From ac2000d6c668befde4f3c3895cb11e86eaaeb320 Mon Sep 17 00:00:00 2001 From: Thibault Charbonnier Date: Wed, 1 Mar 2017 17:49:03 -0800 Subject: [PATCH] feat(proxy) add real_ip configuration fields * Add real_ip_recursive and set_real_ip_from Kong configuration fields to configure ngx_http_realip_module directives. * Move the real_ip directives to the Kong proxy location block. * Add configuration building unit tests for those 2 new directives. Fix #1661 Deprecates #1662 --- kong.conf.default | 14 +++++++++++++ kong/conf_loader.lua | 2 ++ kong/templates/kong_defaults.lua | 2 ++ kong/templates/nginx_kong.lua | 8 ++++---- spec/01-unit/03-prefix_handler_spec.lua | 27 +++++++++++++++++++++++++ 5 files changed, 49 insertions(+), 4 deletions(-) diff --git a/kong.conf.default b/kong.conf.default index 5acc2d75bb2..d20eb458ace 100644 --- a/kong.conf.default +++ b/kong.conf.default @@ -115,6 +115,20 @@ # process. When this number is exceeded, the # least recently used connections are closed. +#real_ip_recursive = off # Sets the ngx_http_realip_module directive of + # the same name. +# Note: See http://nginx.org/en/docs/http/ngx_http_realip_module.html for a +# description of this directive. + +#set_real_ip_from = 0.0.0.0/0 # Defines trusted addresses that are known + # to send correct replacement addresses. + # If the special value unix: is specified, + # all UNIX-domain sockets will be trusted. + # This directive accepts a comma-separated + # list of values. +# Note: See http://nginx.org/en/docs/http/ngx_http_realip_module.html for a +# list of accepted values. + #------------------------------------------------------------------------------ # DATASTORE #------------------------------------------------------------------------------ diff --git a/kong/conf_loader.lua b/kong/conf_loader.lua index 831d386f224..25c5c50d162 100644 --- a/kong/conf_loader.lua +++ b/kong/conf_loader.lua 
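Review bot: The documented line `#set_real_ip_from = 0.0.0.0/0` disagrees with the value this same patch puts in kong_defaults.lua (`set_real_ip_from = NONE`, which makes the template emit no directive at all), so a commented-out line that this file appears to present as the effective default tells operators every peer is trusted when in fact none is. `0.0.0.0/0` is also precisely the value that lets any client forge the address seen by IP-based plugins, so it should not be the example value either. Change it to `#set_real_ip_from =` (or `NONE`, whichever this file uses for unset values elsewhere) and add, before the nginx link, `# Trusting 0.0.0.0/0 lets any client spoof its address; list only your load balancers.`. Because this patch also removes `real_ip_header X-Forwarded-For` from the nginx template, the text should state which header the module consults (per the nginx docs it defaults to X-Real-IP) so the two fields are not configured on a wrong assumption.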
@@ -61,6 +61,8 @@ local CONF_INFERENCES = { cluster_advertise = {typ = "string"}, nginx_worker_processes = {typ = "string"}, upstream_keepalive = {typ = "number"}, + real_ip_recursive = {typ = "ngx_boolean"}, + set_real_ip_from = {typ = "array"}, database = {enum = {"postgres", "cassandra"}}, pg_port = {typ = "number"}, diff --git a/kong/templates/kong_defaults.lua b/kong/templates/kong_defaults.lua index 6e3851c3d53..38aa18c0114 100644 --- a/kong/templates/kong_defaults.lua +++ b/kong/templates/kong_defaults.lua @@ -19,6 +19,8 @@ admin_ssl = on admin_ssl_cert = NONE admin_ssl_cert_key = NONE upstream_keepalive = 60 +real_ip_recursive = off +set_real_ip_from = NONE database = postgres pg_host = 127.0.0.1 diff --git a/kong/templates/nginx_kong.lua b/kong/templates/nginx_kong.lua index e689ce2369a..eb5c35c66d5 100644 --- a/kong/templates/nginx_kong.lua +++ b/kong/templates/nginx_kong.lua @@ -23,10 +23,6 @@ client_max_body_size 0; proxy_ssl_server_name on; underscores_in_headers on; -real_ip_header X-Forwarded-For; -set_real_ip_from 0.0.0.0/0; -real_ip_recursive on; - lua_package_path '${{LUA_PACKAGE_PATH}};;'; lua_package_cpath '${{LUA_PACKAGE_CPATH}};;'; lua_code_cache ${{LUA_CODE_CACHE}}; @@ -100,6 +96,10 @@ server { kong.access() } + real_ip_recursive ${{REAL_IP_RECURSIVE}}; +> for i = 1, #set_real_ip_from do + set_real_ip_from $(set_real_ip_from[i]); +> end proxy_http_version 1.1; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/spec/01-unit/03-prefix_handler_spec.lua b/spec/01-unit/03-prefix_handler_spec.lua index 993a96a347e..c271ebea4ae 100644 --- a/spec/01-unit/03-prefix_handler_spec.lua +++ b/spec/01-unit/03-prefix_handler_spec.lua 
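Review bot: `set_real_ip_from = {typ = "array"}` accepts any comma-separated strings, and the template hunk later in this patch interpolates each element verbatim into the nginx config, so a typo such as `192.168.1.0/33` or `unix` is only discovered when nginx refuses to start, with an error pointing at the generated file rather than at kong.conf. If CONF_INFERENCES or the loader's check step supports per-field validation (not visible in this hunk), add one that accepts an IPv4/IPv6 address or CIDR or the literal `unix:` and rejects anything containing whitespace or `;`, failing with `"set_real_ip_from must be a list of IP addresses, CIDR ranges or unix:"`. The CONF_INFERENCES table continues outside the hunk.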
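Review bot: The new location block emits `real_ip_recursive` and `set_real_ip_from` but no `real_ip_header`, and the `real_ip_header X-Forwarded-For;` that used to sit in the http block is deleted earlier in this patch, so ngx_http_realip_module now falls back to its default header, X-Real-IP. Operators who point `set_real_ip_from` at their load balancer are likely to expect the X-Forwarded-For chain to be honoured (this very block forwards `$proxy_add_x_forwarded_for` upstream), and `real_ip_recursive on` has nothing to recurse over in a single-valued X-Real-IP. Add `real_ip_header X-Forwarded-For;` next to `real_ip_recursive ${{REAL_IP_RECURSIVE}};`, or expose it as a third configuration field, so the pre-patch behaviour remains reachable. The `$(set_real_ip_from[i])` values are written unquoted, which is acceptable for operator-controlled config, but a value containing `;` or a newline would become additional nginx directives — one more reason to validate entries in conf_loader. The enclosing server block starts and ends outside the hunk.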
@@ -121,6 +121,33 @@ describe("NGINX conf compiler", function() local nginx_conf = prefix_handler.compile_kong_conf(conf) assert.matches("error_log syslog:server=.+:61828 error;", nginx_conf) end) + + describe("ngx_http_realip_module settings", function() + it("defaults", function() + local conf = assert(conf_loader()) + local nginx_conf = prefix_handler.compile_kong_conf(conf) + assert.matches("real_ip_recursive off;", nginx_conf, nil, true) + assert.not_matches("set_real_ip_from", nginx_conf, nil, true) + end) + + it("real_ip_recursive", function() + local conf = assert(conf_loader(nil, { + real_ip_recursive = true, + })) + local nginx_conf = prefix_handler.compile_kong_conf(conf) + assert.matches("real_ip_recursive on;", nginx_conf, nil, true) + end) + + it("set_real_ip_from", function() + local conf = assert(conf_loader(nil, { + set_real_ip_from = "192.168.1.0/24,192.168.2.1,2001:0db8::/32" + })) + local nginx_conf = prefix_handler.compile_kong_conf(conf) + assert.matches("set_real_ip_from 192.168.1.0/24", nginx_conf, nil, true) + assert.matches("set_real_ip_from 192.168.1.0", nginx_conf, nil, true) + assert.matches("set_real_ip_from 2001:0db8::/32", nginx_conf, nil, true) + end) + end) end) describe("compile_nginx_conf()", function()
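Review bot: The second assertion in the `set_real_ip_from` test, `assert.matches("set_real_ip_from 192.168.1.0", nginx_conf, nil, true)`, is a prefix of the first one and never checks the `192.168.2.1` entry the test configures, so a template bug that drops or mangles the middle element would still pass. Change it to `assert.matches("set_real_ip_from 192.168.2.1;", nginx_conf, nil, true)` and append the `;` to the other two patterns too, so a missing terminator in the template is caught. Given that this patch changes which header the realip module reads, the `defaults` case would also benefit from an explicit assertion on the presence or absence of `real_ip_header` in the generated config. The enclosing `describe("NGINX conf compiler"` starts outside the hunk.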