Skip to content

Commit

Permalink
update stream servers config
Browse files Browse the repository at this point in the history
  • Loading branch information
@salonichf5
salonichf5 committed Aug 27, 2024
1 parent 209b920 commit 481b183
Show file tree
Hide file tree
Showing 6 changed files with 99 additions and 49 deletions.
10 changes: 1 addition & 9 deletions internal/mode/static/nginx/config/http/config.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,7 @@ type ProxySSLVerify struct {
// ServerConfig holds configuration for an HTTP server and IP family to be used by NGINX.
type ServerConfig struct {
Servers []Server
RewriteClientIP RewriteClientIPSettings
RewriteClientIP shared.RewriteClientIPSettings
IPFamily shared.IPFamily
Plus bool
}
Expand All @@ -120,11 +120,3 @@ type Include struct {
Name string
Content []byte
}

// RewriteClientIP holds the configuration for the rewrite client IP settings.
type RewriteClientIPSettings struct {
RealIPHeader string
RealIPFrom []string
Recursive bool
ProxyProtocol bool
}
4 changes: 2 additions & 2 deletions internal/mode/static/nginx/config/servers.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -909,8 +909,8 @@ func isNonSlashedPrefixPath(pathType dataplane.PathType, path string) bool {
}

// getRewriteClientIPSettings returns the configuration for the rewriting client IP settings.
func getRewriteClientIPSettings(rewriteIP dataplane.RewriteClientIPSettings) http.RewriteClientIPSettings {
return http.RewriteClientIPSettings{
func getRewriteClientIPSettings(rewriteIP dataplane.RewriteClientIPSettings) shared.RewriteClientIPSettings {
return shared.RewriteClientIPSettings{
Recursive: rewriteIP.IPRecursive,
ProxyProtocol: rewriteIP.Mode == dataplane.RewriteIPModeProxyProtocol,
RealIPFrom: rewriteIP.TrustedCIDRs,
Expand Down
34 changes: 23 additions & 11 deletions internal/mode/static/nginx/config/servers_template.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,13 +15,17 @@ server {
listen [::]:{{ $s.Listen }} ssl default_server{{ $proxyProtocol }};
{{- end }}
ssl_reject_handshake on;
{{- range $cidr := $.RewriteClientIP.RealIPFrom }}
{{- if and ($.RewriteClientIP.ProxyProtocol) ($s.IsSocket)}}
set_real_ip_from unix:;
{{- else if (not $s.IsSocket)}}
{{- range $cidr := $.RewriteClientIP.RealIPFrom }}
set_real_ip_from {{ $cidr }};
{{- end}}
{{- if $.RewriteClientIP.RealIPHeader}}
{{- end}}
{{ end }}
{{- if and ($.RewriteClientIP.RealIPHeader) (not $s.IsSocket)}}
real_ip_header {{ $.RewriteClientIP.RealIPHeader }};
{{- end}}
{{- if $.RewriteClientIP.Recursive }}
{{- if and ($.RewriteClientIP.Recursive) (not $s.IsSocket)}}
real_ip_recursive on;
{{ end }}
}
Expand All @@ -33,13 +37,17 @@ server {
{{- if $.IPFamily.IPv6 }}
listen [::]:{{ $s.Listen }} default_server{{ $proxyProtocol }};
{{- end }}
{{- range $cidr := $.RewriteClientIP.RealIPFrom }}
{{- if and ($.RewriteClientIP.ProxyProtocol) ($s.IsSocket)}}
set_real_ip_from unix:;
{{- else if (not $s.IsSocket)}}
{{- range $cidr := $.RewriteClientIP.RealIPFrom }}
set_real_ip_from {{ $cidr }};
{{- end}}
{{- if $.RewriteClientIP.RealIPHeader}}
{{- end}}
{{ end }}
{{- if and ($.RewriteClientIP.RealIPHeader) (not $s.IsSocket)}}
real_ip_header {{ $.RewriteClientIP.RealIPHeader }};
{{- end}}
{{- if $.RewriteClientIP.Recursive }}
{{- if and ($.RewriteClientIP.Recursive) (not $s.IsSocket)}}
real_ip_recursive on;
{{ end }}
default_type text/html;
Expand Down Expand Up @@ -79,13 +87,17 @@ server {
include {{ $i.Name }};
{{- end }}
{{- range $cidr := $.RewriteClientIP.RealIPFrom }}
{{- if and ($.RewriteClientIP.ProxyProtocol) ($s.IsSocket)}}
set_real_ip_from unix:;
{{- else if (not $s.IsSocket)}}
{{- range $cidr := $.RewriteClientIP.RealIPFrom }}
set_real_ip_from {{ $cidr }};
{{- end}}
{{- if $.RewriteClientIP.RealIPHeader}}
{{ end }}
{{- if and ($.RewriteClientIP.RealIPHeader) (not $s.IsSocket)}}
real_ip_header {{ $.RewriteClientIP.RealIPHeader }};
{{- end}}
{{- if $.RewriteClientIP.Recursive }}
{{- if and ($.RewriteClientIP.Recursive) (not $s.IsSocket)}}
real_ip_recursive on;
{{ end }}
Expand Down
85 changes: 61 additions & 24 deletions internal/mode/static/nginx/config/servers_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -284,37 +284,40 @@ func TestExecuteServers_IPFamily(t *testing.T) {
}

func TestExecuteServers_RewriteClientIP(t *testing.T) {
httpServers := []dataplane.VirtualServer{
{
IsDefault: true,
Port: 8080,
},
{
Hostname: "example.com",
Port: 8080,
},
}

sslServers := []dataplane.VirtualServer{
{
IsDefault: true,
Port: 8443,
},
{
Hostname: "example.com",
SSL: &dataplane.SSL{
KeyPairID: "test-keypair",
},
Port: 8443,
},
}
tests := []struct {
msg string
expectedHTTPConfig map[string]int
config dataplane.Configuration
}{
{
msg: "http and ssl servers with rewrite client IP settings",
msg: "rewrite client IP settings configured with proxy protocol",
config: dataplane.Configuration{
HTTPServers: []dataplane.VirtualServer{
{
IsDefault: true,
Port: 8080,
},
{
Hostname: "example.com",
Port: 8080,
},
},
SSLServers: []dataplane.VirtualServer{
{
IsDefault: true,
Port: 8443,
},
{
Hostname: "example.com",
SSL: &dataplane.SSL{
KeyPairID: "test-keypair",
},
Port: 8443,
},
},
HTTPServers: httpServers,
SSLServers: sslServers,
BaseHTTPConfig: dataplane.BaseHTTPConfig{
IPFamily: dataplane.Dual,
RewriteClientIPSettings: dataplane.RewriteClientIPSettings{
Expand All @@ -328,6 +331,7 @@ func TestExecuteServers_RewriteClientIP(t *testing.T) {
"set_real_ip_from 0.0.0.0/0;": 4,
"real_ip_header proxy_protocol;": 4,
"real_ip_recursive on;": 4,
"proxy_protocol on;": 0,
"listen 8080 default_server proxy_protocol;": 1,
"listen 8080 proxy_protocol;": 1,
"listen 8443 ssl default_server proxy_protocol;": 1,
Expand All @@ -342,6 +346,39 @@ func TestExecuteServers_RewriteClientIP(t *testing.T) {
"listen [::]:8443 ssl proxy_protocol;": 1,
},
},
{
msg: "rewrite client IP settings configured with x-forwarded-for",
config: dataplane.Configuration{
HTTPServers: httpServers,
SSLServers: sslServers,
BaseHTTPConfig: dataplane.BaseHTTPConfig{
IPFamily: dataplane.Dual,
RewriteClientIPSettings: dataplane.RewriteClientIPSettings{
Mode: dataplane.RewriteIPModeXForwardedFor,
TrustedCIDRs: []string{"0.0.0.0/0"},
IPRecursive: true,
},
},
},
expectedHTTPConfig: map[string]int{
"set_real_ip_from 0.0.0.0/0;": 4,
"real_ip_header X-Forwarded-For;": 4,
"real_ip_recursive on;": 4,
"proxy_protocol on;": 0,
"listen 8080 default_server;": 1,
"listen 8080;": 1,
"listen 8443 ssl default_server;": 1,
"listen 8443 ssl;": 1,
"server_name example.com;": 2,
"ssl_certificate /etc/nginx/secrets/test-keypair.pem;": 1,
"ssl_certificate_key /etc/nginx/secrets/test-keypair.pem;": 1,
"ssl_reject_handshake on;": 1,
"listen [::]:8080 default_server;": 1,
"listen [::]:8080;": 1,
"listen [::]:8443 ssl default_server;": 1,
"listen [::]:8443 ssl;": 1,
},
},
}

for _, test := range tests {
Expand Down
8 changes: 8 additions & 0 deletions internal/mode/static/nginx/config/shared/config.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,11 @@ type IPFamily struct {
IPv4 bool
IPv6 bool
}

// RewriteClientIP holds the configuration for the rewrite client IP settings.
type RewriteClientIPSettings struct {
RealIPHeader string
RealIPFrom []string
Recursive bool
ProxyProtocol bool
}
7 changes: 4 additions & 3 deletions internal/mode/static/nginx/config/stream/config.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,8 @@ type UpstreamServer struct {

// ServerConfig holds configuration for a stream server and IP family to be used by NGINX.
type ServerConfig struct {
Servers []Server
IPFamily shared.IPFamily
Plus bool
Servers []Server
RewriteClientIP shared.RewriteClientIPSettings
IPFamily shared.IPFamily
Plus bool
}

0 comments on commit 481b183

Please sign in to comment.