Kong · kylegato · Sep 16, 2016 · Sep 20, 2016 · Sep 22, 2016 · Sep 22, 2016
diff --git a/kong.conf.default b/kong.conf.default
@@ -59,6 +59,13 @@
 #proxy_listen_ssl = 0.0.0.0:8443 # Address and port on which Kong will accept
                                  # HTTPS requests if `ssl` is enabled.
 
+#proxy_set_real_ip_from = 0.0.0.0/0  # Defines trusted addresses that are known
+                                     # to send correct replacement addresses.
+                                     # If the special value unix: is specified,
+                                     # all UNIX-domain sockets will be trusted.
+# Note: See http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
+# for a list of accepted values.
+
 #admin_listen = 0.0.0.0:8001     # Address and port on which Kong will expose
                                  # an entrypoint to the Admin API.
                                  # This API lets you configure and manage Kong,

diff --git a/kong/conf_loader.lua b/kong/conf_loader.lua
@@ -50,6 +50,7 @@ local CONF_INFERENCES = {
   -- forced string inferences (or else are retrieved as numbers)
   proxy_listen = {typ = "string"},
   proxy_listen_ssl = {typ = "string"},
+  proxy_set_real_ip_from = {typ = "string"},
   admin_listen = {typ = "string"},
   cluster_listen = {typ = "string"},
   cluster_listen_rpc = {typ = "string"},

diff --git a/kong/templates/kong_defaults.lua b/kong/templates/kong_defaults.lua
@@ -6,6 +6,7 @@ anonymous_reports = on
 
 proxy_listen = 0.0.0.0:8000
 proxy_listen_ssl = 0.0.0.0:8443
+proxy_set_real_ip_from = 0.0.0.0/0
 admin_listen = 0.0.0.0:8001
 nginx_worker_processes = auto
 nginx_optimizations = on

diff --git a/kong/templates/nginx_kong.lua b/kong/templates/nginx_kong.lua
@@ -26,7 +26,7 @@ proxy_ssl_server_name on;
 underscores_in_headers on;
 
 real_ip_header X-Forwarded-For;
-set_real_ip_from 0.0.0.0/0;
+set_real_ip_from ${{PROXY_SET_REAL_IP_FROM}};
 real_ip_recursive on;
 
 lua_package_path '${{LUA_PACKAGE_PATH}};;';
@@ -141,4 +141,4 @@ server {
         return 200 'User-agent: *\nDisallow: /';
     }
 }
-]]
+]]
diff --git a/spec/01-unit/02-conf_loader_spec.lua b/spec/01-unit/02-conf_loader_spec.lua
@@ -9,6 +9,7 @@ describe("Configuration loader", function()
     assert.equal("0.0.0.0:8001", conf.admin_listen)
     assert.equal("0.0.0.0:8000", conf.proxy_listen)
     assert.equal("0.0.0.0:8443", conf.proxy_listen_ssl)
+    assert.equal("0.0.0.0/0", conf.proxy_set_real_ip_from)
     assert.is_nil(conf.ssl_cert) -- check placeholder value
     assert.is_nil(conf.ssl_cert_key)
     assert.is_nil(getmetatable(conf))

diff --git a/spec/fixtures/custom_nginx.template b/spec/fixtures/custom_nginx.template
@@ -24,7 +24,7 @@ http {
     underscores_in_headers on;
 
     real_ip_header X-Forwarded-For;
-    set_real_ip_from 0.0.0.0/0;
+    set_real_ip_from ${{PROXY_SET_REAL_IP_FROM}};
     real_ip_recursive on;
 
     lua_package_path '${{LUA_PACKAGE_PATH}};;';