feat: Add configurable real IP forwarding for bare-metal clusters
Implement a new nginx.forwardRealIP configuration flag to enable/disable real client IP extraction from X-Forwarded-For headers on bare-metal clusters. Changes: - Added nginx.forwardRealIP.enabled flag (default: false) to values.yaml - Added nginx.forwardRealIP.trustedProxies list for flexible proxy IP ranges - Updated Nginx configmap to conditionally apply real IP extraction settings - Updated FastCGI parameters to use real IP when enabled, direct connection IP otherwise - Updated WordPress wp-config.php to conditionally extract real IPs from headers Configuration: - When enabled: Extracts real client IP from X-Forwarded-For header - When disabled: Uses direct connection IP (default Nginx behavior) - Supports custom proxy IP ranges for CloudFlare, AWS ALB, etc. This allows Helmchart to work seamlessly on both: 1. Bare-metal clusters with iptables load balancing 2. Cloud-managed clusters with proper IP forwarding Version bumped to 6.9.0-a (WordPress version with implementation suffix) Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -2,7 +2,7 @@ apiVersion: v2
|
||||
name: wordpress-nginx
|
||||
description: WordPress with Nginx and PHP-FPM on Kubernetes
|
||||
type: application
|
||||
version: 6.9.3
|
||||
version: 6.9.3-a
|
||||
appVersion: "6.9.0"
|
||||
keywords:
|
||||
- wordpress
|
||||
|
||||
@@ -10,11 +10,13 @@ data:
|
||||
server 127.0.0.1:9000;
|
||||
}
|
||||
|
||||
{{- if .Values.nginx.forwardRealIP.enabled }}
|
||||
# 実IPアドレスの抽出(X-Forwarded-Forから最初のIPを取得)
|
||||
map $http_x_forwarded_for $real_ip {
|
||||
~^(\d+\.\d+\.\d+\.\d+) $1;
|
||||
default $remote_addr;
|
||||
}
|
||||
{{- end }}
|
||||
|
||||
# HTTPSプロトコルの判定
|
||||
map $http_x_forwarded_proto $fastcgi_https {
|
||||
@@ -25,7 +27,7 @@ data:
|
||||
server {
|
||||
listen 80;
|
||||
server_name _;
|
||||
|
||||
|
||||
root /var/www/html;
|
||||
index index.php index.html;
|
||||
|
||||
@@ -34,12 +36,14 @@ data:
|
||||
|
||||
client_max_body_size 64M;
|
||||
|
||||
{{- if .Values.nginx.forwardRealIP.enabled }}
|
||||
# 信頼できるプロキシからのX-Forwarded-Forヘッダーを使用
|
||||
real_ip_header X-Forwarded-For;
|
||||
set_real_ip_from 10.0.0.0/8;
|
||||
set_real_ip_from 172.16.0.0/12;
|
||||
set_real_ip_from 192.168.0.0/16;
|
||||
{{- range .Values.nginx.forwardRealIP.trustedProxies }}
|
||||
set_real_ip_from {{ . }};
|
||||
{{- end }}
|
||||
real_ip_recursive on;
|
||||
{{- end }}
|
||||
|
||||
location = /favicon.ico {
|
||||
log_not_found off;
|
||||
@@ -69,20 +73,27 @@ data:
|
||||
|
||||
# FastCGIパラメータの読み込み
|
||||
include fastcgi_params;
|
||||
|
||||
|
||||
# 基本的なFastCGIパラメータ
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
|
||||
|
||||
|
||||
# HTTPS対応(重要: WordPressのis_ssl()判定に必要)
|
||||
fastcgi_param HTTPS $fastcgi_https if_not_empty;
|
||||
|
||||
# プロキシ経由のリクエスト情報をPHPに伝える
|
||||
|
||||
{{- if .Values.nginx.forwardRealIP.enabled }}
|
||||
# プロキシ経由のリクエスト情報をPHPに伝える(リアルIP取得有効時)
|
||||
fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
|
||||
fastcgi_param HTTP_X_FORWARDED_FOR $http_x_forwarded_for;
|
||||
fastcgi_param HTTP_X_REAL_IP $real_ip;
|
||||
fastcgi_param REMOTE_ADDR $real_ip;
|
||||
{{- else }}
|
||||
# プロキシ経由のリクエスト情報をPHPに伝える(リアルIP取得無効時)
|
||||
fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
|
||||
fastcgi_param HTTP_X_FORWARDED_FOR $http_x_forwarded_for;
|
||||
fastcgi_param REMOTE_ADDR $remote_addr;
|
||||
{{- end }}
|
||||
|
||||
# タイムアウト設定
|
||||
fastcgi_read_timeout 300;
|
||||
|
||||
@@ -68,12 +68,16 @@ spec:
|
||||
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
|
||||
$_SERVER['HTTPS'] = 'on';
|
||||
}
|
||||
|
||||
// Add Trusted Proxy (WordPress 5.9+)
|
||||
|
||||
{{- if .Values.nginx.forwardRealIP.enabled }}
|
||||
// Add Trusted Proxy - Extract Real Client IP from X-Forwarded-For header
|
||||
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
|
||||
$forwarded_ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
|
||||
$_SERVER['REMOTE_ADDR'] = trim($forwarded_ips[0]);
|
||||
} elseif (isset($_SERVER['HTTP_X_REAL_IP'])) {
|
||||
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];
|
||||
}
|
||||
{{- end }}
|
||||
|
||||
$protocol = 'http';
|
||||
if ( isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' ) {
|
||||
|
||||
32
values.yaml
32
values.yaml
@@ -45,26 +45,20 @@ wordpress:
|
||||
# google.com, pub-0000000000000000, DIRECT, f08c47fec0942fa0
|
||||
|
||||
nginx:
|
||||
extraConfig: |
|
||||
# リアルIPの取得設定
|
||||
real_ip_header X-Forwarded-For;
|
||||
real_ip_recursive on;
|
||||
|
||||
# Kubernetesクラスタ内のIPレンジを信頼
|
||||
set_real_ip_from 10.0.0.0/8;
|
||||
set_real_ip_from 172.16.0.0/12;
|
||||
set_real_ip_from 192.168.0.0/16;
|
||||
|
||||
# CloudflareやAWS ALB等を使っている場合は追加
|
||||
# set_real_ip_from 173.245.48.0/20;
|
||||
# set_real_ip_from 103.21.244.0/22;
|
||||
# ... (Cloudflareの他のIPレンジ)
|
||||
# ベアメタルクラスター等でリアルIPを取得する設定
|
||||
# ローカルIP(ベアメタル等)から訪問者のリアルIPを取得する場合に有効にします
|
||||
forwardRealIP:
|
||||
enabled: false
|
||||
# 信頼できるプロキシのIPレンジを追加してください
|
||||
trustedProxies:
|
||||
- 10.0.0.0/8
|
||||
- 172.16.0.0/12
|
||||
- 192.168.0.0/16
|
||||
# CloudflareやAWS ALB等を使っている場合は以下のIPレンジも追加してください
|
||||
# - 173.245.48.0/20
|
||||
# - 103.21.244.0/22
|
||||
|
||||
# FastCGIパラメータにリアルIPを渡す
|
||||
fastcgiParams:
|
||||
REMOTE_ADDR: $remote_addr
|
||||
HTTP_X_REAL_IP: $realip_remote_addr
|
||||
HTTP_X_FORWARDED_FOR: $proxy_add_x_forwarded_for
|
||||
extraConfig: |
|
||||
|
||||
# Service設定
|
||||
service:
|
||||
|
||||
Reference in New Issue
Block a user