From 855be47ba819b51f0c653c2f8f7ae074b3c19b54 Mon Sep 17 00:00:00 2001
From: Ricardo Pchevuzinske Katz
Date: Tue, 22 Aug 2017 17:21:37 -0300
Subject: [PATCH 1/2] Improve NGINX template security

---
 .../nginx/rootfs/etc/nginx/template/nginx.tmpl | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index 9dca204fca..2d70004c5e 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -134,6 +134,7 @@ http {
 '' close;
 }
 
+ {{ if $cfg.UseProxyProtocol }}
 # trust http_x_forwarded_proto headers correctly indicate ssl offloading
 map $http_x_forwarded_proto $pass_access_scheme {
 default $http_x_forwarded_proto;
@@ -145,16 +146,24 @@ http {
 '' $server_port;
 }
 
- {{ if $cfg.UseProxyProtocol }}
 map $http_x_forwarded_for $the_real_ip {
 default $http_x_forwarded_for;
 '' $proxy_protocol_addr;
 }
 {{ else }}
+
+ map $http_x_forwarded_proto $pass_access_scheme {
+ default $scheme;
+ }
+
+ map $http_x_forwarded_port $pass_server_port {
+ default $server_port;
+ }
+
 map $http_x_forwarded_for $the_real_ip {
- default $http_x_forwarded_for;
- '' $realip_remote_addr;
+ default $remote_addr;
 }
+
 {{ end }}
 
 {{ if $all.IsSSLPassthroughEnabled }}
@@ -259,7 +268,7 @@ http {
 {{ end }}
 
 upstream {{ $upstream.Name }} {
- # Load balance algorithm; empty for round robin, which is the default
+ {{/* Load balance algorithm; empty for round robin, which is the default */}}
 {{ if ne $cfg.LoadBalanceAlgorithm "round_robin" }}
 {{ $cfg.LoadBalanceAlgorithm }};
 {{ end }}

From f49e756d47ae1629f0759f2e980cd3ef68321670 Mon Sep 17 00:00:00 2001
From: Ricardo Pchevuzinske Katz
Date: Tue, 22 Aug 2017 17:28:51 -0300
Subject: [PATCH 2/2] Improve NGINX template security

---
 controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
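Review bot: Inside the `{{ if $cfg.UseProxyProtocol }}` block this hunk opens, `$pass_access_scheme` still defaults to the raw `$http_x_forwarded_proto`, a value PROXY protocol does not carry — the header arrives from whoever sent the HTTP request, so a client behind a TCP-only balancer can still assert `https`, and anything downstream that keys on `$pass_access_scheme` for SSL-redirect decisions (not visible in this hunk) would be skipped. The hardening given to the non-PROXY branch in the next hunk (mapping straight to `$scheme`) seems to apply here as well, unless an L7 proxy in front is assumed to overwrite the header. If that assumption is intended, state it next to the map: `# PROXY protocol carries only the peer address; X-Forwarded-Proto/-Port are trusted here only because an L7 proxy in front is expected to set them`. The `{{ if }}` opened here is closed in the following hunk, so the enclosing block extends beyond this hunk.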
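Review bot: In the new `{{ else }}` branch `$the_real_ip` becomes `$remote_addr` unconditionally, which is only the client address if the realip module rewrites it from a trusted proxy; with the second patch in this series removing `real_ip_header X-Forwarded-For` and the `set_real_ip_from` loop for this branch, a deployment behind an L7 load balancer that does not speak PROXY protocol will see the balancer's address in geoip lookups, access logs and any allow-list built on `$the_real_ip`. Dropping the old `default $http_x_forwarded_for` is right, since a client can set that header itself, but the trust decision belongs in `set_real_ip_from` — honour X-Forwarded-For only from peers in `$cfg.ProxyRealIPCIDR`, with `real_ip_recursive on` so the rightmost untrusted hop wins — rather than in discarding the header altogether. I would also document the dependency above the new map: `# $remote_addr is the TCP peer; it is the real client only where the realip module rewrites it from a proxy listed in proxy-real-ip-cidr`. The `{{ if $cfg.UseProxyProtocol }}` this branch belongs to is opened in the previous hunk.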
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index 2d70004c5e..af076b2150 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -28,14 +28,12 @@ http {
 {{/* we use the value of the header X-Forwarded-For to be able to use the geo_ip module */}}
 {{ if $cfg.UseProxyProtocol }}
 real_ip_header proxy_protocol;
- {{ else }}
- real_ip_header X-Forwarded-For;
- {{ end }}
 
 real_ip_recursive on;
 {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
 set_real_ip_from {{ $trusted_ip }};
 {{ end }}
+ {{ end }}
 
 {{/* databases used to determine the country depending on the client IP address */}}
 {{/* http://nginx.org/en/docs/http/ngx_http_geoip_module.html */}}
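Review bot: Moving `real_ip_recursive on` and the `set_real_ip_from` loop inside `{{ if $cfg.UseProxyProtocol }}` while deleting `real_ip_header X-Forwarded-For` leaves the non-PROXY-protocol configuration with no realip directives at all, so `$remote_addr` — which patch 1 of this series now assigns to `$the_real_ip` — is the raw TCP peer, typically the load balancer or node rather than the client. If the motivation is an over-permissive default for `proxy-real-ip-cidr` (its default is not visible here), the fix is to tighten that default: with `set_real_ip_from` limited to genuine proxy ranges and `real_ip_recursive on`, an untrusted client cannot inject an address, so keeping `real_ip_header X-Forwarded-For;` in an `{{ else }}` branch and applying the `set_real_ip_from` loop in both branches is safe and preserves client IPs behind L7 balancers. Note also that `real_ip_recursive on` has no effect with `proxy_protocol` (a single address), so retaining it only in that branch is misleading. The template comment kept above the block, `we use the value of the header X-Forwarded-For …`, is now stale for a configuration that never reads that header and should be reworded or removed.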