From 1b3f0acde1572e6f83c53fef620884856a7dffa4 Mon Sep 17 00:00:00 2001
From: Remington Reackhof
Date: Wed, 28 Jun 2017 09:53:08 -0500
Subject: [PATCH] add configmap and template changes for comma separated proxy-real-ip-cidr list

---
 controllers/nginx/pkg/config/config.go | 7 +++----
 controllers/nginx/pkg/template/configmap.go | 9 +++++++++
 controllers/nginx/pkg/template/configmap_test.go | 2 ++
 controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl | 8 ++++++--
 4 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/controllers/nginx/pkg/config/config.go b/controllers/nginx/pkg/config/config.go
index 27fab96d36..799c37b3d5 100644
--- a/controllers/nginx/pkg/config/config.go
+++ b/controllers/nginx/pkg/config/config.go
@@ -43,9 +43,6 @@ const (
 // max-age is the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
 hstsMaxAge = "15724800"
- // If UseProxyProtocol is enabled defIPCIDR defines the default the IP/network address of your external load balancer
- defIPCIDR = "0.0.0.0/0"
-
 gzipTypes = "application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component"
 logFormatUpstream = `%v - [$the_real_ip] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status`
@@ -198,7 +195,7 @@ type Configuration struct {
 // If UseProxyProtocol is enabled ProxyRealIPCIDR defines the default the IP/network address
 // of your external load balancer
- ProxyRealIPCIDR string `json:"proxy-real-ip-cidr,omitempty"`
+ ProxyRealIPCIDR []string `json:"proxy-real-ip-cidr,omitempty"`
 // Sets the name of the configmap that contains the headers to pass to the backend
 ProxySetHeaders string `json:"proxy-set-headers,omitempty"`
@@ -305,6 +302,8 @@ type Configuration struct {
 // NewDefault returns the default nginx configuration
 func NewDefault() Configuration {
+ defIPCIDR := make([]string, 0)
+ defIPCIDR = append(defIPCIDR, "0.0.0.0/0")
 cfg := Configuration{
 AllowBackendServerHeader: false,
 ClientHeaderBufferSize: "1k",
diff --git a/controllers/nginx/pkg/template/configmap.go b/controllers/nginx/pkg/template/configmap.go
index 0597faa7eb..577a816e56 100644
--- a/controllers/nginx/pkg/template/configmap.go
+++ b/controllers/nginx/pkg/template/configmap.go
@@ -30,6 +30,7 @@ const (
 customHTTPErrors = "custom-http-errors"
 skipAccessLogUrls = "skip-access-log-urls"
 whitelistSourceRange = "whitelist-source-range"
+ proxyRealIPCIDR = "proxy-real-ip-cidr"
 )
 // ReadConfig obtains the configuration defined by the user merged with the defaults.
@@ -45,6 +46,7 @@ func ReadConfig(src map[string]string) config.Configuration {
 errors := make([]int, 0)
 skipUrls := make([]string, 0)
 whitelist := make([]string, 0)
+ proxylist := make([]string, 0)
 if val, ok := conf[customHTTPErrors]; ok {
 delete(conf, customHTTPErrors)
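Review bot: The doc comment above the retyped `ProxyRealIPCIDR` field is now stale: it still describes a single "IP/network address" and conditions it on `UseProxyProtocol`, while the field is a list and the template emits `set_real_ip_from` for each entry in both the proxy-protocol and the `X-Forwarded-For` branch. I would replace the two comment lines with `// ProxyRealIPCIDR lists the CIDRs (comma separated in the configmap) of the load balancers trusted to set the client address via the PROXY protocol or X-Forwarded-For.` and add `// The default 0.0.0.0/0 trusts every peer, so a direct client can supply its own address; narrow it in production.` The `Configuration` struct starts and ends outside this hunk.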
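Review bot: The two added lines in `NewDefault` build a one-element slice the long way, and the comment that documented the deleted `defIPCIDR` constant was dropped with it, so the default that trusts every peer is now undocumented. A literal reads better and keeps the note: `// Trust every peer by default; operators should narrow this to their load balancer's ranges.` followed by `defIPCIDR := []string{"0.0.0.0/0"}`. The same `"0.0.0.0/0"` literal is repeated as a fallback in `ReadConfig`; keeping it in one place avoids the two drifting apart. `NewDefault`'s body, including where `defIPCIDR` is used, continues past the hunk.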
@@ -65,11 +67,18 @@ func ReadConfig(src map[string]string) config.Configuration {
 delete(conf, whitelistSourceRange)
 whitelist = append(whitelist, strings.Split(val, ",")...)
 }
+ if val, ok := conf[proxyRealIPCIDR]; ok {
+ delete(conf, proxyRealIPCIDR)
+ proxylist = append(proxylist, strings.Split(val, ",")...)
+ } else {
+ proxylist = append(proxylist, "0.0.0.0/0")
+ }
 to := config.NewDefault()
 to.CustomHTTPErrors = filterErrors(errors)
 to.SkipAccessLogURLs = skipUrls
 to.WhitelistSourceRange = whitelist
+ to.ProxyRealIPCIDR = proxylist
 config := &mapstructure.DecoderConfig{
 Metadata: nil,
diff --git a/controllers/nginx/pkg/template/configmap_test.go b/controllers/nginx/pkg/template/configmap_test.go
index 130a452a60..aadfb83c78 100644
--- a/controllers/nginx/pkg/template/configmap_test.go
+++ b/controllers/nginx/pkg/template/configmap_test.go
@@ -42,6 +42,7 @@ func TestMergeConfigMapToStruct(t *testing.T) {
 "use-gzip": "true",
 "enable-dynamic-tls-records": "false",
 "gzip-types": "text/html",
+ "proxy-real-ip-cidr": "1.1.1.1/8,2.2.2.2/24",
 }
 def := config.NewDefault()
 def.CustomHTTPErrors = []int{300, 400}
@@ -52,6 +53,7 @@ func TestMergeConfigMapToStruct(t *testing.T) {
 def.EnableDynamicTLSRecords = false
 def.UseProxyProtocol = true
 def.GzipTypes = "text/html"
+ def.ProxyRealIPCIDR = []string{"1.1.1.1/8", "2.2.2.2/24"}
 to := ReadConfig(conf)
 if diff := pretty.Compare(to, def); diff != "" {
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index e95f2d53c3..bb289fc591 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
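Review bot: The new `proxyRealIPCIDR` branch splits on `,` without trimming, so a value such as `""` or `"1.1.1.1/8, "` yields an empty entry that the template renders as `set_real_ip_from ;`, which nginx rejects and the whole generated config fails to load. The `else` branch also re-states the `"0.0.0.0/0"` default that `config.NewDefault()` already sets two lines later, and the unconditional `to.ProxyRealIPCIDR = proxylist` then overwrites it, so the fallback lives in two places; assigning only when the key was present keeps one source of truth and lets an explicitly empty list mean "trust no proxy" instead of silently widening to everyone. Entry validation with `net.ParseCIDR` would be a reasonable follow-up, but note nginx's `set_real_ip_from` also accepts bare addresses and `unix:`, so a strict CIDR check would reject configs that work today; I have not seen the file's imports, so I left that out. `ReadConfig` continues past the hunk.
```go
	proxylistSet := false
	if val, ok := conf[proxyRealIPCIDR]; ok {
		delete(conf, proxyRealIPCIDR)
		proxylistSet = true
		for _, cidr := range strings.Split(val, ",") {
			// Tolerate "a, b" spacing and trailing commas: an empty entry would
			// render as `set_real_ip_from ;` and make nginx refuse the config.
			if cidr = strings.TrimSpace(cidr); cidr != "" {
				proxylist = append(proxylist, cidr)
			}
		}
	}
	// … unchanged: to := config.NewDefault() and the other field assignments …
	// Only override NewDefault's 0.0.0.0/0 when the key was given, so the
	// fallback lives in one place; an explicitly empty list trusts no proxy.
	if proxylistSet {
		to.ProxyRealIPCIDR = proxylist
	}
```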
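Review bot: The added test data pins only the happy path for `proxy-real-ip-cidr`; the fallback when the key is absent, which is where the trust-everyone default comes from, is not asserted anywhere in the hunk. Unless another case in this file already does so, a second map without the key with `def.ProxyRealIPCIDR = []string{"0.0.0.0/0"}` would lock that behaviour in, and a value with spaces such as `"1.1.1.1/8, 2.2.2.2/24"` would document what the splitter does with them. `TestMergeConfigMapToStruct` starts and ends outside this hunk.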
@@ -20,10 +20,14 @@ events {
 http {
 {{/* we use the value of the header X-Forwarded-For to be able to use the geo_ip module */}}
 {{ if $cfg.UseProxyProtocol }}
- set_real_ip_from {{ $cfg.ProxyRealIPCIDR }};
+ {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
+ set_real_ip_from {{ $trusted_ip }};
+ {{ end }}
 real_ip_header proxy_protocol;
 {{ else }}
- set_real_ip_from {{ $cfg.ProxyRealIPCIDR }};
+ {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
+ set_real_ip_from {{ $trusted_ip }};
+ {{ end }}
 real_ip_header X-Forwarded-For;
 {{ end }}
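Review bot: The `range` over `$cfg.ProxyRealIPCIDR` is pasted verbatim into both arms of `{{ if $cfg.UseProxyProtocol }}`; only the `real_ip_header` line differs, so the loop can be hoisted above the `if` and the branches reduced to that single directive, which also prevents the two copies drifting apart. Worth a template comment next to the loop as well: with the shipped default of `0.0.0.0/0` in the `X-Forwarded-For` branch, every direct client is a trusted proxy and can set the address that ends up in `$the_real_ip` (used by the upstream log format in this patch), so operators must narrow the list; I would add `{{/* entries here are trusted to set the client IP; the 0.0.0.0/0 default trusts everyone */}}`. The `http {` block continues past the hunk.
```nginx
    {{/* entries here are trusted to set the client IP; the 0.0.0.0/0 default trusts everyone */}}
    {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
    set_real_ip_from {{ $trusted_ip }};
    {{ end }}
    {{ if $cfg.UseProxyProtocol }}
    real_ip_header proxy_protocol;
    {{ else }}
    real_ip_header X-Forwarded-For;
    {{ end }}
```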