From bff25d04b0ac17ec2f96536a25440ec19aa3fed6 Mon Sep 17 00:00:00 2001 From: Manuel de Brito Fontes Date: Sat, 19 Aug 2017 15:58:33 -0300 Subject: [PATCH] Merge --- controllers/nginx/pkg/template/template.go | 16 +++++++-- .../rootfs/etc/nginx/template/nginx.tmpl | 33 +++++++++---------- core/pkg/ingress/controller/annotations.go | 12 +++++-- 3 files changed, 39 insertions(+), 22 deletions(-) diff --git a/controllers/nginx/pkg/template/template.go b/controllers/nginx/pkg/template/template.go index 306fd2ecc..03844ee8e 100644 --- a/controllers/nginx/pkg/template/template.go +++ b/controllers/nginx/pkg/template/template.go @@ -312,13 +312,13 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string { rewrite %s(.*) /$1 break; rewrite %s / break; proxy_pass %s://%s; - %v`, path, location.Path, proto, location.Backend, abu) + %v`, path, location.Path, proto, upstreamName, abu) } return fmt.Sprintf(` rewrite %s(.*) %s/$1 break; proxy_pass %s://%s; - %v`, path, location.Rewrite.Target, proto, location.Backend, abu) + %v`, path, location.Rewrite.Target, proto, upstreamName, abu) } // default proxy_pass @@ -404,6 +404,18 @@ func buildRateLimit(input interface{}) []string { limits = append(limits, limit) } + if loc.RateLimit.LimitRateAfter > 0 { + limit := fmt.Sprintf("limit_rate_after %vk;", + loc.RateLimit.LimitRateAfter) + limits = append(limits, limit) + } + + if loc.RateLimit.LimitRate > 0 { + limit := fmt.Sprintf("limit_rate %vk;", + loc.RateLimit.LimitRate) + limits = append(limits, limit) + } + return limits } diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl index 4ff9fa0d6..79bf477e9 100644 --- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl +++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl 
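Review bot: The two blocks added to buildRateLimit (template.go, hunk at -404) hard-code a `k` suffix, so LimitRateAfter and LimitRate are silently treated as kilobytes and nothing in the hunk says so. A comment above them would record the unit and the scope, for example `// LimitRateAfter and LimitRate are in kilobytes; nginx applies limit_rate per request, so it is not a per-client cap`. The `> 0` guards imply integer fields, in which case `%d` states the intent more clearly than `%v`. Also, `limit_rate_after` is emitted even when LimitRate is 0, where it has no effect. buildRateLimit starts outside the hunk.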
@@ -26,18 +26,15 @@ events { http { {{/* we use the value of the header X-Forwarded-For to be able to use the geo_ip module */}} {{ if $cfg.UseProxyProtocol }} - {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }} - set_real_ip_from {{ $trusted_ip }}; - {{ end }} real_ip_header proxy_protocol; {{ else }} - {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }} - set_real_ip_from {{ $trusted_ip }}; - {{ end }} real_ip_header X-Forwarded-For; {{ end }} real_ip_recursive on; + {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }} + set_real_ip_from {{ $trusted_ip }}; + {{ end }} {{/* databases used to determine the country depending on the client IP address */}} {{/* http://nginx.org/en/docs/http/ngx_http_geoip_module.html */}} @@ -155,7 +152,7 @@ http { {{ else }} map $http_x_forwarded_for $the_real_ip { default $http_x_forwarded_for; - '' $remote_addr; + '' $realip_remote_addr; } {{ end }} @@ -327,15 +324,15 @@ http { ssl_verify_depth {{ $location.CertificateAuth.ValidationDepth }}; {{ end }} - {{ if not (empty $location.Redirect.URL) }} - location {{ $path }} { - return {{ $location.Redirect.Code }} {{ $location.Redirect.URL }}; - } - {{ else }} + {{ if not (empty $location.Redirect.URL) }} + location {{ $path }} { + return {{ $location.Redirect.Code }} {{ $location.Redirect.URL }}; + } + {{ else }} - {{ if not (empty $location.Rewrite.AppRoot) }} + {{ if not (empty $location.Redirect.AppRoot)}} if ($uri = /) { - return 302 {{ $location.Rewrite.AppRoot }}; + return 302 {{ $location.Redirect.AppRoot }}; } {{ end }} @@ -359,7 +356,6 @@ http { client_max_body_size "{{ $location.Proxy.BodySize }}"; - set $target {{ $location.ExternalAuth.URL }}; proxy_pass $target; } 
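Review bot: In the hunk at -327 the template now reads `$location.Redirect.AppRoot` (and the hunk at -465 reads `$location.Redirect.AddBaseURL`), but the commit touches only three files and none of them defines those fields, while buildProxyPass in template.go still reads `location.Rewrite.Target`. If AppRoot and AddBaseURL still live on the Rewrite type, text/template fails at execution time with a field-evaluation error and no configuration is rendered. This should be confirmed against the Redirect struct; otherwise keep `$location.Rewrite.AppRoot` and `$location.Rewrite.AddBaseURL` here.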
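Review bot: The hunk at -359 removes `set $target {{ $location.ExternalAuth.URL }};` but keeps `proxy_pass $target;` on the following line, so the external-auth location now proxies to a variable that nothing visible sets. Unless `$target` is assigned elsewhere in that location (the block starts outside the hunk), nginx would reject the generated configuration because of the unknown variable, and reloads carrying auth changes would fail. The simplest fix is to keep the `set $target {{ $location.ExternalAuth.URL }};` line directly above `proxy_pass $target;`.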
@@ -387,13 +383,15 @@ http { {{ if not (empty $authPath) }} # this location requires authentication auth_request {{ $authPath }}; + auth_request_set $auth_cookie $upstream_http_set_cookie; + add_header Set-Cookie $auth_cookie; {{- range $idx, $line := buildAuthResponseHeaders $location }} {{ $line }} {{- end }} {{ end }} {{ if not (empty $location.ExternalAuth.SigninURL) }} - error_page 401 = {{ $location.ExternalAuth.SigninURL }}; + error_page 401 = {{ $location.ExternalAuth.SigninURL }}?rd=$request_uri; {{ end }} @@ -465,7 +463,7 @@ http { proxy_next_upstream {{ buildNextUpstream $location.Proxy.NextUpstream }}{{ if $cfg.RetryNonIdempotent }} non_idempotent{{ end }}; {{/* rewrite only works if the content is not compressed */}} - {{ if $location.Rewrite.AddBaseURL }} + {{ if $location.Redirect.AddBaseURL }} proxy_set_header Accept-Encoding ""; {{ end }} @@ -479,7 +477,6 @@ http { {{ end }} } {{ end }} - {{ end }} {{ if eq $server.Hostname "_" }} # health checks in cloud providers require the use of port 80 diff --git a/core/pkg/ingress/controller/annotations.go b/core/pkg/ingress/controller/annotations.go index a607ae81c..4c56df3f0 100644 --- a/core/pkg/ingress/controller/annotations.go +++ b/core/pkg/ingress/controller/annotations.go @@ -19,6 +19,7 @@ package controller import ( "github.com/golang/glog" extensions "k8s.io/api/extensions/v1beta1" + "k8s.io/ingress/core/pkg/ingress/annotations/alias" "k8s.io/ingress/core/pkg/ingress/annotations/auth" "k8s.io/ingress/core/pkg/ingress/annotations/authreq" "k8s.io/ingress/core/pkg/ingress/annotations/authtls" 
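Review bot: The new `error_page 401 = {{ $location.ExternalAuth.SigninURL }}?rd=$request_uri;` appends the raw, client-supplied request URI, so a `&` or `#` in the original request splits or truncates `rd`, and a SigninURL that already has a query string ends up with a second `?`. The value should be URL-encoded before it is appended, and the sign-in service has to treat `rd` as untrusted and redirect only to same-site paths; a template comment such as `{{/* rd is client-controlled: the sign-in service must validate it before redirecting */}}` would record that. Separately, `add_header Set-Cookie $auth_cookie;` at location level stops this location from inheriting any `add_header` set at server or http level, and without `always` it is not sent on error responses. Whether `$upstream_http_set_cookie` carries every Set-Cookie header of the auth response or only one depends on the nginx version and should be checked.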
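Review bot: The hunk at -479 deletes an `{{ end }}`, but across all hunks of nginx.tmpl no matching opener goes away: the -26 hunk drops one complete range/end pair, the -327 hunk only re-indents its if/else, and the -465 hunk swaps one `if` for another. If the old template was balanced, the new one is not, and template parsing fails when the controller loads it. The deleted `{{ end }}` should be restored, or the opener it belonged to removed in the same change.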
@@ -63,14 +64,15 @@ func newAnnotationExtractor(cfg extractorConfig) annotationExtractor { "Whitelist": ipwhitelist.NewParser(cfg), "UsePortInRedirects": portinredirect.NewParser(cfg), "Proxy": proxy.NewParser(cfg), - "RateLimit": ratelimit.NewParser(), - "Redirect": redirect.NewParser(), + "RateLimit": ratelimit.NewParser(cfg), + "Redirect": redirect.NewParser(cfg), "Rewrite": rewrite.NewParser(cfg), "SecureUpstream": secureupstream.NewParser(cfg), "ServiceUpstream": serviceupstream.NewParser(), "SessionAffinity": sessionaffinity.NewParser(), "SSLPassthrough": sslpassthrough.NewParser(), "ConfigurationSnippet": snippet.NewParser(), + "Alias": alias.NewParser(), }, } } @@ -109,6 +111,7 @@ const ( sslPassthrough = "SSLPassthrough" sessionAffinity = "SessionAffinity" serviceUpstream = "ServiceUpstream" + serverAlias = "Alias" ) func (e *annotationExtractor) ServiceUpstream(ing *extensions.Ingress) bool { @@ -135,6 +138,11 @@ func (e *annotationExtractor) SSLPassthrough(ing *extensions.Ingress) bool { return val.(bool) } +func (e *annotationExtractor) Alias(ing *extensions.Ingress) string { + val, _ := e.annotations[serverAlias].Parse(ing) + return val.(string) +} + func (e *annotationExtractor) SessionAffinity(ing *extensions.Ingress) *sessionaffinity.AffinityConfig { val, _ := e.annotations[sessionAffinity].Parse(ing) return val.(*sessionaffinity.AffinityConfig)
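Review bot: The new Alias method (hunk at -135) drops the error from Parse and then does an unchecked `val.(string)`, which panics if the parser returns a nil value together with its error, for example when the annotation is absent; what alias.NewParser().Parse returns in that case is not visible here. A checked assertion avoids the crash: `s, _ := val.(string)` followed by `return s`. The exported method also lacks a doc comment, e.g. `// Alias returns the server alias set on the Ingress, or "" when none is set.` Since the value comes from an Ingress annotation and is presumably written into the generated server block, it should be validated as a hostname before it reaches the template.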