From 7408849b61d5bcba38afb24b8e590aceee2b6e63 Mon Sep 17 00:00:00 2001
From: Joe Corall <joe@libops.io>
Date: Fri, 31 May 2024 17:18:13 -0400
Subject: [PATCH 1/2] Add additional environment variables to better support ISLE deployments behind reverse proxies
---
 nginx/Dockerfile | 3 +++
 nginx/README.md | 3 +++
 nginx/rootfs/etc/confd/templates/nginx.conf.tmpl | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 3c24aff8..ee9015ae 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -71,8 +71,11 @@ ENV \
 NGINX_PROXY_READ_TIMEOUT=60s \
 NGINX_PROXY_SEND_TIMEOUT=60s \
 NGINX_REAL_IP_HEADER=X-Forwarded-For \
+ NGINX_REAL_IP_RECURSIVE=off \
 NGINX_SEND_TIMEOUT=60s \
 NGINX_SET_REAL_IP_FROM=172.0.0.0/8 \
+ NGINX_SET_REAL_IP_FROM2=172.0.0.0/8 \
+ NGINX_SET_REAL_IP_FROM3=172.0.0.0/8 \
 NGINX_WORKER_CONNECTIONS=1024 \
 NGINX_WORKER_PROCESSES=auto \
 PHP_DEFAULT_SOCKET_TIMEOUT=60 \
diff --git a/nginx/README.md b/nginx/README.md
index 84757abb..4899c39e 100644
--- a/nginx/README.md
+++ b/nginx/README.md
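Review bot: In the nginx/Dockerfile hunk, the new `NGINX_SET_REAL_IP_FROM2` and `NGINX_SET_REAL_IP_FROM3` defaults repeat `172.0.0.0/8`, which is much wider than the RFC 1918 private block `172.16.0.0/12` and includes publicly routable addresses. Any peer in that range that can reach nginx directly is trusted to supply the header named by `NGINX_REAL_IP_HEADER`, so the recorded client address can be chosen by the sender. A default such as `NGINX_SET_REAL_IP_FROM2=172.16.0.0/12 \` would keep the extra slots from widening trust until an operator sets them; the existing `NGINX_SET_REAL_IP_FROM` line carries the same value but is not changed by this commit. The `ENV` block starts and ends outside the hunk.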
@@ -36,8 +36,11 @@ Requires `islandora/base` docker image to build. Please refer to the
 | NGINX_PROXY_READ_TIMEOUT | 60s | Timeout for reading a response from the proxied server |
 | NGINX_PROXY_SEND_TIMEOUT | 60s | Timeout for transmitting a request to the proxied server |
 | NGINX_REAL_IP_HEADER | X-Forwarded-For | Request header field whose value will be used to replace the client address. |
+| NGINX_REAL_IP_RECURSIVE | off | See https://nginx.org/en/docs/http/ngx_http_realip_module.html |
 | NGINX_SEND_TIMEOUT | 60s | Timeout for transmitting a response to the client |
 | NGINX_SET_REAL_IP_FROM | 172.0.0.0/8 | Trusted addresses that are known to send correct replacement addresses |
+| NGINX_SET_REAL_IP_FROM2 | 172.0.0.0/8 | Trusted addresses that are known to send correct replacement addresses |
+| NGINX_SET_REAL_IP_FROM3 | 172.0.0.0/8 | Trusted addresses that are known to send correct replacement addresses |
 | NGINX_WORKER_CONNECTIONS | 1024 | The maximum number of simultaneous connections that can be opened by a worker process |
 | NGINX_WORKER_PROCESSES | auto | Set number of worker processes automatically based on number of CPU cores |
diff --git a/nginx/rootfs/etc/confd/templates/nginx.conf.tmpl b/nginx/rootfs/etc/confd/templates/nginx.conf.tmpl
index 4d62c5a1..2f6e8e8f 100644
--- a/nginx/rootfs/etc/confd/templates/nginx.conf.tmpl
+++ b/nginx/rootfs/etc/confd/templates/nginx.conf.tmpl
@@ -155,7 +155,10 @@ http {
 # Sets the client IP to print in logs
 real_ip_header {{ getenv "NGINX_REAL_IP_HEADER" }};
+ real_ip_recursive {{ getenv "NGINX_REAL_IP_RECURSIVE" }};
 set_real_ip_from {{ getenv "NGINX_SET_REAL_IP_FROM" }};
+ set_real_ip_from {{ getenv "NGINX_SET_REAL_IP_FROM2" }};
+ set_real_ip_from {{ getenv "NGINX_SET_REAL_IP_FROM3" }};
 # Includes virtual hosts configs.
 include /etc/nginx/http.d/*.conf;
From 58db2a4931924921a494b78c6c32b9f475fd9267 Mon Sep 17 00:00:00 2001
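Review bot: In the nginx.conf.tmpl hunk, the two added `set_real_ip_from` lines are rendered unconditionally, so an operator who clears `NGINX_SET_REAL_IP_FROM2` or `NGINX_SET_REAL_IP_FROM3` because only one proxy range is needed would likely end up with `set_real_ip_from ;`, which nginx rejects when loading the config. Guarding each line, e.g. `{{ if getenv "NGINX_SET_REAL_IP_FROM2" }}set_real_ip_from {{ getenv "NGINX_SET_REAL_IP_FROM2" }};{{ end }}`, lets unused slots stay empty instead of being padded with another trusted range. The comment above the directives would be more accurate as `# Replaces the client address ($remote_addr, logs) with the value sent by a trusted proxy`, and a second comment noting that `real_ip_recursive on` is only appropriate when every `set_real_ip_from` range is a proxy the operator controls would help whoever tunes these values. The `http` block starts and ends outside the hunk.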
From: Joe Corall <jjc223@lehigh.edu>
Date: Fri, 31 May 2024 17:19:16 -0400
Subject: [PATCH 2/2] Update README.md
---
 nginx/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nginx/README.md b/nginx/README.md
index 4899c39e..bc115dad 100644
--- a/nginx/README.md
+++ b/nginx/README.md
@@ -39,7 +39,7 @@ Requires `islandora/base` docker image to build. Please refer to the
 | NGINX_REAL_IP_RECURSIVE | off | See https://nginx.org/en/docs/http/ngx_http_realip_module.html |
 | NGINX_SEND_TIMEOUT | 60s | Timeout for transmitting a response to the client |
 | NGINX_SET_REAL_IP_FROM | 172.0.0.0/8 | Trusted addresses that are known to send correct replacement addresses |
-| NGINX_SET_REAL_IP_FROM2 | 172.0.0.0/8 | Trusted addresses that are known to send correct replacement addresses |
+| NGINX_SET_REAL_IP_FROM2 | 172.0.0.0/8 | Trusted addresses that are known to send correct replacement addresses |
 | NGINX_SET_REAL_IP_FROM3 | 172.0.0.0/8 | Trusted addresses that are known to send correct replacement addresses |
 | NGINX_WORKER_CONNECTIONS | 1024 | The maximum number of simultaneous connections that can be opened by a worker process |
 | NGINX_WORKER_PROCESSES | auto | Set number of worker processes automatically based on number of CPU cores |