Merge pull request #921 from RemingtonReackhof/list-proxy-real-ip-cidr
Make proxy-real-ip-cidr a comma-separated list
This commit is contained in:
commit
b308be5333
4 changed files with 20 additions and 6 deletions
|
@ -43,9 +43,6 @@ const (
|
||||||
// max-age is the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
|
// max-age is the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
|
||||||
hstsMaxAge = "15724800"
|
hstsMaxAge = "15724800"
|
||||||
|
|
||||||
// If UseProxyProtocol is enabled defIPCIDR defines the default the IP/network address of your external load balancer
|
|
||||||
defIPCIDR = "0.0.0.0/0"
|
|
||||||
|
|
||||||
gzipTypes = "application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component"
|
gzipTypes = "application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component"
|
||||||
|
|
||||||
logFormatUpstream = `%v - [$the_real_ip] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status`
|
logFormatUpstream = `%v - [$the_real_ip] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status`
|
||||||
|
@ -198,7 +195,7 @@ type Configuration struct {
|
||||||
|
|
||||||
// If UseProxyProtocol is enabled ProxyRealIPCIDR defines the default the IP/network address
|
// If UseProxyProtocol is enabled ProxyRealIPCIDR defines the default the IP/network address
|
||||||
// of your external load balancer
|
// of your external load balancer
|
||||||
ProxyRealIPCIDR string `json:"proxy-real-ip-cidr,omitempty"`
|
ProxyRealIPCIDR []string `json:"proxy-real-ip-cidr,omitempty"`
|
||||||
|
|
||||||
// Sets the name of the configmap that contains the headers to pass to the backend
|
// Sets the name of the configmap that contains the headers to pass to the backend
|
||||||
ProxySetHeaders string `json:"proxy-set-headers,omitempty"`
|
ProxySetHeaders string `json:"proxy-set-headers,omitempty"`
|
||||||
|
@ -305,6 +302,8 @@ type Configuration struct {
|
||||||
|
|
||||||
// NewDefault returns the default nginx configuration
|
// NewDefault returns the default nginx configuration
|
||||||
func NewDefault() Configuration {
|
func NewDefault() Configuration {
|
||||||
|
defIPCIDR := make([]string, 0)
|
||||||
|
defIPCIDR = append(defIPCIDR, "0.0.0.0/0")
|
||||||
cfg := Configuration{
|
cfg := Configuration{
|
||||||
AllowBackendServerHeader: false,
|
AllowBackendServerHeader: false,
|
||||||
ClientHeaderBufferSize: "1k",
|
ClientHeaderBufferSize: "1k",
|
||||||
|
|
|
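Review bot: The field comment kept in the `@ -198` hunk is stale on two counts: it still describes a single "IP/network address" although the field is now `[]string`, and its "If UseProxyProtocol is enabled" qualifier does not match the template in this PR, which ranges over `ProxyRealIPCIDR` in both the proxy-protocol and the X-Forwarded-For branches. Suggest `// ProxyRealIPCIDR lists the IP/network addresses (comma-separated in the configmap) of the external load balancers trusted to set the real client IP via set_real_ip_from.` In the `@ -305` hunk the two-statement `defIPCIDR := make([]string, 0)` / `defIPCIDR = append(defIPCIDR, "0.0.0.0/0")` can be a single literal, `defIPCIDR := []string{"0.0.0.0/0"}`, or be placed directly on the struct field; `NewDefault` continues outside the hunk.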
@ -30,6 +30,7 @@ const (
|
||||||
customHTTPErrors = "custom-http-errors"
|
customHTTPErrors = "custom-http-errors"
|
||||||
skipAccessLogUrls = "skip-access-log-urls"
|
skipAccessLogUrls = "skip-access-log-urls"
|
||||||
whitelistSourceRange = "whitelist-source-range"
|
whitelistSourceRange = "whitelist-source-range"
|
||||||
|
proxyRealIPCIDR = "proxy-real-ip-cidr"
|
||||||
)
|
)
|
||||||
|
|
||||||
// ReadConfig obtains the configuration defined by the user merged with the defaults.
|
// ReadConfig obtains the configuration defined by the user merged with the defaults.
|
||||||
|
@ -45,6 +46,7 @@ func ReadConfig(src map[string]string) config.Configuration {
|
||||||
errors := make([]int, 0)
|
errors := make([]int, 0)
|
||||||
skipUrls := make([]string, 0)
|
skipUrls := make([]string, 0)
|
||||||
whitelist := make([]string, 0)
|
whitelist := make([]string, 0)
|
||||||
|
proxylist := make([]string, 0)
|
||||||
|
|
||||||
if val, ok := conf[customHTTPErrors]; ok {
|
if val, ok := conf[customHTTPErrors]; ok {
|
||||||
delete(conf, customHTTPErrors)
|
delete(conf, customHTTPErrors)
|
||||||
|
@ -65,11 +67,18 @@ func ReadConfig(src map[string]string) config.Configuration {
|
||||||
delete(conf, whitelistSourceRange)
|
delete(conf, whitelistSourceRange)
|
||||||
whitelist = append(whitelist, strings.Split(val, ",")...)
|
whitelist = append(whitelist, strings.Split(val, ",")...)
|
||||||
}
|
}
|
||||||
|
if val, ok := conf[proxyRealIPCIDR]; ok {
|
||||||
|
delete(conf, proxyRealIPCIDR)
|
||||||
|
proxylist = append(proxylist, strings.Split(val, ",")...)
|
||||||
|
} else {
|
||||||
|
proxylist = append(proxylist, "0.0.0.0/0")
|
||||||
|
}
|
||||||
|
|
||||||
to := config.NewDefault()
|
to := config.NewDefault()
|
||||||
to.CustomHTTPErrors = filterErrors(errors)
|
to.CustomHTTPErrors = filterErrors(errors)
|
||||||
to.SkipAccessLogURLs = skipUrls
|
to.SkipAccessLogURLs = skipUrls
|
||||||
to.WhitelistSourceRange = whitelist
|
to.WhitelistSourceRange = whitelist
|
||||||
|
to.ProxyRealIPCIDR = proxylist
|
||||||
|
|
||||||
config := &mapstructure.DecoderConfig{
|
config := &mapstructure.DecoderConfig{
|
||||||
Metadata: nil,
|
Metadata: nil,
|
||||||
|
|
|
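Review bot: `strings.Split(val, ",")` in the `@ -65` hunk keeps surrounding whitespace and empty items, so a configmap value such as `1.1.1.1/8, 2.2.2.2/24` yields ` 2.2.2.2/24`, which is written verbatim into `set_real_ip_from` where nginx rejects the directive and the configuration reload fails; each item should be trimmed and checked with `net.ParseCIDR`/`net.ParseIP` before it is accepted, since these entries decide which peers are allowed to supply the client address that `whitelist-source-range` later relies on. The `else` branch also hardcodes the `"0.0.0.0/0"` default that `config.NewDefault()` already supplies a few lines later; assigning `to.ProxyRealIPCIDR` only when the key was present keeps a single source of truth. `ReadConfig` starts and ends outside the hunk.
```go
	if val, ok := conf[proxyRealIPCIDR]; ok {
		delete(conf, proxyRealIPCIDR)
		for _, cidr := range strings.Split(val, ",") {
			cidr = strings.TrimSpace(cidr)
			if cidr == "" {
				continue
			}
			if _, _, err := net.ParseCIDR(cidr); err != nil && net.ParseIP(cidr) == nil {
				// reject or report the malformed entry here instead of emitting it into nginx.conf
				continue
			}
			proxylist = append(proxylist, cidr)
		}
	}
	// … unchanged: to := config.NewDefault(), CustomHTTPErrors, SkipAccessLogURLs, WhitelistSourceRange …
	if len(proxylist) > 0 {
		to.ProxyRealIPCIDR = proxylist
	}
```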
@ -42,6 +42,7 @@ func TestMergeConfigMapToStruct(t *testing.T) {
|
||||||
"use-gzip": "true",
|
"use-gzip": "true",
|
||||||
"enable-dynamic-tls-records": "false",
|
"enable-dynamic-tls-records": "false",
|
||||||
"gzip-types": "text/html",
|
"gzip-types": "text/html",
|
||||||
|
"proxy-real-ip-cidr": "1.1.1.1/8,2.2.2.2/24",
|
||||||
}
|
}
|
||||||
def := config.NewDefault()
|
def := config.NewDefault()
|
||||||
def.CustomHTTPErrors = []int{300, 400}
|
def.CustomHTTPErrors = []int{300, 400}
|
||||||
|
@ -52,6 +53,7 @@ func TestMergeConfigMapToStruct(t *testing.T) {
|
||||||
def.EnableDynamicTLSRecords = false
|
def.EnableDynamicTLSRecords = false
|
||||||
def.UseProxyProtocol = true
|
def.UseProxyProtocol = true
|
||||||
def.GzipTypes = "text/html"
|
def.GzipTypes = "text/html"
|
||||||
|
def.ProxyRealIPCIDR = []string{"1.1.1.1/8", "2.2.2.2/24"}
|
||||||
|
|
||||||
to := ReadConfig(conf)
|
to := ReadConfig(conf)
|
||||||
if diff := pretty.Compare(to, def); diff != "" {
|
if diff := pretty.Compare(to, def); diff != "" {
|
||||||
|
|
|
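Review bot: The new assertion in the `@ -52` hunk pins only the clean `1.1.1.1/8,2.2.2.2/24` input; the fallback branch `ReadConfig` gained (`0.0.0.0/0` when the key is absent) and the handling of a value with spaces after the commas are left untested. A second map without the `proxy-real-ip-cidr` key asserting `def.ProxyRealIPCIDR = []string{"0.0.0.0/0"}`, plus one using `"1.1.1.1/8, 2.2.2.2/24"`, would cover both and make the intended trimming behaviour explicit. `TestMergeConfigMapToStruct` begins outside the hunk.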
@ -20,10 +20,14 @@ events {
|
||||||
http {
|
http {
|
||||||
{{/* we use the value of the header X-Forwarded-For to be able to use the geo_ip module */}}
|
{{/* we use the value of the header X-Forwarded-For to be able to use the geo_ip module */}}
|
||||||
{{ if $cfg.UseProxyProtocol }}
|
{{ if $cfg.UseProxyProtocol }}
|
||||||
set_real_ip_from {{ $cfg.ProxyRealIPCIDR }};
|
{{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
|
||||||
|
set_real_ip_from {{ $trusted_ip }};
|
||||||
|
{{ end }}
|
||||||
real_ip_header proxy_protocol;
|
real_ip_header proxy_protocol;
|
||||||
{{ else }}
|
{{ else }}
|
||||||
set_real_ip_from {{ $cfg.ProxyRealIPCIDR }};
|
{{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
|
||||||
|
set_real_ip_from {{ $trusted_ip }};
|
||||||
|
{{ end }}
|
||||||
real_ip_header X-Forwarded-For;
|
real_ip_header X-Forwarded-For;
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
|
|
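Review bot: The `range` block over `$cfg.ProxyRealIPCIDR` is written out identically in both branches of `{{ if $cfg.UseProxyProtocol }}`; only the `real_ip_header` line differs, so the loop can be hoisted above the `if` and each branch shrinks to that single directive. Note also that an empty list now emits no `set_real_ip_from` at all, which nginx accepts but, as far as the realip module goes, then leaves `real_ip_header` without effect, so the non-empty guarantee currently lives only in `ReadConfig`'s fallback; a template comment such as `{{/* set_real_ip_from entries are the proxies trusted to supply the client address; an empty list disables real-IP substitution */}}` would make that dependency visible.
```nginx
    {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
    set_real_ip_from {{ $trusted_ip }};
    {{ end }}
    {{ if $cfg.UseProxyProtocol }}
    real_ip_header proxy_protocol;
    {{ else }}
    real_ip_header X-Forwarded-For;
    {{ end }}
```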