Refactor X-Forwarded-* headers

2017-09-17 15:03:05 -03:00 · 2017-09-17 15:03:05 -03:00 · f38f49e770
commit f38f49e770
parent f478084cd8
5 changed files with 85 additions and 15 deletions
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@ -143,6 +143,14 @@ http {
        ''               close;
    }

+    {{ if (trustHTTPHeaders $cfg) }}
+    # Trust HTTP X-Forwarded-* Headers, but use direct values if they're missing.
+    map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip {
+        # Get IP address from X-Forwarded-For HTTP header
+        default          {{ buildForwardedFor $cfg.ForwardedForHeader }};
+        ''               $realip_remote_addr;
+    }
+
    # trust http_x_forwarded_proto headers correctly indicate ssl offloading
    map $http_x_forwarded_proto $pass_access_scheme {
        default          $http_x_forwarded_proto;
@ -150,20 +158,44 @@ http {
    }

    map $http_x_forwarded_port $pass_server_port {
-       default           $http_x_forwarded_port;
-       ''                $server_port;
+        default           $http_x_forwarded_port;
+        ''                $server_port;
+    }
+
+    map $http_x_forwarded_host $best_http_host {
+        default          $http_x_forwarded_host;
+        ''               $this_host;
    }

-    map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip {
-        default          {{ buildForwardedFor $cfg.ForwardedForHeader }};
-        "~*(?<ip>[0-9\.]+).*"     $ip;
-    {{ if $cfg.UseProxyProtocol }}
-        ''               $proxy_protocol_addr;
    {{ else }}
-        ''               $realip_remote_addr;
+    # Do not trust HTTP X-Forwarded-* Headers
+    map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip {
+    {{ if (trustProxyProtocol $cfg) }}
+        # Get IP address from Proxy Protocol
+    {{ if (ne (len $cfg.ProxyRealIPCIDR) 0) }}
+        # using trusted real IP CIDR
+        default          $realip_remote_addr;
+    {{ else }}
+        default          $proxy_protocol_addr;
+    {{ end }}
+    {{ else }}
+        # Get IP from direct remote address
+        default          $realip_remote_addr;
    {{ end }}
    }

+    map $http_x_forwarded_host $best_http_host {
+        default          $this_host;
+    }
+    map $http_x_forwarded_proto $pass_access_scheme {
+        default          $scheme;
+    }
+    map $http_x_forwarded_port $pass_server_port {
+    default           $server_port;
+    }
+
+    {{ end }}
+
    {{ if $all.IsSSLPassthroughEnabled }}
    # map port {{ $all.ListenPorts.SSLProxy }} to 443 for header X-Forwarded-Port
    map $pass_server_port $pass_port {
@ -198,11 +230,6 @@ http {
        ''               $host;
    }

-    map $http_x_forwarded_host $best_http_host {
-        default          $http_x_forwarded_host;
-        ''               $this_host;
-    }
-
    server_name_in_redirect off;
    port_in_redirect        off;