Refactor X-Forwarded-* headers

This commit is contained in:
Manuel de Brito Fontes 2017-09-17 15:03:05 -03:00
parent f478084cd8
commit f38f49e770
5 changed files with 85 additions and 15 deletions


@ -143,6 +143,14 @@ http {
'' close;
}
{{ if (trustHTTPHeaders $cfg) }}
# Trust HTTP X-Forwarded-* Headers, but use direct values if they're missing.
map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip {
# Get IP address from X-Forwarded-For HTTP header
default {{ buildForwardedFor $cfg.ForwardedForHeader }};
'' $realip_remote_addr;
}
# trust http_x_forwarded_proto headers correctly indicate ssl offloading
map $http_x_forwarded_proto $pass_access_scheme {
default $http_x_forwarded_proto;
@ -150,20 +158,44 @@ http {
}
map $http_x_forwarded_port $pass_server_port {
default $http_x_forwarded_port;
'' $server_port;
default $http_x_forwarded_port;
'' $server_port;
}
map $http_x_forwarded_host $best_http_host {
default $http_x_forwarded_host;
'' $this_host;
}
map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip {
default {{ buildForwardedFor $cfg.ForwardedForHeader }};
"~*(?<ip>[0-9\.]+).*" $ip;
{{ if $cfg.UseProxyProtocol }}
'' $proxy_protocol_addr;
{{ else }}
'' $realip_remote_addr;
# Do not trust HTTP X-Forwarded-* Headers
map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip {
{{ if (trustProxyProtocol $cfg) }}
# Get IP address from Proxy Protocol
{{ if (ne (len $cfg.ProxyRealIPCIDR) 0) }}
# using trusted real IP CIDR
default $realip_remote_addr;
{{ else }}
default $proxy_protocol_addr;
{{ end }}
{{ else }}
# Get IP from direct remote address
default $realip_remote_addr;
{{ end }}
}
map $http_x_forwarded_host $best_http_host {
default $this_host;
}
map $http_x_forwarded_proto $pass_access_scheme {
default $scheme;
}
map $http_x_forwarded_port $pass_server_port {
default $server_port;
}
{{ end }}
{{ if $all.IsSSLPassthroughEnabled }}
# map port {{ $all.ListenPorts.SSLProxy }} to 443 for header X-Forwarded-Port
map $pass_server_port $pass_port {
@ -198,11 +230,6 @@ http {
'' $host;
}
map $http_x_forwarded_host $best_http_host {
default $http_x_forwarded_host;
'' $this_host;
}
server_name_in_redirect off;
port_in_redirect off;
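Review bot: In the trusted branch of the first hunk, the new `$the_real_ip` map (the `map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip` block with `default` and `''` entries only) no longer carries the `"~*(?<ip>[0-9\.]+).*" $ip;` entry that the old map in the second hunk had, so when the forwarded-for header holds a comma-separated chain (`client, proxy1, proxy2`) the variable now carries the whole list instead of the first address. Any consumer of `$the_real_ip` that expects a single IP (the X-Real-IP header sent upstream, IP allow-lists) will see that format change; those consumers are outside this diff, so this is inferred from the variable's name and the removed regex. Since `trustHTTPHeaders` already decides whether the header is believed at all, consider restoring a first-address extraction in the trusted map, e.g. `"~^(?<ip>[^,]+)" $ip;` anchored at the start of the value, because the old pattern matched only dotted IPv4 and matched anywhere in the string. In the second hunk's untrusted branch, the `trustProxyProtocol` case with a non-empty `ProxyRealIPCIDR` resolves to `$realip_remote_addr`, which in the realip module is the address before substitution (the connection peer), so please confirm against the `real_ip_header` setup outside this view that `$remote_addr` was not the intended value there. The enclosing `http {` block starts before the first hunk and ends after the last one.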