Make it work with and without proxy protocol

This commit is contained in:
Ricardo Katz 2023-09-10 23:18:08 +00:00
parent 4da8a13614
commit 8c5fe95578
3 changed files with 61 additions and 21 deletions


@ -1555,9 +1555,9 @@ func httpsListener(addresses []string, co string, tc *config.TemplateConfig) []s
lo = append(lo, fmt.Sprintf("%v:%v", address, tc.ListenPorts.SSLProxy)) lo = append(lo, fmt.Sprintf("%v:%v", address, tc.ListenPorts.SSLProxy))
} }
if !strings.Contains(co, "proxy_protocol") { /*if !strings.Contains(co, "proxy_protocol") {
lo = append(lo, "proxy_protocol") lo = append(lo, "proxy_protocol")
} }*/
} else { } else {
if address == "" { if address == "" {
lo = append(lo, fmt.Sprintf("%v", tc.ListenPorts.HTTPS)) lo = append(lo, fmt.Sprintf("%v", tc.ListenPorts.HTTPS))


@ -76,7 +76,7 @@ function configureWithData(configdata, s) {
s.warn(`endpoint of ${key} is not string, skipping`) s.warn(`endpoint of ${key} is not string, skipping`)
return; return;
} }
backends[key] = serviceitem.endpoint; backends[key] = serviceitem;
}); });
// Clear method is not working, we should verify with NGX folks // Clear method is not working, we should verify with NGX folks
@ -90,30 +90,61 @@ function configureWithData(configdata, s) {
} }
} }
const PROXYSOCKET="unix:/var/run/nginxstreamproxy.sock";
// getBackend fetches the backend given a hostname sent via SNI // getBackend fetches the backend given a hostname sent via SNI
function getBackend(s) { function getBackend(s) {
try { try {
var hostname = s.variables.ssl_preread_server_name; const backendCfg = getBackendEndpoint(s);
if (hostname == null || hostname == "undefined" || hostname == "") { if(backendCfg[1]) {
throw("hostname was not provided") return PROXYSOCKET
} }
let backends = ngx.shared.ptbackends.get(KEYNAME) return backendCfg[0]
if (backends == null || backends == "") { } catch(e) {
throw('no entry on endpoint map')
}
const backendmap = JSON.parse(backends)
s.warn(JSON.stringify(backendmap))
if (backendmap[hostname] == null || backendmap[hostname] == undefined) {
throw `no endpoint is configured for service ${hostname}"`
}
return backendmap[hostname]
} catch (e) {
s.warn(`error occurred while getting the backend ` + s.warn(`error occurred while getting the backend ` +
`sending to default backend: ${e}`) `sending to default backend: ${e}`)
return "127.0.0.1:442" return "127.0.0.1:442"
} }
} }
export default {getConfigStatus, configBackends, getBackend}; // getProxiedBackend fetches the backend given a hostname sent via SNI, to be used by proxy_protocol endpoint.
// An error here should be a final error
function getProxiedBackend(s) {
try {
const backend = getBackendEndpoint(s)[0];
return backend;
} catch(e) {
s.warn(`error occurred while getting the backend ` +
`sending to default backend: ${e}`)
s.deny()
}
}
// getBackendEndpoint is the common function to return the endpoint and optinally if it should
// use proxy_protocol from the map
function getBackendEndpoint(s) {
var hostname = s.variables.ssl_preread_server_name;
if (hostname == null || hostname == "undefined" || hostname == "") {
throw("hostname was not provided")
}
let backends = ngx.shared.ptbackends.get(KEYNAME)
if (backends == null || backends == "") {
throw('no entry on endpoint map')
}
const backendmap = JSON.parse(backends)
if (backendmap[hostname] == null || backendmap[hostname] == undefined ||
backendmap[hostname].endpoint == null || backendmap[hostname].endpoint == undefined) {
throw `no endpoint is configured for service ${hostname}"`
}
var isProxy = false
if (typeof backendmap[hostname].use_proxy == "boolean" && backendmap[hostname].use_proxy) {
isProxy = backendmap[hostname].use_proxy
}
return [backendmap[hostname].endpoint, isProxy];
}
export default {getConfigStatus, configBackends, getBackend, getProxiedBackend};
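Review bot: In getBackendEndpoint the SNI value in `hostname` is client-supplied, but `backendmap[hostname]` is an ordinary property read on the object returned by JSON.parse, so inherited names such as `constructor` resolve to a non-null object and are rejected only by the `.endpoint` test rather than by the intended "no endpoint is configured" path; `const entry = Object.prototype.hasOwnProperty.call(backendmap, hostname) ? backendmap[hostname] : null;` followed by `if (entry == null || entry.endpoint == null) {` makes the lookup exact. The message thrown on the next line still ends with a stray `"` after `${hostname}`. The `use_proxy` handling reduces to `const isProxy = backendmap[hostname].use_proxy === true;`. In getProxiedBackend the catch branch calls `s.deny()` and then falls off the end, so the js_set variable is presumably left empty; a comment such as `// deny and return nothing: an empty $proxyupstream is the intended hard failure here` would make that deliberate, and it is worth confirming that s.deny() is honoured from a js_set handler.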


@ -848,6 +848,15 @@ stream {
return $cfgreturn; return $cfgreturn;
} }
{{ if and $all.IsSSLPassthroughEnabled }} {{ if and $all.IsSSLPassthroughEnabled }}
# This server is here just for proxy protocol enabled passthroughs
server {
ssl_preread on;
listen unix:/var/run/nginxstreamproxy.sock;
js_set $proxyupstream passthrough.getProxiedBackend;
proxy_pass $proxyupstream;
proxy_protocol on;
}
server { server {
# TODO: Remove Hardcode # TODO: Remove Hardcode
listen 443; listen 443;
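Review bot: The server added for proxy-protocol passthroughs is reached over `unix:/var/run/nginxstreamproxy.sock` from another server in the same nginx process, so the PROXY header written by `proxy_protocol on` will presumably describe that internal hop rather than the external client unless the client address is carried across it (e.g. the inner `listen` accepting proxy_protocol together with the stream realip module) — worth confirming before relying on this for client-IP preservation. The socket path is also hard-coded here and again as PROXYSOCKET in the njs module, so a single template value shared by both would keep them from drifting. A comment explaining how connections arrive here, `# reached only when getBackend returns PROXYSOCKET for a service with use_proxy set`, would help the next reader.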