feat(proxy) support for the PROXY protocol

When `real_ip_header = proxy_protocol`, we enable the PROXY protocol support on the Nginx side, by appending the `proxy_procotol` option to the `listen` directive of the proxy server. Implement Kong#2240
qingbusheng · Apr 15, 2017 · fd7b477 · fd7b477
1 parent 1a1649c
commit fd7b477
Show file tree

Hide file tree

Showing 5 changed files with 376 additions and 144 deletions.
diff --git a/kong.conf.default b/kong.conf.default
@@ -147,21 +147,35 @@
                                  #
                                  # If the special value `unix:` is specified,
                                  # all UNIX-domain sockets will be trusted.
-# Note: See http://nginx.org/en/docs/http/ngx_http_realip_module.html for
+# Note:
+#
+# See http://nginx.org/en/docs/http/ngx_http_realip_module.html for
 # examples of accepted values.
 
 #real_ip_header = X-Real-IP      # Defines the request header field whose value
                                  # will be used to replace the client address.
                                  # This value sets the ngx_http_realip_module
                                  # directive of the same name in the Nginx
                                  # configuration.
-# Note: See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
+                                 #
+                                 # If this value receives `proxy_protocol`, the
+                                 # `proxy_protocol` parameter will be appended
+                                 # to the `listen` directive of the Nginx
+                                 # template.
+# Note:
+#
+# See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
 # for a description of this directive.
+#
+# See https://www.nginx.com/resources/admin-guide/proxy-protocol/ for more
+# details about the `proxy_protocol` parameter.
 
 #real_ip_recursive = off         # This value sets the ngx_http_realip_module
                                  # directive of the same name in the Nginx
                                  # configuration.
-# Note: See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
+# Note:
+#
+# See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
 # for a description of this directive.
 
 #------------------------------------------------------------------------------

diff --git a/kong/templates/nginx_kong.lua b/kong/templates/nginx_kong.lua
@@ -62,14 +62,22 @@ upstream kong_upstream {
 
 server {
     server_name kong;
+> if real_ip_header == "proxy_protocol" then
+    listen ${{PROXY_LISTEN}} proxy_protocol;
+> else
     listen ${{PROXY_LISTEN}};
+> end
     error_page 404 408 411 412 413 414 417 /kong_error_handler;
     error_page 500 502 503 504 /kong_error_handler;
 
     access_log logs/access.log;
 
 > if ssl then
+> if real_ip_header == "proxy_protocol" then
+    listen ${{PROXY_LISTEN_SSL}} proxy_protocol ssl;
+> else
     listen ${{PROXY_LISTEN_SSL}} ssl;
+> end
     ssl_certificate ${{SSL_CERT}};
     ssl_certificate_key ${{SSL_CERT_KEY}};
     ssl_protocols TLSv1.1 TLSv1.2;

diff --git a/spec/01-unit/03-prefix_handler_spec.lua b/spec/01-unit/03-prefix_handler_spec.lua
@@ -185,6 +185,15 @@ describe("NGINX conf compiler", function()
         assert.matches("set_real_ip_from%s+192.168.1.0",    nginx_conf)
         assert.matches("set_real_ip_from%s+2001:0db8::/32", nginx_conf)
       end)
+      it("proxy_protocol", function()
+        local conf = assert(conf_loader(nil, {
+          real_ip_header = "proxy_protocol"
+        }))
+        local nginx_conf = prefix_handler.compile_kong_conf(conf)
+        assert.matches("real_ip_header%s+proxy_protocol", nginx_conf)
+        assert.matches("listen 0.0.0.0:8000 proxy_protocol;", nginx_conf)
+        assert.matches("listen 0.0.0.0:8443 proxy_protocol ssl;", nginx_conf)
+      end)
     end)
   end)