From 85e6d308449607ea6230970bc1367e6009f674e6 Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Wed, 21 Jun 2017 00:38:54 -0400
Subject: [PATCH] Improve variable configuration for source IP address
---
 controllers/nginx/configuration.md | 2 +-
 controllers/nginx/pkg/config/config.go | 4 ++--
 controllers/nginx/pkg/config/config_test.go | 4 ++--
 .../rootfs/etc/nginx/template/nginx.tmpl | 20 ++++++++++---------
 4 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/controllers/nginx/configuration.md b/controllers/nginx/configuration.md
index 48be84daeb..c870113779 100644
--- a/controllers/nginx/configuration.md
+++ b/controllers/nginx/configuration.md
@@ -462,7 +462,7 @@ The following table shows the options, the default value and a description.
 |ignore-invalid-headers|"true"|
 |keep-alive|"75"|
 |log-format-stream|[$time_local] $protocol $status $bytes_sent $bytes_received $session_time|
-|log-format-upstream|[$the_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status|
+|log-format-upstream|[$the_real_ip] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status|
 |map-hash-bucket-size|"64"|
 |max-worker-connections|"16384"|
 |proxy-body-size|same as body-size|
diff --git a/controllers/nginx/pkg/config/config.go b/controllers/nginx/pkg/config/config.go
index f555df7fbf..6af823b10b 100644
--- a/controllers/nginx/pkg/config/config.go
+++ b/controllers/nginx/pkg/config/config.go
@@ -48,7 +48,7 @@ const (
 gzipTypes = "application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component"
- logFormatUpstream = `%v - [$the_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status`
+ logFormatUpstream = `%v - [$the_real_ip] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status`
 logFormatStream = `[$time_local] $protocol $status $bytes_sent $bytes_received $session_time`
@@ -365,7 +365,7 @@ func NewDefault() Configuration {
 // is enabled.
 func (cfg Configuration) BuildLogFormatUpstream() string {
 if cfg.LogFormatUpstream == logFormatUpstream {
- return fmt.Sprintf(cfg.LogFormatUpstream, "$the_x_forwarded_for")
+ return fmt.Sprintf(cfg.LogFormatUpstream, "$the_real_ip")
 }
 return cfg.LogFormatUpstream
diff --git a/controllers/nginx/pkg/config/config_test.go b/controllers/nginx/pkg/config/config_test.go
index f0a511c8e5..2c730d71e0 100644
--- a/controllers/nginx/pkg/config/config_test.go
+++ b/controllers/nginx/pkg/config/config_test.go
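Review bot: With the argument now fixed to `"$the_real_ip"` in `BuildLogFormatUpstream`, the `%v` in `logFormatUpstream` and the bracketed field beside it expand to the same variable, so the default line starts `$the_real_ip - [$the_real_ip]` while configuration.md in this commit documents it as starting `[$the_real_ip]`. If the doubled field is not kept for log-parser compatibility, the `%v - ` prefix and the `fmt.Sprintf` call can go; otherwise the documented default should show the real output. The function's doc comment begins outside the hunk, and its visible tail `// is enabled.` reads like a condition the body no longer has, so consider rewording it to `// BuildLogFormatUpstream returns the default upstream log format with $the_real_ip as the client address, or the user-supplied format unchanged.`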
@@ -28,8 +28,8 @@ func TestBuildLogFormatUpstream(t *testing.T) {
 curLogFormat string
 expected string
 }{
- {true, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$the_x_forwarded_for")},
- {false, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$the_x_forwarded_for")},
+ {true, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$the_real_ip")},
+ {false, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$the_real_ip")},
 {true, "my-log-format", "my-log-format"},
 {false, "john-log-format", "john-log-format"},
 }
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index 419e27f0d5..99bc207656 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -135,15 +135,17 @@ http {
 '' $server_port;
 }
- map $pass_access_scheme $the_x_forwarded_for {
- default $remote_addr;
- https $proxy_protocol_addr;
+ {{ if $cfg.UseProxyProtocol }}
+ map $http_x_forwarded_for $the_real_ip {
+ default $http_x_forwarded_for;
+ '' $proxy_protocol_addr;
 }
-
- map $pass_access_scheme $the_real_ip {
- default $remote_addr;
- https $proxy_protocol_addr;
+ {{ else }}
+ map $http_x_forwarded_for $the_real_ip {
+ default $http_x_forwarded_for;
+ '' $remote_addr;
 }
+ {{ end }}
 # map port 442 to 443 for header X-Forwarded-Port
 map $pass_server_port $pass_port {
@@ -394,7 +396,7 @@ http {
 proxy_set_header Connection $connection_upgrade;
 proxy_set_header X-Real-IP $the_real_ip;
- proxy_set_header X-Forwarded-For $the_x_forwarded_for;
+ proxy_set_header X-Forwarded-For $the_real_ip;
 proxy_set_header X-Forwarded-Host $best_http_host;
 proxy_set_header X-Forwarded-Port $pass_port;
 proxy_set_header X-Forwarded-Proto $pass_access_scheme;
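Review bot: Both new `map $http_x_forwarded_for $the_real_ip` blocks copy the client-supplied X-Forwarded-For header verbatim whenever it is non-empty, so `$the_real_ip` stops being an address the controller observed and becomes a value the requester chooses. That value now feeds `X-Real-IP`, the default access-log field and, in the `@@ -394` hunk, `X-Forwarded-For`, and a header that already lists several hops puts a comma-separated list into `X-Real-IP`. The header should be honoured only for connections from known proxies, which the realip module expresses as `set_real_ip_from <trusted-proxy-cidr>;` plus `real_ip_header X-Forwarded-For;` (placeholder CIDR), leaving `$remote_addr` as the vetted address; everything else should keep the `$remote_addr` / `$proxy_protocol_addr` fallback the removed maps used. For the upstream header, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends the peer address rather than replaying the client's value. The enclosing `http` block starts and ends outside both hunks.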
@@ -564,7 +566,7 @@ stream {
 server {
 listen {{ $udpServer.Port }} udp;
- {{ if $IsIPV6Enabled }}listen [::]:{{ $udpServer.Port }} udp;{{ end }}
+ {{ if $IsIPV6Enabled }}listen [::]:{{ $udpServer.Port }} udp;{{ end }}
 proxy_responses 1;
 proxy_pass udp-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }};
 }