From 7408849b61d5bcba38afb24b8e590aceee2b6e63 Mon Sep 17 00:00:00 2001
From: Joe Corall <joe@libops.io>
Date: Fri, 31 May 2024 17:18:13 -0400
Subject: [PATCH 1/2] Add additional environment variables to better support
 ISLE deployments behind reverse proxies

---
 nginx/Dockerfile                                 | 3 +++
 nginx/README.md                                  | 3 +++
 nginx/rootfs/etc/confd/templates/nginx.conf.tmpl | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 3c24aff8..ee9015ae 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -71,8 +71,11 @@ ENV \
     NGINX_PROXY_READ_TIMEOUT=60s \
     NGINX_PROXY_SEND_TIMEOUT=60s \
     NGINX_REAL_IP_HEADER=X-Forwarded-For \
+    NGINX_REAL_IP_RECURSIVE=off \
     NGINX_SEND_TIMEOUT=60s \
     NGINX_SET_REAL_IP_FROM=172.0.0.0/8 \
+    NGINX_SET_REAL_IP_FROM2=172.0.0.0/8 \
+    NGINX_SET_REAL_IP_FROM3=172.0.0.0/8 \
     NGINX_WORKER_CONNECTIONS=1024 \
     NGINX_WORKER_PROCESSES=auto \
     PHP_DEFAULT_SOCKET_TIMEOUT=60 \
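Review bot: The new defaults `NGINX_SET_REAL_IP_FROM2=172.0.0.0/8` and `NGINX_SET_REAL_IP_FROM3=172.0.0.0/8` repeat a trusted range that is wider than the private block it appears to target. RFC 1918 reserves only 172.16.0.0/12, so 172.0.0.0/8 also trusts publicly routable addresses. A peer in that space that can reach nginx directly would have its `X-Forwarded-For` value accepted as the client address, which affects the logs and any IP-based access control or rate limiting downstream. Consider `172.16.0.0/12` for the new defaults (and the existing `NGINX_SET_REAL_IP_FROM` in a follow-up), since two slots that duplicate the first add no trust information. The ENV block starts and ends outside the hunk.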
diff --git a/nginx/README.md b/nginx/README.md
index 84757abb..4899c39e 100644
--- a/nginx/README.md
+++ b/nginx/README.md
@@ -36,8 +36,11 @@ Requires `islandora/base` docker image to build. Please refer to the
 | NGINX_PROXY_READ_TIMEOUT      | 60s             | Timeout for reading a response from the proxied server                                |
 | NGINX_PROXY_SEND_TIMEOUT      | 60s             | Timeout for transmitting a request to the proxied server                              |
 | NGINX_REAL_IP_HEADER          | X-Forwarded-For | Request header field whose value will be used to replace the client address.          |
+| NGINX_REAL_IP_RECURSIVE       | off             | See https://nginx.org/en/docs/http/ngx_http_realip_module.html         |
 | NGINX_SEND_TIMEOUT            | 60s             | Timeout for transmitting a response to the client                                     |
 | NGINX_SET_REAL_IP_FROM        | 172.0.0.0/8     | Trusted addresses that are known to send correct replacement addresses                |
+| NGINX_SET_REAL_IP_FROM2        | 172.0.0.0/8     | Trusted addresses that are known to send correct replacement addresses                |
+| NGINX_SET_REAL_IP_FROM3       | 172.0.0.0/8     | Trusted addresses that are known to send correct replacement addresses                |
 | NGINX_WORKER_CONNECTIONS      | 1024            | The maximum number of simultaneous connections that can be opened by a worker process |
 | NGINX_WORKER_PROCESSES        | auto            | Set number of worker processes automatically based on number of CPU cores             |
 
diff --git a/nginx/rootfs/etc/confd/templates/nginx.conf.tmpl b/nginx/rootfs/etc/confd/templates/nginx.conf.tmpl
index 4d62c5a1..2f6e8e8f 100644
--- a/nginx/rootfs/etc/confd/templates/nginx.conf.tmpl
+++ b/nginx/rootfs/etc/confd/templates/nginx.conf.tmpl
@@ -155,7 +155,10 @@ http {
 
         # Sets the client IP to print in logs
         real_ip_header {{ getenv "NGINX_REAL_IP_HEADER" }};
+        real_ip_recursive {{ getenv "NGINX_REAL_IP_RECURSIVE" }};
         set_real_ip_from {{ getenv "NGINX_SET_REAL_IP_FROM" }};
+        set_real_ip_from {{ getenv "NGINX_SET_REAL_IP_FROM2" }};
+        set_real_ip_from {{ getenv "NGINX_SET_REAL_IP_FROM3" }};
 
         # Includes virtual hosts configs.
         include /etc/nginx/http.d/*.conf;
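Review bot: The two added `set_real_ip_from` lines render unconditionally, so a deployment that sets `NGINX_SET_REAL_IP_FROM2` or `NGINX_SET_REAL_IP_FROM3` to an empty string would get `set_real_ip_from ;`, which nginx should reject at config load. Guard each optional slot, for example `{{ if getenv "NGINX_SET_REAL_IP_FROM2" }}set_real_ip_from {{ getenv "NGINX_SET_REAL_IP_FROM2" }};{{ end }}`. The comment above could also be extended to `# Sets the client IP to print in logs; only peers matched by set_real_ip_from may supply it, and with real_ip_recursive off the last address in the header is used`. The enclosing http block starts and ends outside the hunk.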

From 58db2a4931924921a494b78c6c32b9f475fd9267 Mon Sep 17 00:00:00 2001
From: Joe Corall <jjc223@lehigh.edu>
Date: Fri, 31 May 2024 17:19:16 -0400
Subject: [PATCH 2/2] Update README.md

---
 nginx/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nginx/README.md b/nginx/README.md
index 4899c39e..bc115dad 100644
--- a/nginx/README.md
+++ b/nginx/README.md
@@ -39,7 +39,7 @@ Requires `islandora/base` docker image to build. Please refer to the
 | NGINX_REAL_IP_RECURSIVE       | off             | See https://nginx.org/en/docs/http/ngx_http_realip_module.html         |
 | NGINX_SEND_TIMEOUT            | 60s             | Timeout for transmitting a response to the client                                     |
 | NGINX_SET_REAL_IP_FROM        | 172.0.0.0/8     | Trusted addresses that are known to send correct replacement addresses                |
-| NGINX_SET_REAL_IP_FROM2        | 172.0.0.0/8     | Trusted addresses that are known to send correct replacement addresses                |
+| NGINX_SET_REAL_IP_FROM2       | 172.0.0.0/8     | Trusted addresses that are known to send correct replacement addresses                |
 | NGINX_SET_REAL_IP_FROM3       | 172.0.0.0/8     | Trusted addresses that are known to send correct replacement addresses                |
 | NGINX_WORKER_CONNECTIONS      | 1024            | The maximum number of simultaneous connections that can be opened by a worker process |
 | NGINX_WORKER_PROCESSES        | auto            | Set number of worker processes automatically based on number of CPU cores             |