feat(proxy) X-Forwarded-* upstream headers #2236
Conversation
Partially fixes #2202
bungle
force-pushed
the
feat/hop-to-hop-headers
branch
7 times, most recently
from
aa9d19e to
475e653
Compare
bungle
force-pushed
the
feat/hop-to-hop-headers
branch
2 times, most recently
from
cf47c58 to
56c080c
Compare
* Introduce trusted_ips config property * Introduce real_ip_header * New lua-resty-mediador * Implement logic to validate client ips as trusted * Implement Lua logic for the X-Forwarded-For upstream header * Related tests (renamed real_ip test suite to upstream_headers) Fix #2202
bungle
force-pushed
the
feat/hop-to-hop-headers
branch
from
56c080c to
8e2fcb1
Compare
…at/hop-to-hop-headers # Conflicts: # kong/core/handler.lua # spec/02-integration/05-proxy/02-upstream_headers_spec.lua
CHANGELOG.md
Outdated
|
|
||
| - :fireworks: Configurable `X-Forwarded-*` and `X-Real-IP` upstream headers. | ||
| [#2236](https://github.com/Mashape/kong/pull/2236) | ||
| - :fireworks: Support for The PROXY protocol. |
There was a problem hiding this comment.
pedantic: lowercase 'the'
| read more about this change from our | ||
| [0.10.x Proxy Reference](https://getkong.org/docs/0.10.x/proxy/) | ||
| and | ||
| [0.10.x Configuration Reference](https://getkong.org/docs/0.10.x/configuration/) |
There was a problem hiding this comment.
note to self: slightly rephrase for merge
kong/templates/nginx_kong.lua
Outdated
| proxy_set_header Upgrade $upstream_upgrade; | ||
| proxy_set_header Connection $upstream_connection; | ||
| proxy_pass_header Server; | ||
| proxy_pass_header Date; |
There was a problem hiding this comment.
note: We should also mention this in the changelog and add it to the proxy guide list of forwarded headers from upstream
| } | ||
| end | ||
|
|
||
| if trust_all_ipv4 and trust_all_ipv6 then |
There was a problem hiding this comment.
note: we need to make sure to document that one needs both ipv4 and ipv6 forms specified to "trust all"
(but tbh, I feel like we should respect the --with-ipv6 option of Nginx, and ignore all IPv6 settings/values if support is not enabled in Nginx)
There was a problem hiding this comment.
Wasn't it so that --with-ipv6 was dropped already from Nginx mainline, or does OpenResty still continue having them somehow?
There was a problem hiding this comment.
Yeah sorry I wasn't very clear here. Yes, --with-ipv6 was dropped. What I meant is split in 2 parts:
- I think that users should be able to enable/disable ipv6 support through Kong
- Currently doable via the
--with-nginxoption check in the current OpenResty (I think1.11.2still has it? not sure?), but in the future, the need for disabling ipv6 will be even greater, because the OS might support ipv6, but not the network, and we cannot rely on the--with-ipv6option anymore to assume what the user wanted, hence, it simply increased the need for this behavior to be configurable.
There was a problem hiding this comment.
Do you think this is enough for now:
Kong/docs.konghq.com@2775f51#diff-9e30b1ff312829ea15c5647e63e8ba8aR468
kong/templates/nginx_kong.lua
Outdated
| map $http_x_forwarded_port $upstream_x_forwarded_port { | ||
| default $http_x_forwarded_port; | ||
| '' $server_port; | ||
| } |
There was a problem hiding this comment.
Any reason why we're not handling those in the Lua logic but need those maps again instead? I don't remember if there was a special case that they handle in lieu of an else in the Lua code?
There was a problem hiding this comment.
We just initialize the vars with defaults. We can do it in Lua land as well.
There was a problem hiding this comment.
That would avoid having pieces of the logic in two different places indeed
| end) | ||
| end) | ||
|
|
||
| describe("with the downstream host preserved (pending: because the test fails to connect to API when preserve_host = true)", function() |
There was a problem hiding this comment.
Maybe we can remove this "pending" comment now? Assuming this was related to one of the recent fixes on master
| var.upstream_x_forwarded_for = http_x_forwarded_for .. ", " .. realip_remote_addr | ||
|
|
||
| else | ||
| var.upstream_x_forwarded_for = var.remote_addr |
There was a problem hiding this comment.
I think some comments here would be very beneficial to avoid future confusion, regarding the usage of realip_remote_addr vs var.remove_addr, and why we need to build the X-Forwarded-For upstream header ourselves (due to the ngx_http_proxy_module limitation we discovered).
bungle
force-pushed
the
feat/hop-to-hop-headers
branch
from
75be12b to
79c2743
Compare
| -- is okay for us to use it in case no X-Forwarded-For header was present. | ||
| -- But in case it was given, we will append the $realip_remote_addr that | ||
| -- contains the IP that was originally in $remote_addr before realip module | ||
| -- overrode that (aka the client that connected us). |
There was a problem hiding this comment.
👍 great! This will give future contributors a good reason as to why things are done like this
kong/core/handler.lua
Outdated
| balancer_address.hostname..":"..balancer_address.port | ||
|
|
||
| -- Keep-Alive and WebSocket Protocol Upgrade Headers | ||
| if var.http_upgrade == "websocket" then |
There was a problem hiding this comment.
Sorry if you thought I implied that we should move those as well in the Lua-land. I only meant to apply changes to the PR that apply to this scope, and did not mean to add extra work to it! It would have been perfectly if this had stayed in the Nginx configuration. Maybe it still should be moved back there to avoid introducing breaking changes? As of this stands, we perform a case-sensitive check on the content of those headers, and that is a breaking change since Nginx's map is case-insensitive.
Sorry for the misunderstanding!
There was a problem hiding this comment.
While I was doing it, I thought, why not do them all similarly in Lua-land (they are somewhat related). But that case-insensitivity thing was something I didn't think about. Great catch! Basically two choices, case insensitive match on Lua or move them back to maps?
There was a problem hiding this comment.
@thibaultcha, I pushed a patch to make case-insensitive comparison on Lua-land. I can always move it back to map, but I like this because it keeps our user facing nginx.conf cleaner.
There was a problem hiding this comment.
I like this because it keeps our user facing nginx.conf cleaner.
Exactly, we should keep it on the Lua-land indeed.
|
(In the future, please don't merge next or master in your branch. Rebasing is fine though. Thanks!) |
kong/core/handler.lua
Outdated
| local http_x_forwarded_for = var.http_x_forwarded_for | ||
|
|
|
Merged to |
|
@thibaultcha can this be also merged into |
|
It doesn't look like this actually made it into 0.10.2 - any word on when it will be released? |
|
This is scheduled for 0.11 as it introduces some breaking changes. |
Summary
Implementation of #2202, taking care of all
X-Forwarded-*upstream headers and introducing configuration options for the ngx_http_realip_module.Full changelog
trusted_ipsconfig propertyreal_ip_headerconfig propertytrusted_ipsconfig valueX-Forwarded-Forupstream headerIssues resolved
Fix #2202, #2240