feat(conf) control the set_real_ip_from NGINX variable in kong.conf #1662
Conversation
…stent-pid hotfix(cli) prevent executing 'kill' on missing pids
|
CC: @thefosk |
|
LGTM |
|
@kylegato can you also send a PR against the |
| # correct replacement addresses. | ||
| # If the special value unix: is specified, | ||
| # all UNIX-domain sockets will be trusted. | ||
| # See: http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from |
There was a problem hiding this comment.
Could you align those 4 to the same column as the comments of the other properties?
There was a problem hiding this comment.
Also, please include # See [link] on the next line, like so: https://github.com/Mashape/kong/blob/master/kong.conf.default#L34-L35
# Note: See http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
# for a list of accepted values.
There was a problem hiding this comment.
I think the trailing ; would throw an error when starting nginx?
There was a problem hiding this comment.
Finally: please move this property below the proxy_listen and proxy_listen_ssl properties. And it should probably be renamed to proxy_set_real_ip_from.
There was a problem hiding this comment.
Yes that's right, I missed the ;. This will certainly cause an error because when it's being added with set_real_ip_from ${{SET_REAL_IP_FROM}}; it basically appends a double semicolon.
| # all UNIX-domain sockets will be trusted. | ||
| # See: http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from | ||
|
|
||
|
|
| # correct replacement addresses. | ||
| # If the special value unix: is specified, | ||
| # all UNIX-domain sockets will be trusted. | ||
| # See: http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from |
There was a problem hiding this comment.
I think the trailing ; would throw an error when starting nginx?
subnetmarco
added
pr/ready (but hold merge)
| @@ -26,7 +26,7 @@ proxy_ssl_server_name on; | |||
| underscores_in_headers on; | |||
|
|
|||
| real_ip_header X-Forwarded-For; | |||
| set_real_ip_from 0.0.0.0/0; | |||
| set_real_ip_from ${{SET_REAL_IP_FROM}}; | |||
There was a problem hiding this comment.
See here, semicolon is already provided.
| # correct replacement addresses. | ||
| # If the special value unix: is specified, | ||
| # all UNIX-domain sockets will be trusted. | ||
| # See: http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from |
There was a problem hiding this comment.
Finally: please move this property below the proxy_listen and proxy_listen_ssl properties. And it should probably be renamed to proxy_set_real_ip_from.
thibaultcha
added
pr/changes requested
|
Ultimately, I wonder if we shouldn't also implement an |
|
Also: there should probably be a test for this in |
… fixing some formatting
|
@thibaultcha I'm having trouble coming up with my own original idea for modifying 02-real_ip_spec.lua after reviewing it and what it's doing. Maybe we would have the test set the "set_real_ip_from" to something like 123.123.123.0/0 and then check that the sent header IP does not match? |
| @@ -59,6 +59,13 @@ | |||
| #proxy_listen_ssl = 0.0.0.0:8443 # Address and port on which Kong will accept | |||
| # HTTPS requests if `ssl` is enabled. | |||
|
|
|||
| #proxy_set_real_ip_from = 0.0.0.0/0 # Defines trusted addresses that are known to send | |||
There was a problem hiding this comment.
Please respect the 80 chars columns limit
There was a problem hiding this comment.
Also: the # should be 2 white spaces after the last /0
| #proxy_set_real_ip_from = 0.0.0.0/0 # Defines trusted addresses that are known to send | ||
| # correct replacement addresses. | ||
| # If the special value unix: is specified, | ||
| # all UNIX-domain sockets will be trusted. |
There was a problem hiding this comment.
Please align those comments with the hash from L62
There was a problem hiding this comment.
@thibaultcha Please review my latest config update, I believe i did.
I think that is reasonable enough, given another test exists which asserts the contrary when |
we go over the 80 chars limit for the link but that's ok for now.
style(conf) correct formatting
|
Latest update: this is just waiting on a test as discussed in this thread. @kylegato said he would write one in the next few days. |
|
@kylegato any updates? |
thibaultcha
changed the title
|
This would be a great addition to have in 0.9.4, alongside #1615. Would love to see some tests and docs updates, if not, we'll try to find time to do it ourselves. |
|
@kylegato would you be able to update this PR? |
|
It should be possible to provide a list of trusted addresses, as several occurrences of this directive can be applied. |
|
Moved to #2202. Closing this as the current implementation takes care of a few more things + has tests. Thanks! |
Summary
Adding the ability to control the set_real_ip_from NGINX variable in the kong.conf file.
Full changelog
Added set_real_ip_from config option - See http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
Issues resolved
Fix #1661