From 521f632c06dd4226d2017dd5b1478b24662d954b Mon Sep 17 00:00:00 2001
From: 3kami3
Date: Mon, 20 Mar 2017 21:20:27 +0900
Subject: [PATCH] Add $NGINX_REAL_IP_RECURSIVE and $NGINX_REAL_IP_TRUSTED_ADDRESSES

Configuring GitLab trusted_proxies and the NGINX real_ip module.
---
 README.md | 2 ++
 assets/runtime/config/nginx/gitlab | 8 ++++++++
 assets/runtime/config/nginx/gitlab-ssl | 8 ++++++++
 assets/runtime/env-defaults | 2 ++
 assets/runtime/functions | 16 ++++++++++++++++
 5 files changed, 36 insertions(+)

diff --git a/README.md b/README.md
index 4a2b5943..67a62e30 100644
--- a/README.md
+++ b/README.md
@@ -866,6 +866,8 @@ Below is the complete list of available options that can be used to customize yo
 | `NGINX_PROXY_BUFFERING` | Enable `proxy_buffering`. Defaults to `off`. |
 | `NGINX_ACCEL_BUFFERING` | Enable `X-Accel-Buffering` header. Default to `no` |
 | `NGINX_X_FORWARDED_PROTO` | Advanced configuration option for the `proxy_set_header X-Forwarded-Proto` setting in the gitlab nginx vHost configuration. Defaults to `https` when `GITLAB_HTTPS` is `true`, else defaults to `$scheme`. |
+| `NGINX_REAL_IP_RECURSIVE` | set to `on` if docker container runs behind a reverse proxy,you may not want the IP address of the proxy to show up as the client address. `off` by default. |
+| `NGINX_REAL_IP_TRUSTED_ADDRESSES` | You can have NGINX look for a different address to use by adding your reverse proxy to the `NGINX_REAL_IP_TRUSTED_ADDRESSES`. Currently only a single entry is permitted. No defaults. |
 | `REDIS_HOST` | The hostname of the redis server. Defaults to `localhost` |
 | `REDIS_PORT` | The connection port of the redis server. Defaults to `6379`. |
 | `REDIS_DB_NUMBER` | The redis database number. Defaults to '0'. |
diff --git a/assets/runtime/config/nginx/gitlab b/assets/runtime/config/nginx/gitlab
index 6cba103b..ba5f5bcb 100644
--- a/assets/runtime/config/nginx/gitlab
+++ b/assets/runtime/config/nginx/gitlab
@@ -32,6 +32,14 @@ server {
   server_tokens off; ## Don't show the nginx version number, a security best practice
 
   ## See app/controllers/application_controller.rb for headers set
+
+  ## Real IP Module Config
+  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
+  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
+  real_ip_recursive {{NGINX_REAL_IP_RECURSIVE}}; ## If you enable 'on'
+  ## If you have a trusted IP address, uncomment it and set it
+  set_real_ip_from {{NGINX_REAL_IP_TRUSTED_ADDRESSES}}; ## Replace this with something like 192.168.1.0/24
+
   add_header X-Accel-Buffering {{NGINX_ACCEL_BUFFERING}};
   add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};";
diff --git a/assets/runtime/config/nginx/gitlab-ssl b/assets/runtime/config/nginx/gitlab-ssl
index b0730bff..2922df04 100644
--- a/assets/runtime/config/nginx/gitlab-ssl
+++ b/assets/runtime/config/nginx/gitlab-ssl
@@ -62,6 +62,14 @@ server {
   ssl_session_timeout 5m;
 
   ## See app/controllers/application_controller.rb for headers set
+
+  ## Real IP Module Config
+  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
+  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
+  real_ip_recursive {{NGINX_REAL_IP_RECURSIVE}}; ## If you enable 'on'
+  ## If you have a trusted IP address, uncomment it and set it
+  set_real_ip_from {{NGINX_REAL_IP_TRUSTED_ADDRESSES}}; ## Replace this with something like 192.168.1.0/24
+
   add_header X-Accel-Buffering {{NGINX_ACCEL_BUFFERING}};
   add_header Strict-Transport-Security "max-age={{NGINX_HSTS_MAXAGE}};";
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index ec8940b7..de98bfd6 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
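Review bot: `real_ip_recursive {{NGINX_REAL_IP_RECURSIVE}}` has little practical effect when paired with the hard-coded `real_ip_header X-Real-IP;` above it, because recursive lookup only walks a multi-address header such as X-Forwarded-For, while X-Real-IP carries a single address; the two new knobs are therefore effectively one, and `on` only changes the outcome when that single address is itself a trusted one. The comments on the added lines are also misleading: `## If you enable 'on'` says nothing, and `## If you have a trusted IP address, uncomment it and set it` describes a manual edit although the line is an active template placeholder that the entrypoint presumably substitutes or strips at container start. I would replace both with `## Honoured only for connections arriving from a set_real_ip_from address; value substituted (or line removed) by the entrypoint at start`, and either drop `real_ip_recursive` or make the header name configurable so the recursive flag can matter. The enclosing `server` block starts and ends outside the hunk.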
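Review bot: `set_real_ip_from {{NGINX_REAL_IP_TRUSTED_ADDRESSES}}` together with `real_ip_header X-Real-IP;` makes nginx take the client address from a request header whenever the connection comes from the listed address, so the proxy placed there must overwrite X-Real-IP with the peer address it itself saw rather than forward whatever the client sent; otherwise any client behind that proxy can choose the address that ends up in GitLab's logs and IP-based rate limiting. That contract belongs next to the directive, e.g. `## The proxy listed here MUST set X-Real-IP from its own peer address (proxy_set_header X-Real-IP $remote_addr); never list a proxy that passes client-supplied headers through`. Note too that the `192.168.1.0/24` example in the trailing comment trusts every host in that range, not just the proxy, so the README's "single entry" should be as narrow as possible. This hunk is a verbatim copy of the plain-HTTP vhost's; consider generating both from one include so they cannot drift. The enclosing `server` block is outside the hunk.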
@@ -161,6 +161,8 @@ NGINX_SERVER_NAMES_HASH_BUCKET_SIZE=${NGINX_SERVER_NAMES_HASH_BUCKET_SIZE:-32};
 NGINX_WORKERS=${NGINX_WORKERS:-1}
 NGINX_ACCEL_BUFFERING=${NGINX_ACCEL_BUFFERING:-no}
 NGINX_PROXY_BUFFERING=${NGINX_PROXY_BUFFERING:-off}
+NGINX_REAL_IP_RECURSIVE=${NGINX_REAL_IP_RECURSIVE:-off}
+NGINX_REAL_IP_TRUSTED_ADDRESSES=${NGINX_REAL_IP_TRUSTED_ADDRESSES:-}
 case ${GITLAB_HTTPS} in
   true) NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-https} ;;
   *) NGINX_X_FORWARDED_PROTO=${NGINX_X_FORWARDED_PROTO:-\$scheme} ;;
diff --git a/assets/runtime/functions b/assets/runtime/functions
index ac2bab4c..2952211f 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -902,6 +902,21 @@ nginx_configure_gitlab_ipv6() {
   fi
 }
 
+nginx_configure_gitlab_real_ip() {
+  if [[ ${NGINX_REAL_IP_RECURSIVE} == on && \
+        -n ${NGINX_REAL_IP_TRUSTED_ADDRESSES} ]]; then
+    echo "Configuring nginx::gitlab::real_ip..."
+    update_template ${GITLAB_NGINX_CONFIG} \
+      NGINX_REAL_IP_RECURSIVE \
+      NGINX_REAL_IP_TRUSTED_ADDRESSES
+  else
+    NGINX_REAL_IP_RECURSIVE="off"
+    update_template ${GITLAB_NGINX_CONFIG} \
+      NGINX_REAL_IP_RECURSIVE
+    sed -i "/{{NGINX_REAL_IP_TRUSTED_ADDRESSES}}/d" ${GITLAB_NGINX_CONFIG}
+  fi
+}
+
 nginx_configure_gitlab() {
   echo "Configuring nginx::gitlab..."
   update_template ${GITLAB_NGINX_CONFIG} \
@@ -916,6 +931,7 @@ nginx_configure_gitlab() {
   nginx_configure_gitlab_ssl
   nginx_configure_gitlab_hsts
   nginx_configure_gitlab_ipv6
+  nginx_configure_gitlab_real_ip
 }
 
 nginx_configure_gitlab_ci() {
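Review bot: The `if [[ ${NGINX_REAL_IP_RECURSIVE} == on && -n ${NGINX_REAL_IP_TRUSTED_ADDRESSES} ]]` in `nginx_configure_gitlab_real_ip` gates the whole feature on the recursive flag, so an operator who sets `NGINX_REAL_IP_TRUSTED_ADDRESSES` but leaves `NGINX_REAL_IP_RECURSIVE` at its documented default of `off` silently lands in the else branch, where `set_real_ip_from` is deleted and no real-IP handling happens at all, even though the README presents the two variables as independent. The trusted address is the thing that should gate it: `if [[ -n ${NGINX_REAL_IP_TRUSTED_ADDRESSES} ]]; then`, substituting `NGINX_REAL_IP_RECURSIVE` with its env-defaults value in that branch rather than forcing it to `off` only in the other. The else branch leaves `real_ip_header` and `real_ip_recursive` in the vhost with no `set_real_ip_from`, which is safe (nginx ignores the header when no source is trusted) but deserves a one-line comment such as `# no trusted proxy: drop set_real_ip_from so the realip module stays inert`. The commit description speaks of GitLab `trusted_proxies`, yet nothing in this patch touches the GitLab side; what it presumably does is rewrite nginx's `$remote_addr`, which GitLab then sees through the existing proxy headers, and the description should say that.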