From b530af4921f40dba84ae8c4db07a54a4c1412701 Mon Sep 17 00:00:00 2001
From: pieter
Date: Fri, 28 Nov 2025 11:24:37 +0000
Subject: [PATCH] =?UTF-8?q?templates/configmap.yaml=20=E3=82=92=E6=9B=B4?= =?UTF-8?q?=E6=96=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 templates/configmap.yaml | 51 ++++++++++++++++++++++------------------
 1 file changed, 28 insertions(+), 23 deletions(-)
diff --git a/templates/configmap.yaml b/templates/configmap.yaml
index 4e554e4..b81a35b 100644
--- a/templates/configmap.yaml
+++ b/templates/configmap.yaml
@@ -10,6 +10,18 @@ data:
 server 127.0.0.1:9000;
 }
+ # Ingress/LBからのリアルIPを取得
+ map $http_x_forwarded_for $real_ip {
+ ~^(\d+\.\d+\.\d+\.\d+) $1;
+ default $remote_addr;
+ }
+
+ # プロトコル判定(HTTP or HTTPS)
+ map $http_x_forwarded_proto $fastcgi_https {
+ default '';
+ https on;
+ }
+
 server {
 listen 80;
 server_name _;
@@ -21,9 +33,12 @@ data:
 client_max_body_size 64M;
- # リアルIPの取得(LoadBalancer/Ingress経由の場合)
+ # リアルIP設定
 real_ip_header X-Forwarded-For;
- set_real_ip_from 0.0.0.0/0;
+ set_real_ip_from 10.0.0.0/8;
+ set_real_ip_from 172.16.0.0/12;
+ set_real_ip_from 192.168.0.0/16;
+ real_ip_recursive on;
 location / {
 try_files $uri $uri/ /index.php?$args;
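Review bot: The `$real_ip` map takes the first address in `X-Forwarded-For`, which is the entry the client itself supplies, and it does so for every request regardless of whether the peer falls inside the `set_real_ip_from` ranges. The third hunk then sends this value to PHP as `REMOTE_ADDR` and `HTTP_X_REAL_IP`, so anything in the application that keys on the client address (rate limits, allowlists, audit logs) would see a caller-chosen value. The realip directives in the second hunk already rewrite `$remote_addr` to the last untrusted hop, so I would drop this map and pass `fastcgi_param HTTP_X_REAL_IP $remote_addr;`, leaving `REMOTE_ADDR` to the included `fastcgi_params` (the stock file sets it from `$remote_addr`; worth confirming for this image). The pattern also matches only dotted IPv4, so IPv6 clients fall through to `default`.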
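Review bot: The three `set_real_ip_from` lines trust every RFC 1918 address, so any pod or node that can reach port 80 directly still gets its `X-Forwarded-For` honoured; that is much narrower than `0.0.0.0/0` but wider than the ingress controller or load balancer actually needs. If the proxy's source range is known, I would list only that CIDR, and since this looks like a Helm template, take it from a chart value so each cluster can set its own. A comment above the block such as `# trusted proxies only: ingress/LB source ranges` would record why these ranges are there. The `server` block continues outside the hunk.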
@@ -36,35 +51,25 @@ data:
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param PATH_INFO $fastcgi_path_info;
+
+ # HTTPSリバースプロキシ対応
+ fastcgi_param HTTPS $fastcgi_https;
+ fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
+ fastcgi_param HTTP_X_FORWARDED_FOR $http_x_forwarded_for;
+ fastcgi_param HTTP_X_FORWARDED_HOST $http_x_forwarded_host;
+ fastcgi_param HTTP_X_REAL_IP $real_ip;
+ fastcgi_param REMOTE_ADDR $real_ip;
+ fastcgi_param SERVER_PORT $http_x_forwarded_port;
+
 fastcgi_buffering off;
 fastcgi_read_timeout 300;
-
- # HTTPS対応(重要)
- fastcgi_param HTTPS $https if_not_empty;
- fastcgi_param REQUEST_SCHEME $scheme;
-
- # X-Forwarded-*ヘッダーの転送
- fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
- fastcgi_param HTTP_X_FORWARDED_HOST $http_x_forwarded_host;
- fastcgi_param HTTP_X_FORWARDED_PORT $http_x_forwarded_port;
- fastcgi_param HTTP_X_FORWARDED_FOR $http_x_forwarded_for;
- fastcgi_param HTTP_X_REAL_IP $http_x_real_ip;
-
- # HTTPSが検出された場合の明示的な設定
- set $https_value "";
- if ($http_x_forwarded_proto = "https") {
- set $https_value "on";
- }
- if ($scheme = "https") {
- set $https_value "on";
- }
- fastcgi_param HTTPS $https_value;
 }
 location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
 expires max;
 log_not_found off;
 access_log off;
+ add_header Cache-Control "public, immutable";
 }
 location = /favicon.ico {
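Review bot: `fastcgi_param SERVER_PORT $http_x_forwarded_port;` passes an empty `SERVER_PORT` whenever the proxy does not send `X-Forwarded-Port`, and otherwise passes whatever the request header says. A map with a fallback, `map $http_x_forwarded_port $fwd_port { default $http_x_forwarded_port; '' $server_port; }`, used as `fastcgi_param SERVER_PORT $fwd_port;`, would keep the listener port as the default. `fastcgi_param HTTPS $fastcgi_https;` sends `HTTPS=''` for plain HTTP; `fastcgi_param HTTPS $fastcgi_https if_not_empty;` omits the key instead, which is safer for applications that test only whether it is set. Both the port and the `X-Forwarded-Proto`-derived flag are only as trustworthy as the path to this listener, so they presume port 80 is reachable solely through the ingress. The `location` block that holds these lines starts outside the hunk.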