wordpress/templates/configmap.yaml
Claude 31935a5c68
feat: Add configurable real IP forwarding for bare-metal clusters
Implement a new nginx.forwardRealIP configuration flag to enable/disable
real client IP extraction from X-Forwarded-For headers on bare-metal clusters.

Changes:
- Added nginx.forwardRealIP.enabled flag (default: false) to values.yaml
- Added nginx.forwardRealIP.trustedProxies list for flexible proxy IP ranges
- Updated Nginx configmap to conditionally apply real IP extraction settings
- Updated FastCGI parameters to use real IP when enabled, direct connection IP otherwise
- Updated WordPress wp-config.php to conditionally extract real IPs from headers

Configuration:
- When enabled: Extracts real client IP from X-Forwarded-For header
- When disabled: Uses direct connection IP (default Nginx behavior)
- Supports custom proxy IP ranges for CloudFlare, AWS ALB, etc.

This allows the Helm chart to work seamlessly on both:
1. Bare-metal clusters with iptables load balancing
2. Cloud-managed clusters with proper IP forwarding

Version bumped to 6.9.0-a (WordPress version with implementation suffix)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-02-10 14:11:02 +09:00


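apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "wordpress-nginx.fullname" . }}-nginx-config
  labels:
    {{- include "wordpress-nginx.labels" . | nindent 4 }}
data:
  # Nginx site configuration for the WordPress pod. PHP-FPM is reached on
  # 127.0.0.1:9000 inside the same pod.
  default.conf: |
    upstream php {
        server 127.0.0.1:9000;
    }

    # Tell PHP the request was HTTPS when an upstream proxy says so.
    # NOTE(review): X-Forwarded-Proto is honoured from any sender, trusted
    # proxy or not; it only feeds WordPress's is_ssl() decision.
    map $http_x_forwarded_proto $fastcgi_https {
        default '';
        https   on;
    }

    server {
        listen 80;
        server_name _;
        root /var/www/html;
        index index.php index.html;

        access_log /var/log/nginx/access.log;
        error_log  /var/log/nginx/error.log;

        client_max_body_size 64M;
        {{- if .Values.nginx.forwardRealIP.enabled }}

        # Recover the client address from X-Forwarded-For, but only for hops
        # listed in nginx.forwardRealIP.trustedProxies. With real_ip_recursive
        # the realip module walks the header from the right and stops at the
        # first address that is not a trusted proxy, so an X-Forwarded-For
        # value forged by the client itself is ignored. From here on
        # $remote_addr is the trust-bounded client address and is the only
        # value handed to PHP. If trustedProxies is empty nothing is trusted
        # and $remote_addr stays the direct peer address.
        real_ip_header X-Forwarded-For;
        {{- range .Values.nginx.forwardRealIP.trustedProxies }}
        set_real_ip_from {{ . }};
        {{- end }}
        real_ip_recursive on;
        {{- end }}

        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # Deny rules are regex locations and must precede "location ~ \.php$":
        # nginx takes the first regex location that matches, so listed after
        # it they would never apply to /wp-config.php or /.hidden/x.php.
        location ~* /wp-config\.php {
            deny all;
        }

        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }

        # WordPress permalinks: non-file paths fall back to index.php.
        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        # Hand .php requests to PHP-FPM.
        location ~ \.php$ {
            # Only execute scripts that exist on disk.
            try_files $uri =404;

            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi_params;

            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO       $fastcgi_path_info;
            fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
            # HTTPS must be set for WordPress's is_ssl() behind a TLS-terminating proxy.
            fastcgi_param HTTPS $fastcgi_https if_not_empty;

            # Forwarding headers are passed through verbatim for PHP-side inspection.
            fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
            fastcgi_param HTTP_X_FORWARDED_FOR   $http_x_forwarded_for;
            {{- if .Values.nginx.forwardRealIP.enabled }}
            # $remote_addr was already rewritten by the realip module above, so it
            # is the trust-bounded client address. REMOTE_ADDR must never be taken
            # from the leftmost X-Forwarded-For entry: that entry is chosen by the
            # client and would let any request spoof its own address to WordPress.
            # Setting HTTP_X_REAL_IP here is expected to take precedence over a
            # client-sent X-Real-IP header - confirm on the nginx version in use.
            fastcgi_param HTTP_X_REAL_IP $remote_addr;
            {{- end }}
            fastcgi_param REMOTE_ADDR $remote_addr;

            fastcgi_read_timeout 300;
            fastcgi_send_timeout 300;
            fastcgi_connect_timeout 300;

            fastcgi_buffers 16 16k;
            fastcgi_buffer_size 32k;
        }

        # Long-lived caching for static assets.
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|otf)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
            log_not_found off;
            access_log off;
        }

        # XML-RPC abuse mitigation: uncomment if needed.
        # location = /xmlrpc.php {
        #     deny all;
        # }
    }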