Merge pull request #1312 from aledbf/custom-header

Allow custom forwarded for header
kubernetes · Sep 7, 2017 · d8c7166 · d8c7166
2 parents e05ac9b + c24e212
commit d8c7166
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 7 deletions.
diff --git a/controllers/nginx/pkg/config/config.go b/controllers/nginx/pkg/config/config.go
@@ -352,6 +352,10 @@ type Configuration struct {
 
 	// Sets the ipv6 addresses on which the server will accept requests.
 	BindAddressIpv6 []string `json:"bind-address-ipv6,omitempty"`
+
+	// Sets the header field for identifying the originating IP address of a client
+	// Default is X-Forwarded-For
+	ForwardedForHeader string `json:"forwarded-for-header,omitempty"`
 }
 
 // NewDefault returns the default nginx configuration
@@ -370,6 +374,7 @@ func NewDefault() Configuration {
 		EnableDynamicTLSRecords:    true,
 		EnableUnderscoresInHeaders: false,
 		ErrorLogLevel:              errorLevel,
+		ForwardedForHeader:         "X-Forwarded-For",
 		HTTP2MaxFieldSize:          "4k",
 		HTTP2MaxHeaderSize:         "16k",
 		HSTS:                       true,

diff --git a/controllers/nginx/pkg/template/template.go b/controllers/nginx/pkg/template/template.go
@@ -157,6 +157,7 @@ var (
 		},
 		"buildAuthSignURL":            buildAuthSignURL,
 		"isValidClientBodyBufferSize": isValidClientBodyBufferSize,
+		"buildForwardedFor":           buildForwardedFor,
 	}
 )
 
@@ -640,3 +641,14 @@ func getIngressInformation(i, p interface{}) *ingressInformation {
 
 	return info
 }
+
+func buildForwardedFor(input interface{}) string {
+	s, ok := input.(string)
+	if !ok {
+		glog.Errorf("expected an string type but %T was returned", input)
+	}
+
+	ffh := strings.Replace(s, "-", "_", -1)
+	ffh = strings.ToLower(ffh)
+	return fmt.Sprintf("$http_%v", ffh)
+}
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -29,7 +29,7 @@ http {
     {{ if $cfg.UseProxyProtocol }}
     real_ip_header      proxy_protocol;
     {{ else }}
-    real_ip_header      X-Forwarded-For;
+    real_ip_header      {{ $cfg.ForwardedForHeader }};
     {{ end }}
 
     real_ip_recursive   on;
@@ -154,17 +154,14 @@ http {
        ''                $server_port;
     }
 
+    map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip {
+        default          {{ buildForwardedFor $cfg.ForwardedForHeader }};
     {{ if $cfg.UseProxyProtocol }}
-    map $http_x_forwarded_for $the_real_ip {
-        default          $http_x_forwarded_for;
         ''               $proxy_protocol_addr;
-    }
     {{ else }}
-    map $http_x_forwarded_for $the_real_ip {
-        default          $http_x_forwarded_for;
         ''               $realip_remote_addr;
-    }
     {{ end }}
+    }
 
     {{ if $all.IsSSLPassthroughEnabled }}
     # map port {{ $all.ListenPorts.SSLProxy }} to 443 for header X-Forwarded-Port