Fix: #2236 (comment)

Kong · Apr 11, 2017 · 79c2743 · 79c2743
1 parent d966e41
commit 79c2743
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 70 deletions.
diff --git a/kong/core/handler.lua b/kong/core/handler.lua
@@ -124,22 +124,44 @@ return {
       var.upstream_host = host_header or
           balancer_address.hostname..":"..balancer_address.port
 
-      -- X-Forwarded Headers
-      local realip_remote_addr = var.realip_remote_addr
+      -- Keep-Alive and WebWocket Protocol Upgrade Headers
+      if var.http_upgrade == "websocket" then
+        var.upstream_connection = "upgrade"
+        var.upstream_upgrade    = "websocket"
 
-      if not singletons.ip.trusted(realip_remote_addr) then
-        var.upstream_x_forwarded_proto = var.scheme
-        var.upstream_x_forwarded_host  = var.host
-        var.upstream_x_forwarded_port  = var.server_port
+      else
+        var.upstream_connection = "keep-alive"
       end
 
+      -- X-Forwarded Headers
+      --
+      -- We could use $proxy_add_x_forwarded_for, but it does not work properly
+      -- with the realip module. The realip module overrides $remote_addr and it
+      -- is okay for us to use it in case no X-Forwarded-For header was present.
+      -- But in case it was given, we will append the $realip_remote_addr that
+      -- contains the IP that was originally in $remote_addr before realip module
+      -- overrode that (aka the client that connected us).
+
+      local realip_remote_addr   = var.realip_remote_addr
       local http_x_forwarded_for = var.http_x_forwarded_for
+
       if http_x_forwarded_for then
         var.upstream_x_forwarded_for = http_x_forwarded_for .. ", " .. realip_remote_addr
 
       else
         var.upstream_x_forwarded_for = var.remote_addr
       end
+
+      if singletons.ip.trusted(realip_remote_addr) then
+        var.upstream_x_forwarded_proto = var.http_x_forwarded_proto or var.scheme
+        var.upstream_x_forwarded_host  = var.http_x_forwarded_host  or var.host
+        var.upstream_x_forwarded_port  = var.http_x_forwarded_port  or var.server_port
+
+      else
+        var.upstream_x_forwarded_proto = var.scheme
+        var.upstream_x_forwarded_host  = var.host
+        var.upstream_x_forwarded_port  = var.server_port
+      end
     end,
     -- Only executed if the `router` module found an API and allows nginx to proxy it.
     after = function()

diff --git a/kong/templates/nginx_kong.lua b/kong/templates/nginx_kong.lua
@@ -60,31 +60,6 @@ upstream kong_upstream {
     keepalive ${{UPSTREAM_KEEPALIVE}};
 }
 
-map $http_upgrade $upstream_connection {
-    default   keep-alive;
-    websocket upgrade;
-}
-
-map $http_upgrade $upstream_upgrade {
-    default   '';
-    websocket websocket;
-}
-
-map $http_x_forwarded_proto $upstream_x_forwarded_proto {
-    default $http_x_forwarded_proto;
-    ''      $scheme;
-}
-
-map $http_x_forwarded_host $upstream_x_forwarded_host {
-    default $http_x_forwarded_host;
-    ''      $host;
-}
-
-map $http_x_forwarded_port $upstream_x_forwarded_port {
-    default $http_x_forwarded_port;
-    ''      $server_port;
-}
-
 server {
     server_name kong;
 > if real_ip_header == "proxy_protocol" then
@@ -118,23 +93,28 @@ server {
 > end
 
     location / {
-        set $upstream_host              nil;
-        set $upstream_scheme            nil;
-        set $upstream_x_forwarded_for   nil;
+        set $upstream_host               '';
+        set $upstream_upgrade            '';
+        set $upstream_connection         '';
+        set $upstream_scheme             '';
+        set $upstream_x_forwarded_for    '';
+        set $upstream_x_forwarded_proto  '';
+        set $upstream_x_forwarded_host   '';
+        set $upstream_x_forwarded_port   '';
 
         access_by_lua_block {
             kong.access()
         }
 
         proxy_http_version 1.1;
-        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   Host              $upstream_host;
+        proxy_set_header   Upgrade           $upstream_upgrade;
+        proxy_set_header   Connection        $upstream_connection;
         proxy_set_header   X-Forwarded-For   $upstream_x_forwarded_for;
         proxy_set_header   X-Forwarded-Proto $upstream_x_forwarded_proto;
         proxy_set_header   X-Forwarded-Host  $upstream_x_forwarded_host;
         proxy_set_header   X-Forwarded-Port  $upstream_x_forwarded_port;
-        proxy_set_header   Host              $upstream_host;
-        proxy_set_header   Upgrade           $upstream_upgrade;
-        proxy_set_header   Connection        $upstream_connection;
+        proxy_set_header   X-Real-IP         $remote_addr;
         proxy_pass_header  Server;
         proxy_pass_header  Date;
         proxy_pass         $upstream_scheme://kong_upstream;

diff --git a/spec/fixtures/custom_nginx.template b/spec/fixtures/custom_nginx.template
@@ -71,31 +71,6 @@ http {
         keepalive ${{UPSTREAM_KEEPALIVE}};
     }
 
-    map $http_upgrade $upstream_connection {
-        default   keep-alive;
-        websocket upgrade;
-    }
-
-    map $http_upgrade $upstream_upgrade {
-        default   '';
-        websocket websocket;
-    }
-
-    map $http_x_forwarded_proto $upstream_x_forwarded_proto {
-        default $http_x_forwarded_proto;
-        ''      $scheme;
-    }
-
-    map $http_x_forwarded_host $upstream_x_forwarded_host {
-        default $http_x_forwarded_host;
-        ''      $host;
-    }
-
-    map $http_x_forwarded_port $upstream_x_forwarded_port {
-        default $http_x_forwarded_port;
-        ''      $server_port;
-    }
-
     server {
         server_name kong;
 > if real_ip_header == "proxy_protocol" then
@@ -129,23 +104,28 @@ http {
 > end
 
         location / {
-            set $upstream_host              nil;
-            set $upstream_scheme            nil;
-            set $upstream_x_forwarded_for   nil;
+            set $upstream_host               '';
+            set $upstream_upgrade            '';
+            set $upstream_connection         '';
+            set $upstream_scheme             '';
+            set $upstream_x_forwarded_for    '';
+            set $upstream_x_forwarded_proto  '';
+            set $upstream_x_forwarded_host   '';
+            set $upstream_x_forwarded_port   '';
 
             access_by_lua_block {
                 kong.access()
             }
 
             proxy_http_version 1.1;
-            proxy_set_header   X-Real-IP         $remote_addr;
+            proxy_set_header   Host              $upstream_host;
+            proxy_set_header   Upgrade           $upstream_upgrade;
+            proxy_set_header   Connection        $upstream_connection;
             proxy_set_header   X-Forwarded-For   $upstream_x_forwarded_for;
             proxy_set_header   X-Forwarded-Proto $upstream_x_forwarded_proto;
             proxy_set_header   X-Forwarded-Host  $upstream_x_forwarded_host;
             proxy_set_header   X-Forwarded-Port  $upstream_x_forwarded_port;
-            proxy_set_header   Host              $upstream_host;
-            proxy_set_header   Upgrade           $upstream_upgrade;
-            proxy_set_header   Connection        $upstream_connection;
+            proxy_set_header   X-Real-IP         $remote_addr;
             proxy_pass_header  Server;
             proxy_pass_header  Date;
             proxy_pass         $upstream_scheme://kong_upstream;