DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Make it work with and without proxy protocol

Browse source
This commit is contained in:
Ricardo Katz 2023-09-10 23:18:08 +00:00
parent 4da8a13614
commit 8c5fe95578
3 changed files with 61 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
internal/ingress/controller/template/template.go
View file

@ -1555,9 +1555,9 @@ func httpsListener(addresses []string, co string, tc *config.TemplateConfig) []s
lo = append(lo, fmt.Sprintf("%v:%v", address, tc.ListenPorts.SSLProxy))
}
if !strings.Contains(co, "proxy_protocol") {
/*if !strings.Contains(co, "proxy_protocol") {
lo = append(lo, "proxy_protocol")
}
}*/
} else {
if address == "" {
lo = append(lo, fmt.Sprintf("%v", tc.ListenPorts.HTTPS))

69
rootfs/etc/nginx/njs/passthrough.js
View file

@ -76,7 +76,7 @@ function configureWithData(configdata, s) {
s.warn(`endpoint of ${key} is not string, skipping`)
return;
}
backends[key] = serviceitem.endpoint;
backends[key] = serviceitem;
});
// Clear method is not working, we should verify with NGX folks
@ -90,30 +90,61 @@ function configureWithData(configdata, s) {
}
}
const PROXYSOCKET="unix:/var/run/nginxstreamproxy.sock";
// getBackend fetches the backend given a hostname sent via SNI
function getBackend(s) {
try {
var hostname = s.variables.ssl_preread_server_name;
if (hostname == null || hostname == "undefined" || hostname == "") {
throw("hostname was not provided")
const backendCfg = getBackendEndpoint(s);
if(backendCfg[1]) {
return PROXYSOCKET
}
let backends = ngx.shared.ptbackends.get(KEYNAME)
if (backends == null || backends == "") {
throw('no entry on endpoint map')
}
const backendmap = JSON.parse(backends)
s.warn(JSON.stringify(backendmap))
if (backendmap[hostname] == null || backendmap[hostname] == undefined) {
throw `no endpoint is configured for service ${hostname}"`
}
return backendmap[hostname]
} catch (e) {
return backendCfg[0]
} catch(e) {
s.warn(`error occurred while getting the backend ` +
`sending to default backend: ${e}`)
`sending to default backend: ${e}`)
return "127.0.0.1:442"
}
}
export default {getConfigStatus, configBackends, getBackend};
// getProxiedBackend fetches the backend given a hostname sent via SNI, to be used by proxy_protocol endpoint.
// An error here should be a final error
function getProxiedBackend(s) {
try {
const backend = getBackendEndpoint(s)[0];
return backend;
} catch(e) {
s.warn(`error occurred while getting the backend ` +
`sending to default backend: ${e}`)
s.deny()
}
}
// getBackendEndpoint is the common function to return the endpoint and optinally if it should
// use proxy_protocol from the map
function getBackendEndpoint(s) {
var hostname = s.variables.ssl_preread_server_name;
if (hostname == null || hostname == "undefined" || hostname == "") {
throw("hostname was not provided")
}
let backends = ngx.shared.ptbackends.get(KEYNAME)
if (backends == null || backends == "") {
throw('no entry on endpoint map')
}
const backendmap = JSON.parse(backends)
if (backendmap[hostname] == null || backendmap[hostname] == undefined ||
backendmap[hostname].endpoint == null || backendmap[hostname].endpoint == undefined) {
throw `no endpoint is configured for service ${hostname}"`
}
var isProxy = false
if (typeof backendmap[hostname].use_proxy == "boolean" && backendmap[hostname].use_proxy) {
isProxy = backendmap[hostname].use_proxy
}
return [backendmap[hostname].endpoint, isProxy];
}
export default {getConfigStatus, configBackends, getBackend, getProxiedBackend};

9
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -848,6 +848,15 @@ stream {
return $cfgreturn;
}
{{ if and $all.IsSSLPassthroughEnabled }}
# This server is here just for proxy protocol enabled passthroughs
server {
ssl_preread on;
listen unix:/var/run/nginxstreamproxy.sock;
js_set $proxyupstream passthrough.getProxiedBackend;
proxy_pass $proxyupstream;
proxy_protocol on;
}
server {
# TODO: Remove Hardcode
listen 443;