +432,7 @@ func NewDefault() Configuration {
|
|||
EnableUnderscoresInHeaders: false,
|
||||
ErrorLogLevel: errorLevel,
|
||||
ForwardedForHeader: "X-Forwarded-For",
|
||||
ComputeFullForwardedFor: false,
|
||||
HTTP2MaxFieldSize: "4k",
|
||||
HTTP2MaxHeaderSize: "16k",
|
||||
HSTS: true,
|
||||
|
|
|
@ -210,6 +210,15 @@ http {
|
|||
'' $host;
|
||||
}
|
||||
|
||||
{{ if $cfg.ComputeFullForwardedFor }}
|
||||
# We can't use $proxy_add_x_forwarded_for because the realip module
|
||||
# replaces the remote_addr too soon
|
||||
map $http_x_forwarded_for $full_x_forwarded_for {
|
||||
default "$http_x_forwarded_for, $realip_remote_addr";
|
||||
'' "$realip_remote_addr";
|
||||
}
|
||||
{{ end }}
|
||||
|
||||
server_name_in_redirect off;
|
||||
port_in_redirect off;
|
||||
|
||||
|
@ -742,7 +751,11 @@ stream {
|
|||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
proxy_set_header X-Real-IP $the_real_ip;
|
||||
{{ if $all.Cfg.ComputeFullForwardedFor }}
|
||||
proxy_set_header X-Forwarded-For $full_x_forwarded_for;
|
||||
{{ else }}
|
||||
proxy_set_header X-Forwarded-For $the_real_ip;
|
||||
{{ end }}
|
||||
proxy_set_header X-Forwarded-Host $best_http_host;
|
||||
proxy_set_header X-Forwarded-Port $pass_port;
|
||||
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
|
||||
|
|
Loading…
Reference in a new issue