Refactor X-Forwarded-* headers #1381
@@ -33,6 +33,7 @@ import ( | |
|
||
"github.com/pborman/uuid" | ||
|
||
apiv1 "k8s.io/api/core/v1" | ||
extensions "k8s.io/api/extensions/v1beta1" | ||
"k8s.io/apimachinery/pkg/util/sets" | ||
"k8s.io/ingress/controllers/nginx/pkg/config" | ||
|
@@ -159,6 +160,8 @@ var ( | |
"buildAuthSignURL": buildAuthSignURL, | ||
"isValidClientBodyBufferSize": isValidClientBodyBufferSize, | ||
"buildForwardedFor": buildForwardedFor, | ||
"trustHTTPHeaders": trustHTTPHeaders, | ||
"trustProxyProtocol": trustProxyProtocol, | ||
} | ||
) | ||
|
||
|
@@ -658,3 +661,24 @@ func buildForwardedFor(input interface{}) string { | |
ffh = strings.ToLower(ffh) | ||
return fmt.Sprintf("$http_%v", ffh) | ||
} | ||
|
||
func trustHTTPHeaders(input interface{}) bool { | ||
conf, ok := input.(config.TemplateConfig) | ||
if !ok { | ||
return true | ||
} | ||
|
||
return conf.Cfg.RealClientFrom == "http-proxy" || | ||
(conf.Cfg.RealClientFrom == "auto" && !conf.Cfg.UseProxyProtocol && | ||
(conf.PublishService != nil && conf.PublishService.Spec.Type == apiv1.ServiceTypeLoadBalancer)) | ||
} | ||
|
||
func trustProxyProtocol(input interface{}) bool { | ||
conf, ok := input.(config.TemplateConfig) | ||
if !ok { | ||
return true | ||
} | ||
|
||
return conf.Cfg.RealClientFrom == "tcp-proxy" || | ||
(conf.Cfg.RealClientFrom == "auto" && !conf.Cfg.UseProxyProtocol) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I could be wrong, but shouldn't this be |
||
} |
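Review bot: Both new helpers fail open: when the assertion `conf, ok := input.(config.TemplateConfig)` does not hold, trustHTTPHeaders and trustProxyProtocol return `true`, so any mismatch between what the template passes and what the helper expects makes nginx trust client-supplied X-Forwarded-For/Proto/Host — the spoofing this refactor exists to gate. Return `false` in each `!ok` branch (ideally logging the unexpected type) so a wiring mistake degrades to "direct remote address" rather than to an IP-spoofing hole, with a comment such as `// Fail closed: an unexpected input type must never enable header trust.`. The `auto` arm of trustProxyProtocol also reads as inverted — it trusts `$proxy_protocol_addr` only when `!conf.Cfg.UseProxyProtocol`, yet that variable only carries a real address when proxy protocol is enabled; `(conf.Cfg.RealClientFrom == "auto" && conf.Cfg.UseProxyProtocol)` looks intended, worth confirming against the `{{ if $cfg.UseProxyProtocol }}` branch it replaces in nginx.tmpl.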
@@ -143,27 +143,59 @@ http { | |
'' close; | ||
} | ||
|
||
{{ if (trustHTTPHeaders $cfg) }} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. For some reason, trustHTTPHeaders is always returning true for me. This block here is always being created regardless of whether I set real-client-from: "http-proxy" or real-client-from: "tcp-proxy". I checked to make sure whether it's loading real-client-from properly by setting an invalid value, and it does seem to show up on the logs and sets to "auto" so I'm almost certain this value is being read up to trustHTTPHeaders. |
||
# Trust HTTP X-Forwarded-* Headers, but use direct values if they're missing. | ||
map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip { | ||
# Get IP address from X-Forwarded-For HTTP header | ||
default {{ buildForwardedFor $cfg.ForwardedForHeader }}; | ||
'' $realip_remote_addr; | ||
} | ||
|
||
# trust http_x_forwarded_proto headers correctly indicate ssl offloading | ||
map $http_x_forwarded_proto $pass_access_scheme { | ||
default $http_x_forwarded_proto; | ||
'' $scheme; | ||
} | ||
|
||
map $http_x_forwarded_port $pass_server_port { | ||
default $http_x_forwarded_port; | ||
'' $server_port; | ||
default $http_x_forwarded_port; | ||
'' $server_port; | ||
} | ||
|
||
map $http_x_forwarded_host $best_http_host { | ||
default $http_x_forwarded_host; | ||
'' $this_host; | ||
} | ||
|
||
{{ else }} | ||
# Do not trust HTTP X-Forwarded-* Headers | ||
map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip { | ||
default {{ buildForwardedFor $cfg.ForwardedForHeader }}; | ||
"~*(?<ip>[0-9\.]+).*" $ip; | ||
{{ if $cfg.UseProxyProtocol }} | ||
'' $proxy_protocol_addr; | ||
{{ if (trustProxyProtocol $cfg) }} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Shouldn't this be $all instead of $cfg, as defined also in trustHTTPHeaders? I'm facing an issue here, that even when UseProxyProtocol is false, it's returning a 'true' value here, using $proxy_protocol_addr instead of $realip_remote_addr. Edit: After changing this to $all in my template, it works fine. I'm now going to test this with other options to see what's the behaviour. |
||
# Get IP address from Proxy Protocol | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This wasn't created for me after setting real-client-from: "tcp-proxy" |
||
{{ if (ne (len $cfg.ProxyRealIPCIDR) 0) }} | ||
# using trusted real IP CIDR | ||
default $realip_remote_addr; | ||
{{ else }} | ||
'' $realip_remote_addr; | ||
default $proxy_protocol_addr; | ||
{{ end }} | ||
{{ else }} | ||
# Get IP from direct remote address | ||
default $realip_remote_addr; | ||
{{ end }} | ||
} | ||
|
||
map $http_x_forwarded_host $best_http_host { | ||
default $this_host; | ||
} | ||
map $http_x_forwarded_proto $pass_access_scheme { | ||
default $scheme; | ||
} | ||
map $http_x_forwarded_port $pass_server_port { | ||
default $server_port; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Indentation could be used here. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. done |
||
} | ||
|
||
{{ end }} | ||
|
||
{{ if $all.IsSSLPassthroughEnabled }} | ||
# map port {{ $all.ListenPorts.SSLProxy }} to 443 for header X-Forwarded-Port | ||
map $pass_server_port $pass_port { | ||
|
@@ -198,11 +230,6 @@ http { | |
'' $host; | ||
} | ||
|
||
map $http_x_forwarded_host $best_http_host { | ||
default $http_x_forwarded_host; | ||
'' $this_host; | ||
} | ||
|
||
server_name_in_redirect off; | ||
port_in_redirect off; | ||
|
||
|
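Review bot: The untrusted branch of the `$the_real_ip` map still keys on the client header: under `# Do not trust HTTP X-Forwarded-* Headers` it is `map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip`, and if the `default {{ buildForwardedFor $cfg.ForwardedForHeader }};` and `"~*(?<ip>[0-9\.]+).*" $ip;` entries are on the new side (this rendering has lost the +/- markers), a request carrying X-Forwarded-For still sets $the_real_ip from it and only an empty header falls through to `$proxy_protocol_addr` / `$realip_remote_addr`. In that branch the map should carry no header-derived entry at all — just the branch-specific `default $proxy_protocol_addr;` or `default $realip_remote_addr;` — and a comment such as `# key is irrelevant here: the header is deliberately ignored` would stop the next reader from re-adding one. Note that nginx refuses a map with two `default` entries, so the header `default` and the branch `default` cannot coexist either way. Separately, the trusted branch passes `$http_x_forwarded_proto` through unvalidated into `$pass_access_scheme`; restricting it with `"~*^https?$" $http_x_forwarded_proto;` and letting everything else fall to `$scheme` keeps a misbehaving upstream proxy from placing arbitrary text into redirect URLs.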
(Continuing from my comment on nginx.tmpl:146)
Maybe !ok always evaluates to true here.
Could you check if input.(config.TemplateConfig) is returning conf correctly? Or maybe I'm missing something..
fixed