feat: Add configurable real IP forwarding for bare-metal clusters
Implement a new nginx.forwardRealIP configuration flag to enable/disable real client IP extraction from X-Forwarded-For headers on bare-metal clusters.

Changes:
- Added nginx.forwardRealIP.enabled flag (default: false) to values.yaml
- Added nginx.forwardRealIP.trustedProxies list for flexible proxy IP ranges
- Updated Nginx configmap to conditionally apply real IP extraction settings
- Updated FastCGI parameters to use real IP when enabled, direct connection IP otherwise
- Updated WordPress wp-config.php to conditionally extract real IPs from headers

Configuration:
- When enabled: Extracts real client IP from X-Forwarded-For header
- When disabled: Uses direct connection IP (default Nginx behavior)
- Supports custom proxy IP ranges for CloudFlare, AWS ALB, etc.

This allows Helmchart to work seamlessly on both:
1. Bare-metal clusters with iptables load balancing
2. Cloud-managed clusters with proper IP forwarding

Version bumped to 6.9.0-a (WordPress version with implementation suffix)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
@@ -68,12 +68,16 @@ spec:
|
||||
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
|
||||
$_SERVER['HTTPS'] = 'on';
|
||||
}
|
||||
|
||||
// Add Trusted Proxy (WordPress 5.9+)
|
||||
|
||||
{{- if .Values.nginx.forwardRealIP.enabled }}
|
||||
// Add Trusted Proxy - Extract Real Client IP from X-Forwarded-For header
|
||||
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
|
||||
$forwarded_ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
|
||||
$_SERVER['REMOTE_ADDR'] = trim($forwarded_ips[0]);
|
||||
} elseif (isset($_SERVER['HTTP_X_REAL_IP'])) {
|
||||
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];
|
||||
}
|
||||
{{- end }}
|
||||
|
||||
$protocol = 'http';
|
||||
if ( isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' ) {
|
||||
|
||||
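Review bot: The new block under `{{- if .Values.nginx.forwardRealIP.enabled }}` overwrites `$_SERVER['REMOTE_ADDR']` with the leftmost X-Forwarded-For entry (`trim($forwarded_ips[0])`) without checking that the request actually arrived from one of the addresses in nginx.forwardRealIP.trustedProxies. The leftmost entry is whatever the client sent, so any visitor can set the address that WordPress and its plugins use for logging, rate limiting and IP allow/deny decisions. The `elseif` branch has the same problem for X-Real-IP whenever the header reaches PHP unmodified. Since the commit message says the Nginx configmap and FastCGI parameters already apply real IP extraction when the flag is on, the simplest change is to drop this PHP override and rely on the REMOTE_ADDR that Nginx passes, so the trusted-proxy list is enforced in one place. If the override has to stay, render trustedProxies into wp-config.php, rewrite REMOTE_ADDR only when the direct peer matches that list, pick the rightmost entry that is not a trusted proxy rather than index 0, and reject values that fail `filter_var($ip, FILTER_VALIDATE_IP)`.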