Merge pull request #1137 from 3kami3/real_ip

Add $NGINX_REAL_IP_RECURSIVE and $NGINX_REAL_IP_TRUSTED_ADDRESSES

README.md

@@ -896,6 +896,8 @@ Below is the complete list of available options that can be used to customize yo
 | `NGINX_PROXY_BUFFERING` | Enable `proxy_buffering`. Defaults to `off`. |
 | `NGINX_ACCEL_BUFFERING` | Enable `X-Accel-Buffering` header. Default to `no` |
 | `NGINX_X_FORWARDED_PROTO` | Advanced configuration option for the `proxy_set_header X-Forwarded-Proto` setting in the gitlab nginx vHost configuration. Defaults to `https` when `GITLAB_HTTPS` is `true`, else defaults to `$scheme`. |
+| `NGINX_REAL_IP_RECURSIVE` | set to `on` if docker container runs behind a reverse proxy,you may not want the IP address of the proxy to show up as the client address. `off` by default. |
+| `NGINX_REAL_IP_TRUSTED_ADDRESSES` | You can have NGINX look for a different address to use by adding your reverse proxy to the `NGINX_REAL_IP_TRUSTED_ADDRESSES`. Currently only a single entry is permitted. No defaults. |
 | `REDIS_HOST` | The hostname of the redis server. Defaults to `localhost` |
 | `REDIS_PORT` | The connection port of the redis server. Defaults to `6379`. |
 | `REDIS_DB_NUMBER` | The redis database number. Defaults to '0'. |

assets/runtime/config/nginx/gitlab

@@ -37,6 +37,14 @@ server {
   server_tokens off; ## Don't show the nginx version number, a security best practice
 
   ## See app/controllers/application_controller.rb for headers set
+
+  ## Real IP Module Config
+  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
+  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
+  real_ip_recursive {{NGINX_REAL_IP_RECURSIVE}};    ## If you enable 'on'
+  ## If you have a trusted IP address, uncomment it and set it
+  set_real_ip_from {{NGINX_REAL_IP_TRUSTED_ADDRESSES}}; ## Replace this with something like 192.168.1.0/24
+
   add_header X-Accel-Buffering {{NGINX_ACCEL_BUFFERING}};
   add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};";
 

assets/runtime/config/nginx/gitlab-ssl

@@ -67,6 +67,14 @@ server {
   ssl_session_timeout 5m;
 
   ## See app/controllers/application_controller.rb for headers set
+
+  ## Real IP Module Config
+  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
+  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
+  real_ip_recursive {{NGINX_REAL_IP_RECURSIVE}};    ## If you enable 'on'
+  ## If you have a trusted IP address, uncomment it and set it
+  set_real_ip_from {{NGINX_REAL_IP_TRUSTED_ADDRESSES}}; ## Replace this with something like 192.168.1.0/24
+
   add_header X-Accel-Buffering {{NGINX_ACCEL_BUFFERING}};
   add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};";
 

assets/runtime/env-defaults

@@ -182,6 +182,8 @@ NGINX_SERVER_NAMES_HASH_BUCKET_SIZE=${NGINX_SERVER_NAMES_HASH_BUCKET_SIZE:-32};
 NGINX_WORKERS=${NGINX_WORKERS:-1}
 NGINX_ACCEL_BUFFERING=${NGINX_ACCEL_BUFFERING:-no}
 NGINX_PROXY_BUFFERING=${NGINX_PROXY_BUFFERING:-off}
+NGINX_REAL_IP_RECURSIVE=${NGINX_REAL_IP_RECURSIVE:-off}
+NGINX_REAL_IP_TRUSTED_ADDRESSES=${NGINX_REAL_IP_TRUSTED_ADDRESSES:-}
 case ${GITLAB_HTTPS} in
   true) NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-https} ;;
   *)    NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-\$scheme} ;;

assets/runtime/functions

@@ -1034,6 +1034,21 @@ nginx_configure_gitlab_hsts() {
    fi
  }
 
+nginx_configure_gitlab_real_ip() {
+  if [[ ${NGINX_REAL_IP_RECURSIVE} == on && \
+     -n ${NGINX_REAL_IP_TRUSTED_ADDRESSES} ]]; then
+    echo "Configuring nginx::gitlab::real_ip..."
+    update_template ${GITLAB_NGINX_CONFIG} \
+      NGINX_REAL_IP_RECURSIVE \
+      NGINX_REAL_IP_TRUSTED_ADDRESSES
+  else
+    NGINX_REAL_IP_RECURSIVE="off"
+    update_template ${GITLAB_NGINX_CONFIG} \
+      NGINX_REAL_IP_RECURSIVE
+    sed -i "/{{NGINX_REAL_IP_TRUSTED_ADDRESSES}}/d" ${GITLAB_NGINX_CONFIG}
+  fi
+}
+
 nginx_configure_gitlab() {
   echo "Configuring nginx::gitlab..."
   update_template ${GITLAB_NGINX_CONFIG} \
@@ -1048,6 +1063,7 @@ nginx_configure_gitlab() {
   nginx_configure_gitlab_ssl
   nginx_configure_gitlab_hsts
   nginx_configure_gitlab_ipv6
+  nginx_configure_gitlab_real_ip
 }
 
 nginx_configure_gitlab_ci() {