Make X-Forwarded-For computation configurable

Max Laverse 2017-10-09 11:10:58 +02:00
parent a43833c621
commit bfe20306a0
3 changed files with 22 additions and 7 deletions


@ -376,6 +376,10 @@ Default: ""
Adds custom configuration to all the locations in the nginx configuration Adds custom configuration to all the locations in the nginx configuration
Default: "" Default: ""
#### compute-full-forwarded-for
Append the remote address to the X-Forwarded-For header instead of replacing it. When this option is enabled, the upstream application is responsible for extracting the client IP based on its own list of trusted proxies.
### Opentracing ### Opentracing
#### enable-opentracing #### enable-opentracing


@ -386,6 +386,10 @@ type Configuration struct {
// Default is X-Forwarded-For // Default is X-Forwarded-For
ForwardedForHeader string `json:"forwarded-for-header,omitempty"` ForwardedForHeader string `json:"forwarded-for-header,omitempty"`
// Append the remote address to the X-Forwarded-For header instead of replacing it
// Default: false
ComputeFullForwardedFor bool `json:"compute-full-forwarded-for,omitempty"`
// EnableOpentracing enables the nginx Opentracing extension // EnableOpentracing enables the nginx Opentracing extension
// https://github.com/rnburn/nginx-opentracing // https://github.com/rnburn/nginx-opentracing
// By default this is disabled // By default this is disabled
@ -428,6 +432,7 @@ func NewDefault() Configuration {
EnableUnderscoresInHeaders: false, EnableUnderscoresInHeaders: false,
ErrorLogLevel: errorLevel, ErrorLogLevel: errorLevel,
ForwardedForHeader: "X-Forwarded-For", ForwardedForHeader: "X-Forwarded-For",
ComputeFullForwardedFor: false,
HTTP2MaxFieldSize: "4k", HTTP2MaxFieldSize: "4k",
HTTP2MaxHeaderSize: "16k", HTTP2MaxHeaderSize: "16k",
HSTS: true, HSTS: true,
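Review bot: The comment on `ComputeFullForwardedFor` does not say what the header contains when the option is false, nor that enabling it forwards the client-supplied header value to the upstream. I would write it as `// ComputeFullForwardedFor appends the remote address to the incoming X-Forwarded-For header instead of replacing it.` followed by `// When enabled, the upstream must pick the client IP using its own list of trusted proxies. Default: false`. That wording also matches the name-first style of the `EnableOpentracing` comment directly below. The `Configuration` struct and `NewDefault` both continue outside the hunks shown.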


@ -210,12 +210,14 @@ http {
'' $host; '' $host;
} }
{{ if $cfg.ComputeFullForwardedFor }}
# We can't use $proxy_add_x_forwarded_for because the realip module # We can't use $proxy_add_x_forwarded_for because the realip module
# replaces the remote_addr to soon # replaces the remote_addr too soon
map $http_x_forwarded_for $the_real_x_forwarded_for { map $http_x_forwarded_for $full_x_forwarded_for {
default "$http_x_forwarded_for, $realip_remote_addr"; default "$http_x_forwarded_for, $realip_remote_addr";
'' "$realip_remote_addr"; '' "$realip_remote_addr";
} }
{{ end }}
server_name_in_redirect off; server_name_in_redirect off;
port_in_redirect off; port_in_redirect off;
@ -749,7 +751,11 @@ stream {
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $the_real_ip; proxy_set_header X-Real-IP $the_real_ip;
proxy_set_header X-Forwarded-For $the_real_x_forwarded_for; {{ if $all.Cfg.ComputeFullForwardedFor }}
proxy_set_header X-Forwarded-For $full_x_forwarded_for;
{{ else }}
proxy_set_header X-Forwarded-For $the_real_ip;
{{ end }}
proxy_set_header X-Forwarded-Host $best_http_host; proxy_set_header X-Forwarded-Host $best_http_host;
proxy_set_header X-Forwarded-Port $pass_port; proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme; proxy_set_header X-Forwarded-Proto $pass_access_scheme;
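Review bot: With the option at its default of false, the `{{ else }}` branch sends `X-Forwarded-For $the_real_ip`, whereas the removed line always sent the appended chain, so upstreams that parsed the chain lose it after an upgrade without any config change; this deserves an upgrade note. In the enabled branch the map copies `$http_x_forwarded_for` verbatim, so every entry left of the appended `$realip_remote_addr` is request-supplied and unverified; a template comment above the map such as `# Entries before the last one come from the request and are not validated here` would make that visible in the generated config. The map also always reads `$http_x_forwarded_for`, which presumably diverges from the header the realip module consumes when `forwarded-for-header` is set to something else, so that is worth confirming against the rest of the template. The enclosing location block starts and ends outside the hunk.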