feat: Add configurable real IP forwarding for bare-metal clusters

Implement a new nginx.forwardRealIP configuration flag to enable/disable
real client IP extraction from X-Forwarded-For headers on bare-metal clusters.

Changes:
- Added nginx.forwardRealIP.enabled flag (default: false) to values.yaml
- Added nginx.forwardRealIP.trustedProxies list for flexible proxy IP ranges
- Updated Nginx configmap to conditionally apply real IP extraction settings
- Updated FastCGI parameters to use real IP when enabled, direct connection IP otherwise
- Updated WordPress wp-config.php to conditionally extract real IPs from headers

Configuration:
- When enabled: Extracts real client IP from X-Forwarded-For header
- When disabled: Uses direct connection IP (default Nginx behavior)
- Supports custom proxy IP ranges for CloudFlare, AWS ALB, etc.

This allows Helmchart to work seamlessly on both:
1. Bare-metal clusters with iptables load balancing
2. Cloud-managed clusters with proper IP forwarding

Version bumped to 6.9.0-a (WordPress version with implementation suffix)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: wordpress-nginx
 description: WordPress with Nginx and PHP-FPM on Kubernetes
 type: application
-version: 6.9.3
+version: 6.9.3-a
 appVersion: "6.9.0"
 keywords:
   - wordpress

templates/configmap.yaml

@@ -10,11 +10,13 @@ data:
         server 127.0.0.1:9000;
     }
 
+    {{- if .Values.nginx.forwardRealIP.enabled }}
     # 実IPアドレスの抽出（X-Forwarded-Forから最初のIPを取得）
     map $http_x_forwarded_for $real_ip {
         ~^(\d+\.\d+\.\d+\.\d+) $1;
         default $remote_addr;
     }
+    {{- end }}
 
     # HTTPSプロトコルの判定
     map $http_x_forwarded_proto $fastcgi_https {
@@ -25,7 +27,7 @@ data:
     server {
         listen 80;
         server_name _;
-        
+
         root /var/www/html;
         index index.php index.html;
 
@@ -34,12 +36,14 @@ data:
 
         client_max_body_size 64M;
 
+        {{- if .Values.nginx.forwardRealIP.enabled }}
         # 信頼できるプロキシからのX-Forwarded-Forヘッダーを使用
         real_ip_header X-Forwarded-For;
-        set_real_ip_from 10.0.0.0/8;
+        {{- range .Values.nginx.forwardRealIP.trustedProxies }}
-        set_real_ip_from 172.16.0.0/12;
+        set_real_ip_from {{ . }};
-        set_real_ip_from 192.168.0.0/16;
+        {{- end }}
         real_ip_recursive on;
+        {{- end }}
 
         location = /favicon.ico {
             log_not_found off;
@@ -69,20 +73,27 @@ data:
             
             # FastCGIパラメータの読み込み
             include fastcgi_params;
-            
+
             # 基本的なFastCGIパラメータ
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
             fastcgi_param PATH_INFO $fastcgi_path_info;
             fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
-            
+
             # HTTPS対応（重要: WordPressのis_ssl()判定に必要）
             fastcgi_param HTTPS $fastcgi_https if_not_empty;
-            
+
-            # プロキシ経由のリクエスト情報をPHPに伝える
+            {{- if .Values.nginx.forwardRealIP.enabled }}
+            # プロキシ経由のリクエスト情報をPHPに伝える（リアルIP取得有効時）
             fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
             fastcgi_param HTTP_X_FORWARDED_FOR $http_x_forwarded_for;
             fastcgi_param HTTP_X_REAL_IP $real_ip;
             fastcgi_param REMOTE_ADDR $real_ip;
+            {{- else }}
+            # プロキシ経由のリクエスト情報をPHPに伝える（リアルIP取得無効時）
+            fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
+            fastcgi_param HTTP_X_FORWARDED_FOR $http_x_forwarded_for;
+            fastcgi_param REMOTE_ADDR $remote_addr;
+            {{- end }}
             
             # タイムアウト設定
             fastcgi_read_timeout 300;

templates/deployment.yaml

@@ -68,12 +68,16 @@ spec:
               if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
                   $_SERVER['HTTPS'] = 'on';
               }
-              
+
-              // Add Trusted Proxy (WordPress 5.9+)
+              {{- if .Values.nginx.forwardRealIP.enabled }}
+              // Add Trusted Proxy - Extract Real Client IP from X-Forwarded-For header
               if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                   $forwarded_ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
                   $_SERVER['REMOTE_ADDR'] = trim($forwarded_ips[0]);
+              } elseif (isset($_SERVER['HTTP_X_REAL_IP'])) {
+                  $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];
               }
+              {{- end }}
 
               $protocol = 'http';
               if ( isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' ) {

values.yaml

@@ -45,26 +45,20 @@ wordpress:
       # google.com, pub-0000000000000000, DIRECT, f08c47fec0942fa0
 
 nginx:
-  extraConfig: |
+  # ベアメタルクラスター等でリアルIPを取得する設定
-    # リアルIPの取得設定
+  # ローカルIP（ベアメタル等）から訪問者のリアルIPを取得する場合に有効にします
-    real_ip_header X-Forwarded-For;
+  forwardRealIP:
-    real_ip_recursive on;
+    enabled: false
-    
+    # 信頼できるプロキシのIPレンジを追加してください
-    # Kubernetesクラスタ内のIPレンジを信頼
+    trustedProxies:
-    set_real_ip_from 10.0.0.0/8;
+      - 10.0.0.0/8
-    set_real_ip_from 172.16.0.0/12;
+      - 172.16.0.0/12
-    set_real_ip_from 192.168.0.0/16;
+      - 192.168.0.0/16
-    
+    # CloudflareやAWS ALB等を使っている場合は以下のIPレンジも追加してください
-    # CloudflareやAWS ALB等を使っている場合は追加
+    # - 173.245.48.0/20
-    # set_real_ip_from 173.245.48.0/20;
+    # - 103.21.244.0/22
-    # set_real_ip_from 103.21.244.0/22;
-    # ... (Cloudflareの他のIPレンジ)
 
-  # FastCGIパラメータにリアルIPを渡す
+  extraConfig: |
-  fastcgiParams:
-    REMOTE_ADDR: $remote_addr
-    HTTP_X_REAL_IP: $realip_remote_addr
-    HTTP_X_FORWARDED_FOR: $proxy_add_x_forwarded_for
 
 # Service設定
 service: