diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 00aa4e42a..c12a27b8a 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -195,6 +195,13 @@ http { '' $host; } + # We can't use $proxy_add_x_forwarded_for because the realip module + # replaces the remote_addr to soon + map $http_x_forwarded_for $the_real_x_forwarded_for { + default "$http_x_forwarded_for, $realip_remote_addr"; + '' "$realip_remote_addr"; + } + server_name_in_redirect off; port_in_redirect off; @@ -592,7 +599,7 @@ stream { ssl_certificate {{ $server.SSLCertificate }}; ssl_certificate_key {{ $server.SSLCertificate }}; {{ if not (empty $server.SSLFullChainCertificate)}} - ssl_trusted_certificate {{ $server.SSLFullChainCertificate }}; + ssl_trusted_certificate {{ $server.SSLFullChainCertificate }}; ssl_stapling on; ssl_stapling_verify on; {{ end }} @@ -616,7 +623,7 @@ stream { {{ if not (empty $server.ServerSnippet) }} {{ $server.ServerSnippet }} {{ end }} - + {{ range $location := $server.Locations }} {{ $path := buildLocation $location }} {{ $authPath := buildAuthLocation $location }} @@ -749,7 +756,7 @@ stream { proxy_set_header Connection $connection_upgrade; proxy_set_header X-Real-IP $the_real_ip; - proxy_set_header X-Forwarded-For $the_real_ip; + proxy_set_header X-Forwarded-For $the_real_x_forwarded_for; proxy_set_header X-Forwarded-Host $best_http_host; proxy_set_header X-Forwarded-Port $pass_port; proxy_set_header X-Forwarded-Proto $pass_access_scheme;
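Review bot: The comment above the new `map $http_x_forwarded_for $the_real_x_forwarded_for` block (hunk at -195,6 +195,13) explains why `$proxy_add_x_forwarded_for` is avoided, but not where the values come from. `$http_x_forwarded_for` is copied verbatim from the incoming request, so in the `default` branch only the appended `$realip_remote_addr` is set by this proxy. I would fix the typo ("to soon" should be "too soon") and add a line such as `# Entries before the last one come from the client's X-Forwarded-For header and are not verified; only the appended $realip_remote_addr is set here.` The enclosing `http {` block starts and ends outside this hunk.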
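Review bot: In the hunk at -749,7 +756,7, `proxy_set_header X-Forwarded-For $the_real_x_forwarded_for;` replaces a single proxy-determined address with a list whose leading entries the client chooses. A backend that reads the first entry for logging, rate limiting or IP allow-listing would then act on a spoofable value, where it previously received only `$the_real_ip`. Nothing in the visible lines limits the pass-through to deployments that sit behind a trusted proxy, so I would make it conditional on that and otherwise keep `proxy_set_header X-Forwarded-For $the_real_ip;`. It is also worth documenting that `X-Real-IP` stays the proxy-determined address and that only the rightmost `X-Forwarded-For` entry is trustworthy. The surrounding location block starts and ends outside this hunk.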