Merge pull request #1489 from maxlaverse/fix_x_forwarded_for

Compute a real `X-Forwarded-For` header
2017-10-26 20:45:07 -03:00 · 2017-10-26 20:45:07 -03:00 · 52ee9d3199
commit 52ee9d3199
parent 56b28ccf4c bfe20306a0
3 changed files with 26 additions and 4 deletions
--- a/docs/user-guide/configmap.md
+++ b/docs/user-guide/configmap.md
@ -72,7 +72,7 @@ _References:_

 #### proxy-body-size

-Sets the maximum allowed size of the client request body. 
+Sets the maximum allowed size of the client request body.
 See NGINX [client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size).

 #### proxy-buffer-size
@ -237,7 +237,7 @@ By default this is enabled.

 #### map-hash-bucket-size

-Sets the bucket size for the [map variables hash tables](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size). 
+Sets the bucket size for the [map variables hash tables](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size).
 The details of setting up hash tables are provided in a separate [document](http://nginx.org/en/docs/hash.html).

 #### ssl-buffer-size
@ -248,7 +248,7 @@ https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/

 #### ssl-ciphers

-Sets the [ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) list to enable. 
+Sets the [ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) list to enable.
 The ciphers are specified in the format understood by the OpenSSL library.

 The default cipher list is:
@ -336,7 +336,7 @@ See [ngx_http_access_module](http://nginx.org/en/docs/http/ngx_http_access_modul

 #### worker-processes

-Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). 
+Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes).
 The default of "auto" means number of available CPU cores.

 #### worker-shutdown-timeout
@ -376,6 +376,10 @@ Default: ""
 Adds custom configuration to all the locations in the nginx configuration
 Default: ""

+#### compute-full-forwarded-for
+
+Append the remote address to the X-Forwarded-For header instead of replacing it. When this option is enabled, the upstream application is responsible for extracting the client IP based on its own list of trusted proxies.
+
 ### Opentracing

 #### enable-opentracing
--- a/pkg/nginx/config/config.go
+++ b/pkg/nginx/config/config.go
@ -386,6 +386,10 @@ type Configuration struct {
 	// Default is X-Forwarded-For
 	ForwardedForHeader string `json:"forwarded-for-header,omitempty"`

+	// Append the remote address to the X-Forwarded-For header instead of replacing it
+	// Default: false
+	ComputeFullForwardedFor bool `json:"compute-full-forwarded-for,omitempty"`
+
 	// EnableOpentracing enables the nginx Opentracing extension
 	// https://github.com/rnburn/nginx-opentracing
 	// By default this is disabled
@ -428,6 +432,7 @@ func NewDefault() Configuration {
 		EnableUnderscoresInHeaders: false,
 		ErrorLogLevel:              errorLevel,
 		ForwardedForHeader:         "X-Forwarded-For",
+		ComputeFullForwardedFor:    false,
 		HTTP2MaxFieldSize:          "4k",
 		HTTP2MaxHeaderSize:         "16k",
 		HSTS:                       true,
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -210,6 +210,15 @@ http {
        ''               $host;
    }

+    {{ if $cfg.ComputeFullForwardedFor }}
+    # We can't use $proxy_add_x_forwarded_for because the realip module
+    # replaces the remote_addr too soon
+    map $http_x_forwarded_for $full_x_forwarded_for {
+        default          "$http_x_forwarded_for, $realip_remote_addr";
+        ''               "$realip_remote_addr";
+    }
+    {{ end }}
+
    server_name_in_redirect off;
    port_in_redirect        off;

@ -742,7 +751,11 @@ stream {
            proxy_set_header                        Connection        $connection_upgrade;

            proxy_set_header X-Real-IP              $the_real_ip;
+            {{ if $all.Cfg.ComputeFullForwardedFor }}
+            proxy_set_header X-Forwarded-For        $full_x_forwarded_for;
+            {{ else }}
            proxy_set_header X-Forwarded-For        $the_real_ip;
+            {{ end }}
            proxy_set_header X-Forwarded-Host       $best_http_host;
            proxy_set_header X-Forwarded-Port       $pass_port;
            proxy_set_header X-Forwarded-Proto      $pass_access_scheme;