DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Make X-Forwarded-For computation configurable

Browse source
This commit is contained in:
Max Laverse 2017-10-09 11:10:58 +02:00
parent cea3c7eb1b
commit 65ba0c15fd
3 changed files with 15 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
configuration.md
View file

@ -568,6 +568,7 @@ Default: ""
**location-snippet:** adds custom configuration to all the locations in the nginx configuration **location-snippet:** adds custom configuration to all the locations in the nginx configuration
Default: "" Default: ""
**compute-full-forwarded-for:** Append the remote address to the X-Forwarded-For header instead of replacing it. When this option is enabled, the upstream application is responsible for extracting the client IP based on its own list of trusted proxies.
### Default configuration options ### Default configuration options
@ -625,6 +626,7 @@ The following table shows the options, the default value and a description.
|worker-processes|number of CPUs| |worker-processes|number of CPUs|
|limit-conn-zone-variable|$binary_remote_addr| |limit-conn-zone-variable|$binary_remote_addr|
|bind-address|| |bind-address||
|compute-full-forwarded-for|"false"|
### Websockets ### Websockets

5
pkg/nginx/config/config.go
View file

@ -378,6 +378,10 @@ type Configuration struct {
// Default is X-Forwarded-For // Default is X-Forwarded-For
ForwardedForHeader string `json:"forwarded-for-header,omitempty"` ForwardedForHeader string `json:"forwarded-for-header,omitempty"`
// Append the remote address to the X-Forwarded-For header instead of replacing it
// Default: false
ComputeFullForwardedFor bool `json:"compute-full-forwarded-for,omitempty"`
// EnableOpentracing enables the nginx Opentracing extension // EnableOpentracing enables the nginx Opentracing extension
// https://github.com/rnburn/nginx-opentracing // https://github.com/rnburn/nginx-opentracing
// By default this is disabled // By default this is disabled
@ -420,6 +424,7 @@ func NewDefault() Configuration {
EnableUnderscoresInHeaders: false, EnableUnderscoresInHeaders: false,
ErrorLogLevel: errorLevel, ErrorLogLevel: errorLevel,
ForwardedForHeader: "X-Forwarded-For", ForwardedForHeader: "X-Forwarded-For",
ComputeFullForwardedFor: false,
HTTP2MaxFieldSize: "4k", HTTP2MaxFieldSize: "4k",
HTTP2MaxHeaderSize: "16k", HTTP2MaxHeaderSize: "16k",
HSTS: true, HSTS: true,

10
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -195,12 +195,14 @@ http {
'' $host; '' $host;
} }
{{ if $cfg.ComputeFullForwardedFor }}
# We can't use $proxy_add_x_forwarded_for because the realip module # We can't use $proxy_add_x_forwarded_for because the realip module
# replaces the remote_addr to soon # replaces the remote_addr to soon
map $http_x_forwarded_for $the_real_x_forwarded_for { map $http_x_forwarded_for $full_x_forwarded_for {
default "$http_x_forwarded_for, $realip_remote_addr"; default "$http_x_forwarded_for, $realip_remote_addr";
'' "$realip_remote_addr"; '' "$realip_remote_addr";
} }
{{ end }}
server_name_in_redirect off; server_name_in_redirect off;
port_in_redirect off; port_in_redirect off;
@ -756,7 +758,11 @@ stream {
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $the_real_ip; proxy_set_header X-Real-IP $the_real_ip;
proxy_set_header X-Forwarded-For $the_real_x_forwarded_for; {{ if $all.Cfg.ComputeFullForwardedFor }}
proxy_set_header X-Forwarded-For $full_x_forwarded_for;
{{ else }}
proxy_set_header X-Forwarded-For $the_real_ip;
{{ end }}
proxy_set_header X-Forwarded-Host $best_http_host; proxy_set_header X-Forwarded-Host $best_http_host;
proxy_set_header X-Forwarded-Port $pass_port; proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme; proxy_set_header X-Forwarded-Proto $pass_access_scheme;