From 1c01297783e7c01bfba6ed582ae36427a7b6e1b1 Mon Sep 17 00:00:00 2001 From: Aapo Talvensaari Date: Wed, 12 Jul 2017 14:22:03 +0300 Subject: [PATCH] refactor(conf) add ${{PROXY_PROTOCOL}} template variable --- kong/cmd/utils/prefix_handler.lua | 1 + kong/templates/nginx_kong.lua | 12 +--- spec/01-unit/003-prefix_handler_spec.lua | 10 +++- .../05-proxy/02-upstream_headers_spec.lua | 60 +++++++++---------- spec/fixtures/custom_nginx.template | 12 +--- 5 files changed, 44 insertions(+), 51 deletions(-) diff --git a/kong/cmd/utils/prefix_handler.lua b/kong/cmd/utils/prefix_handler.lua index 5ed823c3462b..a6d0b581bcfc 100644 --- a/kong/cmd/utils/prefix_handler.lua +++ b/kong/cmd/utils/prefix_handler.lua @@ -111,6 +111,7 @@ local function compile_conf(kong_config, conf_template) compile_env.http2 = kong_config.http2 and " http2" or "" compile_env.admin_http2 = kong_config.admin_http2 and " http2" or "" + compile_env.proxy_protocol = kong_config.real_ip_header == "proxy_protocol" and " proxy_protocol" or "" local post_template = pl_template.substitute(conf_template, compile_env) return string.gsub(post_template, "(${%b{}})", function(w) diff --git a/kong/templates/nginx_kong.lua b/kong/templates/nginx_kong.lua index fcaf0992773d..b831a785640d 100644 --- a/kong/templates/nginx_kong.lua +++ b/kong/templates/nginx_kong.lua @@ -65,11 +65,7 @@ upstream kong_upstream { server { server_name kong; -> if real_ip_header == "proxy_protocol" then - listen ${{PROXY_LISTEN}} proxy_protocol; -> else - listen ${{PROXY_LISTEN}}; -> end + listen ${{PROXY_LISTEN}}${{PROXY_PROTOCOL}}; error_page 400 404 408 411 412 413 414 417 /kong_error_handler; error_page 500 502 503 504 /kong_error_handler; @@ -79,11 +75,7 @@ server { client_body_buffer_size ${{CLIENT_BODY_BUFFER_SIZE}}; > if ssl then -> if real_ip_header == "proxy_protocol" then - listen ${{PROXY_LISTEN_SSL}} proxy_protocol ssl${{HTTP2}}; -> else - listen ${{PROXY_LISTEN_SSL}} ssl${{HTTP2}}; -> end + listen ${{PROXY_LISTEN_SSL}} ssl${{HTTP2}}${{PROXY_PROTOCOL}}; ssl_certificate ${{SSL_CERT}}; ssl_certificate_key ${{SSL_CERT_KEY}}; ssl_protocols TLSv1.1 TLSv1.2; diff --git a/spec/01-unit/003-prefix_handler_spec.lua b/spec/01-unit/003-prefix_handler_spec.lua index 1dcc107f26ad..2efb0be16903 100644 --- a/spec/01-unit/003-prefix_handler_spec.lua +++ b/spec/01-unit/003-prefix_handler_spec.lua @@ -107,6 +107,14 @@ describe("NGINX conf compiler", function() assert.matches("listen 0.0.0.0:9001;", kong_nginx_conf, nil, true) assert.matches("listen 0.0.0.0:8444 ssl http2;", kong_nginx_conf, nil, true) end) + it("enables proxy_protocol", function() + local conf = assert(conf_loader(helpers.test_conf_path, { + real_ip_header = "proxy_protocol", + })) + local kong_nginx_conf = prefix_handler.compile_kong_conf(conf) + assert.matches("listen 0.0.0.0:9000 proxy_protocol;", kong_nginx_conf, nil, true) + assert.matches("listen 0.0.0.0:9443 ssl proxy_protocol;", kong_nginx_conf, nil, true) + end) it("disables SSL", function() local conf = assert(conf_loader(helpers.test_conf_path, { ssl = false, @@ -279,7 +287,7 @@ describe("NGINX conf compiler", function() local nginx_conf = prefix_handler.compile_kong_conf(conf) assert.matches("real_ip_header%s+proxy_protocol", nginx_conf) assert.matches("listen 0.0.0.0:8000 proxy_protocol;", nginx_conf) - assert.matches("listen 0.0.0.0:8443 proxy_protocol ssl;", nginx_conf) + assert.matches("listen 0.0.0.0:8443 ssl proxy_protocol;", nginx_conf) end) end) end) diff --git a/spec/02-integration/05-proxy/02-upstream_headers_spec.lua b/spec/02-integration/05-proxy/02-upstream_headers_spec.lua index 0005d0342bd2..d05f633dbda6 100644 --- a/spec/02-integration/05-proxy/02-upstream_headers_spec.lua +++ b/spec/02-integration/05-proxy/02-upstream_headers_spec.lua @@ -622,12 +622,12 @@ describe("Upstream header(s)", function() it("should be changed according to rules if present in request", function() local sock = ngx.socket.tcp() local request = "PROXY TCP4 192.168.0.1 " .. helpers.test_conf.proxy_ip .. " 56324 " .. helpers.test_conf.proxy_port .. "\r\n" .. - "GET / HTTP/1.1\r\n" .. - "Host: headers-inspect.com\r\n" .. - "Connection: close\r\n" .. - "X-Real-IP: 10.0.0.2\r\n" .. - "X-Forwarded-For: 10.0.0.1, 127.0.0.2, 10.0.0.1, 192.168.0.1, 172.16.0.1\r\n" .. - "\r\n" + "GET / HTTP/1.1\r\n" .. + "Host: headers-inspect.com\r\n" .. + "Connection: close\r\n" .. + "X-Real-IP: 10.0.0.2\r\n" .. + "X-Forwarded-For: 10.0.0.1, 127.0.0.2, 10.0.0.1, 192.168.0.1, 172.16.0.1\r\n" .. + "\r\n" assert(sock:connect(helpers.test_conf.proxy_ip, helpers.test_conf.proxy_port)) assert(sock:send(request)) @@ -652,13 +652,13 @@ describe("Upstream header(s)", function() it("should be forwarded even if proxy protocol and X-Forwarded-For header has a port in it", function() local sock = ngx.socket.tcp() local request = "PROXY TCP4 192.168.0.1 " .. helpers.test_conf.proxy_ip .. " 56324 " .. helpers.test_conf.proxy_port .. "\r\n" .. - "GET / HTTP/1.1\r\n" .. - "Host: headers-inspect.com\r\n" .. - "Connection: close\r\n" .. - "X-Real-IP: 10.0.0.2\r\n" .. - "X-Forwarded-For: 127.0.0.1:14, 10.0.0.1:15, 192.168.0.1:16, 127.0.0.1:17, 172.16.0.1:18\r\n" .. - "X-Forwarded-Port: 14\r\n" .. - "\r\n" + "GET / HTTP/1.1\r\n" .. + "Host: headers-inspect.com\r\n" .. + "Connection: close\r\n" .. + "X-Real-IP: 10.0.0.2\r\n" .. + "X-Forwarded-For: 127.0.0.1:14, 10.0.0.1:15, 192.168.0.1:16, 127.0.0.1:17, 172.16.0.1:18\r\n" .. + "X-Forwarded-Port: 14\r\n" .. + "\r\n" assert(sock:connect(helpers.test_conf.proxy_ip, helpers.test_conf.proxy_port)) assert(sock:send(request)) @@ -697,10 +697,10 @@ describe("Upstream header(s)", function() it("should be added if not present in request", function() local sock = ngx.socket.tcp() local request = "PROXY TCP4 192.168.0.1 " .. helpers.test_conf.proxy_ip .. " 56324 " .. helpers.test_conf.proxy_port .. "\r\n" .. - "GET / HTTP/1.1\r\n" .. - "Host: headers-inspect.com\r\n" .. - "Connection: close\r\n" .. - "\r\n" + "GET / HTTP/1.1\r\n" .. + "Host: headers-inspect.com\r\n" .. + "Connection: close\r\n" .. + "\r\n" assert(sock:connect(helpers.test_conf.proxy_ip, helpers.test_conf.proxy_port)) assert(sock:send(request)) @@ -724,12 +724,12 @@ describe("Upstream header(s)", function() it("should be changed according to rules if present in request", function() local sock = ngx.socket.tcp() local request = "PROXY TCP4 192.168.0.1 " .. helpers.test_conf.proxy_ip .. " 56324 " .. helpers.test_conf.proxy_port .. "\r\n" .. - "GET / HTTP/1.1\r\n" .. - "Host: headers-inspect.com\r\n" .. - "Connection: close\r\n" .. - "X-Real-IP: 10.0.0.2\r\n" .. - "X-Forwarded-For: 10.0.0.1, 127.0.0.2, 10.0.0.1, 192.168.0.1, 172.16.0.1\r\n" .. - "\r\n" + "GET / HTTP/1.1\r\n" .. + "Host: headers-inspect.com\r\n" .. + "Connection: close\r\n" .. + "X-Real-IP: 10.0.0.2\r\n" .. + "X-Forwarded-For: 10.0.0.1, 127.0.0.2, 10.0.0.1, 192.168.0.1, 172.16.0.1\r\n" .. + "\r\n" assert(sock:connect(helpers.test_conf.proxy_ip, helpers.test_conf.proxy_port)) assert(sock:send(request)) @@ -754,13 +754,13 @@ describe("Upstream header(s)", function() it("should be replaced even if proxy protocol, X-Forwarded-Port and X-Forwarded-For headers have a port in it", function() local sock = ngx.socket.tcp() local request = "PROXY TCP4 192.168.0.1 " .. helpers.test_conf.proxy_ip .. " 56324 " .. helpers.test_conf.proxy_port .. "\r\n" .. - "GET / HTTP/1.1\r\n" .. - "Host: headers-inspect.com\r\n" .. - "Connection: close\r\n" .. - "X-Real-IP: 10.0.0.2\r\n" .. - "X-Forwarded-For: 127.0.0.1:14, 10.0.0.1:15, 192.168.0.1:16, 127.0.0.1:17, 172.16.0.1:18\r\n" .. - "X-Forwarded-Port: 14\r\n" .. - "\r\n" + "GET / HTTP/1.1\r\n" .. + "Host: headers-inspect.com\r\n" .. + "Connection: close\r\n" .. + "X-Real-IP: 10.0.0.2\r\n" .. + "X-Forwarded-For: 127.0.0.1:14, 10.0.0.1:15, 192.168.0.1:16, 127.0.0.1:17, 172.16.0.1:18\r\n" .. + "X-Forwarded-Port: 14\r\n" .. + "\r\n" assert(sock:connect(helpers.test_conf.proxy_ip, helpers.test_conf.proxy_port)) assert(sock:send(request)) diff --git a/spec/fixtures/custom_nginx.template b/spec/fixtures/custom_nginx.template index 5e4403080adb..16d9218a73db 100644 --- a/spec/fixtures/custom_nginx.template +++ b/spec/fixtures/custom_nginx.template @@ -77,11 +77,7 @@ http { server { server_name kong; -> if real_ip_header == "proxy_protocol" then - listen ${{PROXY_LISTEN}} proxy_protocol; -> else - listen ${{PROXY_LISTEN}}; -> end + listen ${{PROXY_LISTEN}}${{PROXY_PROTOCOL}}; error_page 400 404 408 411 412 413 414 417 /kong_error_handler; error_page 500 502 503 504 /kong_error_handler; @@ -90,11 +86,7 @@ http { client_body_buffer_size ${{CLIENT_BODY_BUFFER_SIZE}}; > if ssl then -> if real_ip_header == "proxy_protocol" then - listen ${{PROXY_LISTEN_SSL}} proxy_protocol ssl; -> else - listen ${{PROXY_LISTEN_SSL}} ssl; -> end + listen ${{PROXY_LISTEN_SSL}} ssl${{PROXY_PROTOCOL}}; ssl_certificate ${{SSL_CERT}}; ssl_certificate_key ${{SSL_CERT_KEY}}; ssl_protocols TLSv1.1 TLSv1.2;