feat(proxy) add real_ip configuration fields

* Add real_ip_recursive and set_real_ip_from Kong configuration fields to configure ngx_http_realip_module directives. * Move the real_ip directives to the Kong proxy location block. * Add configuration building unit tests for those 2 new directives. Fix #1661 Deprecates #1662
Kong · Mar 2, 2017 · be9489c · be9489c
1 parent 9cf38a8
commit be9489c
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 4 deletions.
diff --git a/kong.conf.default b/kong.conf.default
@@ -115,6 +115,20 @@
                                  # process. When this number is exceeded, the 
                                  # least recently used connections are closed.
 
+#real_ip_recursive = off         # Sets the ngx_http_realip_module directive of
+                                 # the same name.
+# Note: See http://nginx.org/en/docs/http/ngx_http_realip_module.html for a
+# description of this directive.
+
+#set_real_ip_from = 0.0.0.0/0    # Defines trusted addresses that are known
+                                 # to send correct replacement addresses.
+                                 # If the special value unix: is specified,
+                                 # all UNIX-domain sockets will be trusted.
+                                 # This directive accepts a comma-separated
+                                 # list of values.
+# Note: See http://nginx.org/en/docs/http/ngx_http_realip_module.html for a
+# list of accepted values.
+
 #------------------------------------------------------------------------------
 # DATASTORE
 #------------------------------------------------------------------------------

diff --git a/kong/conf_loader.lua b/kong/conf_loader.lua
@@ -61,6 +61,8 @@ local CONF_INFERENCES = {
   cluster_advertise = {typ = "string"},
   nginx_worker_processes = {typ = "string"},
   upstream_keepalive = {typ = "number"},
+  real_ip_recursive = {typ = "ngx_boolean"},
+  set_real_ip_from = {typ = "array"},
 
   database = {enum = {"postgres", "cassandra"}},
   pg_port = {typ = "number"},

diff --git a/kong/templates/kong_defaults.lua b/kong/templates/kong_defaults.lua
@@ -19,6 +19,8 @@ admin_ssl = on
 admin_ssl_cert = NONE
 admin_ssl_cert_key = NONE
 upstream_keepalive = 60
+real_ip_recursive = off
+set_real_ip_from = NONE
 
 database = postgres
 pg_host = 127.0.0.1

diff --git a/kong/templates/nginx_kong.lua b/kong/templates/nginx_kong.lua
@@ -23,10 +23,6 @@ client_max_body_size 0;
 proxy_ssl_server_name on;
 underscores_in_headers on;
 
-real_ip_header X-Forwarded-For;
-set_real_ip_from 0.0.0.0/0;
-real_ip_recursive on;
-
 lua_package_path '${{LUA_PACKAGE_PATH}};;';
 lua_package_cpath '${{LUA_PACKAGE_CPATH}};;';
 lua_code_cache ${{LUA_CODE_CACHE}};
@@ -100,6 +96,10 @@ server {
             kong.access()
         }
 
+        real_ip_recursive ${{REAL_IP_RECURSIVE}};
+> for i = 1, #set_real_ip_from do
+        set_real_ip_from $(set_real_ip_from[i]);
+> end
         proxy_http_version 1.1;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

diff --git a/spec/01-unit/03-prefix_handler_spec.lua b/spec/01-unit/03-prefix_handler_spec.lua
@@ -121,6 +121,33 @@ describe("NGINX conf compiler", function()
       local nginx_conf = prefix_handler.compile_kong_conf(conf)
       assert.matches("error_log syslog:server=.+:61828 error;", nginx_conf)
     end)
+
+    describe("ngx_http_realip_module settings", function()
+      it("defaults", function()
+        local conf = assert(conf_loader())
+        local nginx_conf = prefix_handler.compile_kong_conf(conf)
+        assert.matches("real_ip_recursive off;", nginx_conf, nil, true)
+        assert.not_matches("set_real_ip_from", nginx_conf, nil, true)
+      end)
+
+      it("real_ip_recursive", function()
+        local conf = assert(conf_loader(nil, {
+          real_ip_recursive = true,
+        }))
+        local nginx_conf = prefix_handler.compile_kong_conf(conf)
+        assert.matches("real_ip_recursive on;", nginx_conf, nil, true)
+      end)
+
+      it("set_real_ip_from", function()
+        local conf = assert(conf_loader(nil, {
+          set_real_ip_from = "192.168.1.0/24,192.168.2.1,2001:0db8::/32"
+        }))
+        local nginx_conf = prefix_handler.compile_kong_conf(conf)
+        assert.matches("set_real_ip_from 192.168.1.0/24", nginx_conf, nil, true)
+        assert.matches("set_real_ip_from 192.168.1.0", nginx_conf, nil, true)
+        assert.matches("set_real_ip_from 2001:0db8::/32", nginx_conf, nil, true)
+      end)
+    end)
   end)
 
   describe("compile_nginx_conf()", function()