fix incorrect real ip for ssl-passthrough

1. this implemention can work together with 'use-forwarded-for: "true"' and 'compute-full-forwarded-for: "true"'. 2. this fix breaks function of 'use-proxy-protocol: "true"' 3. this fix can not be cherrypicked to latest ingress-nginx, because 9af574a (>=0.26.0) refactor the real ip code in nginx.tmpl Signed-off-by: Huanle Han <hanhuanle@caicloud.io>
caicloud · Feb 9, 2021 · 1170ec4 · 1170ec4
1 parent 95466a3
commit 1170ec4
Showing 1 changed file with 19 additions and 6 deletions.
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
@@ -284,7 +284,12 @@ http {
 
     # The following is a sneaky way to do "set $the_real_ip $remote_addr"
     # Needed because using set is not allowed outside server blocks.
-    map '' $the_real_ip {
+    map "$remote_addr:$server_port" $the_real_ip {
+    # set $the_real_ip $proxy_protocol_addr for sslProxy connection (from 127.0.0.1:* to 127.0.0.1:442 )
+    {{ if $all.IsSSLPassthroughEnabled }}
+        "127.0.0.1:{{ $all.ListenPorts.SSLProxy }}"   $proxy_protocol_addr;
+    {{ end }}
+
     {{ if $cfg.UseProxyProtocol }}
         # Get IP address from Proxy Protocol
         default          $proxy_protocol_addr;
@@ -363,15 +368,23 @@ http {
     {{ if and $cfg.UseForwardedHeaders $cfg.ComputeFullForwardedFor }}
     # We can't use $proxy_add_x_forwarded_for because the realip module
     # replaces the remote_addr too soon
-    map $http_x_forwarded_for $full_x_forwarded_for {
+
+    map "$realip_remote_addr:$server_port" $previous_ip {
+        {{ if $all.IsSSLPassthroughEnabled }}
+            "127.0.0.1:{{ $all.ListenPorts.SSLProxy }}"   $proxy_protocol_addr;
+        {{ end }}
+
         {{ if $all.Cfg.UseProxyProtocol }}
-        default          "$http_x_forwarded_for, $proxy_protocol_addr";
-        ''               "$proxy_protocol_addr";
+        default          "$proxy_protocol_addr";
         {{ else }}
-        default          "$http_x_forwarded_for, $realip_remote_addr";
-        ''               "$realip_remote_addr";
+        default          "$realip_remote_addr";
         {{ end}}
     }
+
+    map $http_x_forwarded_for $full_x_forwarded_for {
+        default          "$http_x_forwarded_for, $previous_ip";
+        ''               "$previous_ip";
+    }
     {{ end }}
 
     # Create a variable that contains the literal $ character.