From d59705e1896f7f8d44adeffb59469a5e02e34653 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= <mail@jkroepke.de>
Date: Thu, 6 Jul 2023 08:00:29 +0200
Subject: [PATCH] nginx.ingress.kubernetes.io/auth-url: Allow 127.0.0.1 to
 avoid external hops
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>
---
 rootfs/etc/nginx/template/nginx.tmpl | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 6ace87448..7ba23efed 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -764,7 +764,7 @@ stream {
     lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;;";
 
     lua_shared_dict tcp_udp_configuration_data 5M;
-    
+
     {{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }}
 
     init_by_lua_block {
@@ -1133,7 +1133,12 @@ stream {
             proxy_set_header            X-Scheme                $pass_access_scheme;
             {{ end }}
 
+            {{ if eq $externalAuth.Host "127.0.0.1" }}
+            proxy_set_header            Host                    $http_host;
+            proxy_ssl_name              $http_host;
+            {{ else }}
             proxy_set_header            Host                    {{ $externalAuth.Host }};
+            {{ end }}
             proxy_set_header            X-Original-URL          $scheme://$http_host$request_uri;
             proxy_set_header            X-Original-Method       $request_method;
             proxy_set_header            X-Sent-From             "nginx-ingress-controller";