From c24e212aace129ec38c536763822c56b03317cdd Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Thu, 7 Sep 2017 18:11:23 -0300
Subject: [PATCH] Allow custom forwarded for header
---
 controllers/nginx/pkg/config/config.go | 5 +++++
 controllers/nginx/pkg/template/template.go | 12 ++++++++++++
 .../nginx/rootfs/etc/nginx/template/nginx.tmpl | 11 ++++-------
 3 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/controllers/nginx/pkg/config/config.go b/controllers/nginx/pkg/config/config.go
index 4e1b5373a2..cace7b7bd0 100644
--- a/controllers/nginx/pkg/config/config.go
+++ b/controllers/nginx/pkg/config/config.go
@@ -352,6 +352,10 @@ type Configuration struct {
 // Sets the ipv6 addresses on which the server will accept requests.
 BindAddressIpv6 []string `json:"bind-address-ipv6,omitempty"`
+
+ // Sets the header field for identifying the originating IP address of a client
+ // Default is X-Forwarded-For
+ ForwardedForHeader string `json:"forwarded-for-header,omitempty"`
 }
 // NewDefault returns the default nginx configuration
@@ -370,6 +374,7 @@ func NewDefault() Configuration {
 EnableDynamicTLSRecords: true,
 EnableUnderscoresInHeaders: false,
 ErrorLogLevel: errorLevel,
+ ForwardedForHeader: "X-Forwarded-For",
 HTTP2MaxFieldSize: "4k",
 HTTP2MaxHeaderSize: "16k",
 HSTS: true,
diff --git a/controllers/nginx/pkg/template/template.go b/controllers/nginx/pkg/template/template.go
index 25c487c61c..ab8e8c451c 100644
--- a/controllers/nginx/pkg/template/template.go
+++ b/controllers/nginx/pkg/template/template.go
@@ -157,6 +157,7 @@ var (
 },
 "buildAuthSignURL": buildAuthSignURL,
 "isValidClientBodyBufferSize": isValidClientBodyBufferSize,
+ "buildForwardedFor": buildForwardedFor,
 }
 )
@@ -640,3 +641,14 @@ func getIngressInformation(i, p interface{}) *ingressInformation {
 return info
 }
+
+func buildForwardedFor(input interface{}) string {
+ s, ok := input.(string)
+ if !ok {
+ glog.Errorf("expected an string type but %T was returned", input)
+ }
+
+ ffh := strings.Replace(s, "-", "_", -1)
+ ffh = strings.ToLower(ffh)
+ return fmt.Sprintf("$http_%v", ffh)
+}
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index f3b83e4add..fc1e98fb07 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -29,7 +29,7 @@ http {
 {{ if $cfg.UseProxyProtocol }}
 real_ip_header proxy_protocol;
 {{ else }}
- real_ip_header X-Forwarded-For;
+ real_ip_header {{ $cfg.ForwardedForHeader }};
 {{ end }}
 real_ip_recursive on;
@@ -154,17 +154,14 @@ http {
 '' $server_port;
 }
+ map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip {
+ default {{ buildForwardedFor $cfg.ForwardedForHeader }};
 {{ if $cfg.UseProxyProtocol }}
- map $http_x_forwarded_for $the_real_ip {
- default $http_x_forwarded_for;
 '' $proxy_protocol_addr;
- }
 {{ else }}
- map $http_x_forwarded_for $the_real_ip {
- default $http_x_forwarded_for;
 '' $realip_remote_addr;
- }
 {{ end }}
+ }
 {{ if $all.IsSSLPassthroughEnabled }}
 # map port {{ $all.ListenPorts.SSLProxy }} to 443 for header X-Forwarded-Port
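Review bot: buildForwardedFor carries on after a failed type assertion and never checks what the string contains, so a wrong type or an empty `forwarded-for-header` renders the bare variable `$http_`, and a value containing whitespace, `;` or braces is copied into nginx.conf as extra directive text. The same unchecked value is written by `real_ip_header {{ $cfg.ForwardedForHeader }};` in the first nginx.tmpl hunk, which this helper cannot protect, so the check belongs where the setting is read (not visible in this patch). The version below at least makes the helper fall back to the default variable when the name is not a plain header token. It also adds the missing doc comment and corrects "an string" in the log message.

```go
// buildForwardedFor converts a header name such as X-Forwarded-For into the
// matching nginx variable ($http_x_forwarded_for). A value that is not a
// plain header name falls back to the default header's variable.
func buildForwardedFor(input interface{}) string {
	const fallback = "$http_x_forwarded_for"

	s, ok := input.(string)
	if !ok {
		glog.Errorf("expected a string type but %T was returned", input)
		return fallback
	}
	if s == "" {
		return fallback
	}
	for _, r := range s {
		alnum := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
		if !alnum && r != '-' {
			glog.Errorf("invalid forwarded-for header name %q", s)
			return fallback
		}
	}

	// … unchanged: replace "-" with "_", lowercase, prefix with $http_ …
}
```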
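Review bot: In the second nginx.tmpl hunk, `$the_real_ip` defaults to the raw value of whichever request header is configured (`default {{ buildForwardedFor $cfg.ForwardedForHeader }};`), not to the address the realip module resolved, and nothing in the template or the config comment says so. If `$the_real_ip` feeds logging, rate limiting or allow-lists further down (not visible in this hunk), the value is only as trustworthy as the fronting proxy's handling of that header, which matters more now that operators can point it at an arbitrary header. I would add a template comment above the map, e.g. `# $the_real_ip carries the client-supplied header value as-is; rely on it only when the edge proxy overwrites this header`, and repeat the caveat on the `ForwardedForHeader` field comment in config.go. The `http` block starts and ends outside the hunk.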