SkyeYoung commented on code in PR #12551:
URL: https://github.com/apache/apisix/pull/12551#discussion_r2347932417


##########
apisix/cli/schema.lua:
##########
@@ -259,6 +259,14 @@ local config_schema = {
                     default = false,
                     description = "a global switch to disable upstream health 
checks",
                 },
+                trusted_addresses = {

Review Comment:
   Adding core.schema.ip_def doesn't seem to work.
   
   
   https://github.com/apache/apisix/blob/8bb6802bd2b2ccd4dabe78e90beb8f87ec046035/apisix/schema_def.lua depends on https://github.com/apache/apisix/blob/0fd582bc299a9d90893d3843cd3ec21f217cb40e/apisix/core/schema.lua
   
   Using it causes the error `/usr/local/openresty//luajit/bin/luajit: ./apisix/core/lrucache.lua:22: module 'resty.lrucache' not found`:
   
   <img width="2540" height="952" alt="image" 
src="https://github.com/user-attachments/assets/b0305b95-6018-4e12-94c6-39f5faa2b59e";
 />
   <img width="1275" height="702" alt="image" 
src="https://github.com/user-attachments/assets/08e36692-4521-4359-970f-76391a5d7f2c";
 />
   



##########
apisix/init.lua:
##########
@@ -599,6 +587,54 @@ function _M.handle_upstream(api_ctx, route, 
enable_websocket)
 end
 
 
+local function handle_x_forwarded_headers(api_ctx)
+    local addr_is_trusted = 
trusted_addresses_util.is_trusted(api_ctx.var.realip_remote_addr)
+
+    if not addr_is_trusted then
+        -- store the original x-forwarded-* headers
+        -- to allow future use by other plugins or processes
+        api_ctx.var.original_x_forwarded_proto = 
api_ctx.var.http_x_forwarded_proto
+        api_ctx.var.original_x_forwarded_host = 
api_ctx.var.http_x_forwarded_host
+        api_ctx.var.original_x_forwarded_port = 
api_ctx.var.http_x_forwarded_port
+        api_ctx.var.original_x_forwarded_for = api_ctx.var.http_x_forwarded_for
+
+        local proto = api_ctx.var.scheme
+        local host = api_ctx.var.host
+        local port = api_ctx.var.server_port
+
+        api_ctx.var.http_x_forwarded_proto = proto
+        api_ctx.var.http_x_forwarded_host = host
+        api_ctx.var.http_x_forwarded_port = port
+        api_ctx.var.http_x_forwarded_for = nil
+
+        -- override the x-forwarded-* headers to the trusted ones
+        core.request.set_header(api_ctx, "X-Forwarded-Proto", proto)
+        core.request.set_header(api_ctx, "X-Forwarded-Host", host)
+        core.request.set_header(api_ctx, "X-Forwarded-Port", port)
+        -- later processed in ngx_tpl by `$proxy_add_x_forwarded_for`
+        core.request.set_header(api_ctx, "X-Forwarded-For", nil)
+    end
+end
+
+
+local function update_var_x_forwarded_headers(api_ctx)
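Review bot: In `handle_x_forwarded_headers`, the `original_x_forwarded_*` variables are filled from the request headers only in the branch where the peer is not trusted, so they always hold client-controlled values, yet the existing comment invites other plugins to use them without saying so. I would extend that comment, e.g. `-- NOTE: original_x_forwarded_* are unverified client input from an untrusted peer; never use them for auth, IP allow-lists or redirect/scheme decisions`. It is also not visible here what `trusted_addresses_util.is_trusted` returns when `realip_remote_addr` is nil or when no trusted addresses are configured; if it can raise or return a truthy value in those cases the client's headers would pass through unchanged, so a short docstring stating the fail-closed expectation would help. The quoted hunk stops at the first line of `update_var_x_forwarded_headers`, whose body is outside the view.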

Review Comment:
   done.


