Add use-forwarded-headers configmap option.
This commit is contained in:
Dario Nieuwenhuis
parent
3b0d225186
commit
67b253a149
2 changed files with 46 additions and 20 deletions
|
|
@ -427,6 +427,9 @@ type Configuration struct {
|
||||||
// Sets the ipv6 addresses on which the server will accept requests.
|
// Sets the ipv6 addresses on which the server will accept requests.
|
||||||
BindAddressIpv6 []string `json:"bind-address-ipv6,omitempty"`
|
BindAddressIpv6 []string `json:"bind-address-ipv6,omitempty"`
|
||||||
|
|
||||||
|
// Sets whether to use incoming X-Forwarded headers.
|
||||||
|
UseForwardedHeaders bool `json:"use-forwarded-headers"`
|
||||||
|
|
||||||
// Sets the header field for identifying the originating IP address of a client
|
// Sets the header field for identifying the originating IP address of a client
|
||||||
// Default is X-Forwarded-For
|
// Default is X-Forwarded-For
|
||||||
ForwardedForHeader string `json:"forwarded-for-header,omitempty"`
|
ForwardedForHeader string `json:"forwarded-for-header,omitempty"`
|
||||||
|
|
@ -559,6 +562,7 @@ func NewDefault() Configuration {
|
||||||
EnableDynamicTLSRecords: true,
|
EnableDynamicTLSRecords: true,
|
||||||
EnableUnderscoresInHeaders: false,
|
EnableUnderscoresInHeaders: false,
|
||||||
ErrorLogLevel: errorLevel,
|
ErrorLogLevel: errorLevel,
|
||||||
|
UseForwardedHeaders: false,
|
||||||
ForwardedForHeader: "X-Forwarded-For",
|
ForwardedForHeader: "X-Forwarded-For",
|
||||||
ComputeFullForwardedFor: false,
|
ComputeFullForwardedFor: false,
|
||||||
ProxyAddOriginalUriHeader: true,
|
ProxyAddOriginalUriHeader: true,
|
||||||
|
|
|
||||||
|
|
@ -75,7 +75,10 @@ http {
|
||||||
}
|
}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
{{/* we use the value of the header X-Forwarded-For to be able to use the geo_ip module */}}
|
|
||||||
|
{{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
|
||||||
|
{{/* we use the value of the real IP for the geo_ip module */}}
|
||||||
|
{{ if or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol }}
|
||||||
{{ if $cfg.UseProxyProtocol }}
|
{{ if $cfg.UseProxyProtocol }}
|
||||||
real_ip_header proxy_protocol;
|
real_ip_header proxy_protocol;
|
||||||
{{ else }}
|
{{ else }}
|
||||||
|
|
@ -86,6 +89,7 @@ http {
|
||||||
{{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
|
{{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
|
||||||
set_real_ip_from {{ $trusted_ip }};
|
set_real_ip_from {{ $trusted_ip }};
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
{{ if $cfg.UseGeoIP }}
|
{{ if $cfg.UseGeoIP }}
|
||||||
{{/* databases used to determine the country depending on the client IP address */}}
|
{{/* databases used to determine the country depending on the client IP address */}}
|
||||||
|
|
@ -222,7 +226,9 @@ http {
|
||||||
'' close;
|
'' close;
|
||||||
}
|
}
|
||||||
|
|
||||||
map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip {
|
# The following is a sneaky way to do "set $the_real_ip $remote_addr"
|
||||||
|
# Needed because using set is not allowed outside server blocks.
|
||||||
|
map '' $the_real_ip {
|
||||||
{{ if $cfg.UseProxyProtocol }}
|
{{ if $cfg.UseProxyProtocol }}
|
||||||
# Get IP address from Proxy Protocol
|
# Get IP address from Proxy Protocol
|
||||||
default $proxy_protocol_addr;
|
default $proxy_protocol_addr;
|
||||||
|
|
@ -231,12 +237,44 @@ http {
|
||||||
{{ end }}
|
{{ end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{{ if $cfg.UseForwardedHeaders }}
|
||||||
# trust http_x_forwarded_proto headers correctly indicate ssl offloading
|
# trust http_x_forwarded_proto headers correctly indicate ssl offloading
|
||||||
map $http_x_forwarded_proto $pass_access_scheme {
|
map $http_x_forwarded_proto $pass_access_scheme {
|
||||||
default $http_x_forwarded_proto;
|
default $http_x_forwarded_proto;
|
||||||
'' $scheme;
|
'' $scheme;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
map $http_x_forwarded_port $pass_server_port {
|
||||||
|
default $http_x_forwarded_port;
|
||||||
|
'' $server_port;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Obtain best http host
|
||||||
|
map $http_host $this_host {
|
||||||
|
default $http_host;
|
||||||
|
'' $host;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $http_x_forwarded_host $best_http_host {
|
||||||
|
default $http_x_forwarded_host;
|
||||||
|
'' $this_host;
|
||||||
|
}
|
||||||
|
{{ else }}
|
||||||
|
map '' $pass_access_scheme {
|
||||||
|
default $scheme;
|
||||||
|
}
|
||||||
|
|
||||||
|
map '' $pass_server_port {
|
||||||
|
default $server_port;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Obtain best http host
|
||||||
|
map $http_host $best_http_host {
|
||||||
|
default $http_host;
|
||||||
|
'' $host;
|
||||||
|
}
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
# validate $pass_access_scheme and $scheme are http to force a redirect
|
# validate $pass_access_scheme and $scheme are http to force a redirect
|
||||||
map "$scheme:$pass_access_scheme" $redirect_to_https {
|
map "$scheme:$pass_access_scheme" $redirect_to_https {
|
||||||
default 0;
|
default 0;
|
||||||
|
|
@ -244,11 +282,6 @@ http {
|
||||||
"https:http" 1;
|
"https:http" 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
map $http_x_forwarded_port $pass_server_port {
|
|
||||||
default $http_x_forwarded_port;
|
|
||||||
'' $server_port;
|
|
||||||
}
|
|
||||||
|
|
||||||
{{ if $all.IsSSLPassthroughEnabled }}
|
{{ if $all.IsSSLPassthroughEnabled }}
|
||||||
# map port {{ $all.ListenPorts.SSLProxy }} to 443 for header X-Forwarded-Port
|
# map port {{ $all.ListenPorts.SSLProxy }} to 443 for header X-Forwarded-Port
|
||||||
map $pass_server_port $pass_port {
|
map $pass_server_port $pass_port {
|
||||||
|
|
@ -262,17 +295,6 @@ http {
|
||||||
}
|
}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
# Obtain best http host
|
|
||||||
map $http_host $this_host {
|
|
||||||
default $http_host;
|
|
||||||
'' $host;
|
|
||||||
}
|
|
||||||
|
|
||||||
map $http_x_forwarded_host $best_http_host {
|
|
||||||
default $http_x_forwarded_host;
|
|
||||||
'' $this_host;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Reverse proxies can detect if a client provides a X-Request-ID header, and pass it on to the backend server.
|
# Reverse proxies can detect if a client provides a X-Request-ID header, and pass it on to the backend server.
|
||||||
# If no such header is provided, it can provide a random value.
|
# If no such header is provided, it can provide a random value.
|
||||||
map $http_x_request_id $req_id {
|
map $http_x_request_id $req_id {
|
||||||
|
|
@ -282,7 +304,7 @@ http {
|
||||||
{{ end }}
|
{{ end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
{{ if $cfg.ComputeFullForwardedFor }}
|
{{ if and $cfg.UseForwardedHeaders $cfg.ComputeFullForwardedFor }}
|
||||||
# We can't use $proxy_add_x_forwarded_for because the realip module
|
# We can't use $proxy_add_x_forwarded_for because the realip module
|
||||||
# replaces the remote_addr too soon
|
# replaces the remote_addr too soon
|
||||||
map $http_x_forwarded_for $full_x_forwarded_for {
|
map $http_x_forwarded_for $full_x_forwarded_for {
|
||||||
|
|
@ -1028,7 +1050,7 @@ stream {
|
||||||
|
|
||||||
{{ $proxySetHeader }} X-Request-ID $req_id;
|
{{ $proxySetHeader }} X-Request-ID $req_id;
|
||||||
{{ $proxySetHeader }} X-Real-IP $the_real_ip;
|
{{ $proxySetHeader }} X-Real-IP $the_real_ip;
|
||||||
{{ if $all.Cfg.ComputeFullForwardedFor }}
|
{{ if and $all.Cfg.UseForwardedHeaders $all.Cfg.ComputeFullForwardedFor }}
|
||||||
{{ $proxySetHeader }} X-Forwarded-For $full_x_forwarded_for;
|
{{ $proxySetHeader }} X-Forwarded-For $full_x_forwarded_for;
|
||||||
{{ else }}
|
{{ else }}
|
||||||
{{ $proxySetHeader }} X-Forwarded-For $the_real_ip;
|
{{ $proxySetHeader }} X-Forwarded-For $the_real_ip;
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue