Make X-Forwarded-For computation configurable

This commit is contained in:
Max Laverse 2017-10-09 11:10:58 +02:00
parent a43833c621
commit bfe20306a0
3 changed files with 22 additions and 7 deletions


@ -72,7 +72,7 @@ _References:_
#### proxy-body-size #### proxy-body-size
Sets the maximum allowed size of the client request body. Sets the maximum allowed size of the client request body.
See NGINX [client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size). See NGINX [client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size).
#### proxy-buffer-size #### proxy-buffer-size
@ -237,7 +237,7 @@ By default this is enabled.
#### map-hash-bucket-size #### map-hash-bucket-size
Sets the bucket size for the [map variables hash tables](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size). Sets the bucket size for the [map variables hash tables](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size).
The details of setting up hash tables are provided in a separate [document](http://nginx.org/en/docs/hash.html). The details of setting up hash tables are provided in a separate [document](http://nginx.org/en/docs/hash.html).
#### ssl-buffer-size #### ssl-buffer-size
@ -248,7 +248,7 @@ https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/
#### ssl-ciphers #### ssl-ciphers
Sets the [ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) list to enable. Sets the [ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) list to enable.
The ciphers are specified in the format understood by the OpenSSL library. The ciphers are specified in the format understood by the OpenSSL library.
The default cipher list is: The default cipher list is:
@ -336,7 +336,7 @@ See [ngx_http_access_module](http://nginx.org/en/docs/http/ngx_http_access_modul
#### worker-processes #### worker-processes
Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes). Sets the number of [worker processes](http://nginx.org/en/docs/ngx_core_module.html#worker_processes).
The default of "auto" means number of available CPU cores. The default of "auto" means number of available CPU cores.
#### worker-shutdown-timeout #### worker-shutdown-timeout
@ -376,6 +376,10 @@ Default: ""
Adds custom configuration to all the locations in the nginx configuration Adds custom configuration to all the locations in the nginx configuration
Default: "" Default: ""
#### compute-full-forwarded-for
Append the remote address to the X-Forwarded-For header instead of replacing it. When this option is enabled, the upstream application is responsible for extracting the client IP based on its own list of trusted proxies.
### Opentracing ### Opentracing
#### enable-opentracing #### enable-opentracing


@ -386,6 +386,10 @@ type Configuration struct {
// Default is X-Forwarded-For // Default is X-Forwarded-For
ForwardedForHeader string `json:"forwarded-for-header,omitempty"` ForwardedForHeader string `json:"forwarded-for-header,omitempty"`
// Append the remote address to the X-Forwarded-For header instead of replacing it
// Default: false
ComputeFullForwardedFor bool `json:"compute-full-forwarded-for,omitempty"`
// EnableOpentracing enables the nginx Opentracing extension // EnableOpentracing enables the nginx Opentracing extension
// https://github.com/rnburn/nginx-opentracing // https://github.com/rnburn/nginx-opentracing
// By default this is disabled // By default this is disabled
@ -428,6 +432,7 @@ func NewDefault() Configuration {
EnableUnderscoresInHeaders: false, EnableUnderscoresInHeaders: false,
ErrorLogLevel: errorLevel, ErrorLogLevel: errorLevel,
ForwardedForHeader: "X-Forwarded-For", ForwardedForHeader: "X-Forwarded-For",
ComputeFullForwardedFor: false,
HTTP2MaxFieldSize: "4k", HTTP2MaxFieldSize: "4k",
HTTP2MaxHeaderSize: "16k", HTTP2MaxHeaderSize: "16k",
HSTS: true, HSTS: true,
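Review bot: The doc comment on the new ComputeFullForwardedFor field does not begin with the field name, unlike the adjacent EnableOpentracing comment, so it will not read as that field's documentation in godoc; `// ComputeFullForwardedFor appends the remote address to the X-Forwarded-For header instead of replacing it.` Since the field changes what the upstream receives, it would help to carry over the caveat already present in the configmap documentation in this commit: when enabled, the incoming X-Forwarded-For value is passed through as supplied by the client and the upstream application must determine the client IP against its own list of trusted proxies. The explicit `ComputeFullForwardedFor: false,` in NewDefault is the zero value and could be omitted, though keeping it matches how the other booleans in that literal are written. Both the Configuration struct and NewDefault continue outside the hunks shown.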


@ -210,12 +210,14 @@ http {
'' $host; '' $host;
} }
{{ if $cfg.ComputeFullForwardedFor }}
# We can't use $proxy_add_x_forwarded_for because the realip module # We can't use $proxy_add_x_forwarded_for because the realip module
# replaces the remote_addr to soon # replaces the remote_addr too soon
map $http_x_forwarded_for $the_real_x_forwarded_for { map $http_x_forwarded_for $full_x_forwarded_for {
default "$http_x_forwarded_for, $realip_remote_addr"; default "$http_x_forwarded_for, $realip_remote_addr";
'' "$realip_remote_addr"; '' "$realip_remote_addr";
} }
{{ end }}
server_name_in_redirect off; server_name_in_redirect off;
port_in_redirect off; port_in_redirect off;
@ -749,7 +751,11 @@ stream {
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $the_real_ip; proxy_set_header X-Real-IP $the_real_ip;
proxy_set_header X-Forwarded-For $the_real_x_forwarded_for; {{ if $all.Cfg.ComputeFullForwardedFor }}
proxy_set_header X-Forwarded-For $full_x_forwarded_for;
{{ else }}
proxy_set_header X-Forwarded-For $the_real_ip;
{{ end }}
proxy_set_header X-Forwarded-Host $best_http_host; proxy_set_header X-Forwarded-Host $best_http_host;
proxy_set_header X-Forwarded-Port $pass_port; proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme; proxy_set_header X-Forwarded-Proto $pass_access_scheme;
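Review bot: The map that defines $full_x_forwarded_for is guarded by `{{ if $cfg.ComputeFullForwardedFor }}` while its only use in the server block is guarded by `{{ if $all.Cfg.ComputeFullForwardedFor }}`; if those two template values can ever differ, the rendered config would reference an undefined variable and nginx would refuse to load it, so it is worth confirming they resolve to the same object or guarding both with the same expression. In the enabled branch the chain is built from $http_x_forwarded_for, which is whatever the client sent, so any consumer that reads the first entry as the client address can be fed an arbitrary value; a maintainer-facing comment next to the map would make that explicit, e.g. `# $http_x_forwarded_for is client-supplied; the upstream must trust only entries appended by known proxies`. The surrounding http and server blocks continue outside both hunks.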