feat: Add configurable real IP forwarding for bare-metal clusters

Implement a new nginx.forwardRealIP configuration flag to enable/disable
real client IP extraction from X-Forwarded-For headers on bare-metal clusters.

Changes:
- Added nginx.forwardRealIP.enabled flag (default: false) to values.yaml
- Added nginx.forwardRealIP.trustedProxies list for flexible proxy IP ranges
- Updated Nginx configmap to conditionally apply real IP extraction settings
- Updated FastCGI parameters to use real IP when enabled, direct connection IP otherwise
- Updated WordPress wp-config.php to conditionally extract real IPs from headers

Configuration:
- When enabled: Extracts real client IP from X-Forwarded-For header
- When disabled: Uses direct connection IP (default Nginx behavior)
- Supports custom proxy IP ranges for CloudFlare, AWS ALB, etc.

This allows the Helm chart to work seamlessly on both:
1. Bare-metal clusters with iptables load balancing
2. Cloud-managed clusters with proper IP forwarding

Version bumped to 6.9.0-a (WordPress version with implementation suffix)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
2026-02-10 14:10:14 +09:00
parent 2f4a6092e8
commit 31935a5c68
4 changed files with 39 additions and 30 deletions


@@ -2,7 +2,7 @@ apiVersion: v2
name: wordpress-nginx name: wordpress-nginx
description: WordPress with Nginx and PHP-FPM on Kubernetes description: WordPress with Nginx and PHP-FPM on Kubernetes
type: application type: application
version: 6.9.3 version: 6.9.3-a
appVersion: "6.9.0" appVersion: "6.9.0"
keywords: keywords:
- wordpress - wordpress


@@ -10,11 +10,13 @@ data:
server 127.0.0.1:9000; server 127.0.0.1:9000;
} }
{{- if .Values.nginx.forwardRealIP.enabled }}
# 実IPアドレスの抽出X-Forwarded-Forから最初のIPを取得 # 実IPアドレスの抽出X-Forwarded-Forから最初のIPを取得
map $http_x_forwarded_for $real_ip { map $http_x_forwarded_for $real_ip {
~^(\d+\.\d+\.\d+\.\d+) $1; ~^(\d+\.\d+\.\d+\.\d+) $1;
default $remote_addr; default $remote_addr;
} }
{{- end }}
# HTTPSプロトコルの判定 # HTTPSプロトコルの判定
map $http_x_forwarded_proto $fastcgi_https { map $http_x_forwarded_proto $fastcgi_https {
@@ -34,12 +36,14 @@ data:
client_max_body_size 64M; client_max_body_size 64M;
{{- if .Values.nginx.forwardRealIP.enabled }}
# 信頼できるプロキシからのX-Forwarded-Forヘッダーを使用 # 信頼できるプロキシからのX-Forwarded-Forヘッダーを使用
real_ip_header X-Forwarded-For; real_ip_header X-Forwarded-For;
set_real_ip_from 10.0.0.0/8; {{- range .Values.nginx.forwardRealIP.trustedProxies }}
set_real_ip_from 172.16.0.0/12; set_real_ip_from {{ . }};
set_real_ip_from 192.168.0.0/16; {{- end }}
real_ip_recursive on; real_ip_recursive on;
{{- end }}
location = /favicon.ico { location = /favicon.ico {
log_not_found off; log_not_found off;
@@ -78,11 +82,18 @@ data:
# HTTPS対応重要: WordPressのis_ssl()判定に必要) # HTTPS対応重要: WordPressのis_ssl()判定に必要)
fastcgi_param HTTPS $fastcgi_https if_not_empty; fastcgi_param HTTPS $fastcgi_https if_not_empty;
# プロキシ経由のリクエスト情報をPHPに伝える {{- if .Values.nginx.forwardRealIP.enabled }}
# プロキシ経由のリクエスト情報をPHPに伝えるリアルIP取得有効時
fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto; fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
fastcgi_param HTTP_X_FORWARDED_FOR $http_x_forwarded_for; fastcgi_param HTTP_X_FORWARDED_FOR $http_x_forwarded_for;
fastcgi_param HTTP_X_REAL_IP $real_ip; fastcgi_param HTTP_X_REAL_IP $real_ip;
fastcgi_param REMOTE_ADDR $real_ip; fastcgi_param REMOTE_ADDR $real_ip;
{{- else }}
# プロキシ経由のリクエスト情報をPHPに伝えるリアルIP取得無効時
fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
fastcgi_param HTTP_X_FORWARDED_FOR $http_x_forwarded_for;
fastcgi_param REMOTE_ADDR $remote_addr;
{{- end }}
# タイムアウト設定 # タイムアウト設定
fastcgi_read_timeout 300; fastcgi_read_timeout 300;
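Review bot: `fastcgi_param REMOTE_ADDR $real_ip;` and `fastcgi_param HTTP_X_REAL_IP $real_ip;` in the third hunk hand PHP the leftmost X-Forwarded-For entry produced by the new `map $http_x_forwarded_for $real_ip` in the first hunk, and that leftmost entry is the one value any client can write itself, so `trustedProxies` and `real_ip_recursive on` never influence what REMOTE_ADDR becomes. The real_ip module configured in the second hunk already rewrites `$remote_addr` to the nearest address that is not inside a `set_real_ip_from` range, so the trusted value is `$remote_addr` and the map bypasses the very check this commit adds. I would change the two lines to `fastcgi_param REMOTE_ADDR $remote_addr;` and `fastcgi_param HTTP_X_REAL_IP $remote_addr;` and drop the map block. The IPv4-only regex in that map also makes IPv6 clients silently fall back to `$remote_addr`, a second reason to let the real_ip module do the work. The enclosing server block starts and ends outside each hunk.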


@@ -69,11 +69,15 @@ spec:
$_SERVER['HTTPS'] = 'on'; $_SERVER['HTTPS'] = 'on';
} }
// Add Trusted Proxy (WordPress 5.9+) {{- if .Values.nginx.forwardRealIP.enabled }}
// Add Trusted Proxy - Extract Real Client IP from X-Forwarded-For header
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$forwarded_ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']); $forwarded_ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
$_SERVER['REMOTE_ADDR'] = trim($forwarded_ips[0]); $_SERVER['REMOTE_ADDR'] = trim($forwarded_ips[0]);
} elseif (isset($_SERVER['HTTP_X_REAL_IP'])) {
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];
} }
{{- end }}
$protocol = 'http'; $protocol = 'http';
if ( isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' ) { if ( isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' ) {
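Review bot: The new block overwrites `$_SERVER['REMOTE_ADDR']` with the first comma-separated entry of `HTTP_X_FORWARDED_FOR`, and the nginx change in this same commit still forwards that header raw (`fastcgi_param HTTP_X_FORWARDED_FOR $http_x_forwarded_for;`), so whatever address nginx resolved for REMOTE_ADDR is replaced by a client-writable one before WordPress sees it. With forwardRealIP enabled nginx already delivers its resolved address in REMOTE_ADDR, so the PHP side should not reassign it from the header; if a guard must stay, keep only the `HTTP_X_REAL_IP` branch, which nginx sets server-side (and which is only as trustworthy as the nginx-side value it is derived from), and replace the XFF branch with the comment `// REMOTE_ADDR is already resolved by nginx; do not overwrite it from X-Forwarded-For`. The surrounding wp-config.php text begins and ends outside the hunk.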


@@ -45,26 +45,20 @@ wordpress:
# google.com, pub-0000000000000000, DIRECT, f08c47fec0942fa0 # google.com, pub-0000000000000000, DIRECT, f08c47fec0942fa0
nginx: nginx:
# ベアメタルクラスター等でリアルIPを取得する設定
# ローカルIPベアメタル等から訪問者のリアルIPを取得する場合に有効にします
forwardRealIP:
enabled: false
# 信頼できるプロキシのIPレンジを追加してください
trustedProxies:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
# CloudflareやAWS ALB等を使っている場合は以下のIPレンジも追加してください
# - 173.245.48.0/20
# - 103.21.244.0/22
extraConfig: | extraConfig: |
# リアルIPの取得設定
real_ip_header X-Forwarded-For;
real_ip_recursive on;
# Kubernetesクラスタ内のIPレンジを信頼
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
# CloudflareやAWS ALB等を使っている場合は追加
# set_real_ip_from 173.245.48.0/20;
# set_real_ip_from 103.21.244.0/22;
# ... (Cloudflareの他のIPレンジ)
# FastCGIパラメータにリアルIPを渡す
fastcgiParams:
REMOTE_ADDR: $remote_addr
HTTP_X_REAL_IP: $realip_remote_addr
HTTP_X_FORWARDED_FOR: $proxy_add_x_forwarded_for
# Service設定 # Service設定
service: service:
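Review bot: The default `trustedProxies` list covers all of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, so as soon as `enabled: true` is set, every pod and node in a cluster using those ranges counts as a trusted proxy and nginx will honour an X-Forwarded-For that any of them writes. The comment above the list only tells operators to add ranges; it should tell them to replace the defaults with the actual source addresses of the load balancer or ingress in front of nginx, and to leave `enabled` off wherever clients can reach the pod directly, e.g. `# Replace with the source ranges of your load balancer/ingress only — any address listed here can set the client IP`. The `extraConfig` block scalar that this hunk empties is presumably still consumed elsewhere in the chart; worth confirming nothing else expected its old real_ip lines.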