From 82119c746ef3540c6c135e22e98c99916e0b0cd8 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Mon, 22 Feb 2021 18:55:10 +0100
Subject: [PATCH] [nginx] Define proper set_realip_from

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/nginx.yml                          |  3 +++
 .../nginx/sites-available/redirect.j2         | 20 +++++++++++++++++++
 .../nginx/sites-available/reverseproxy.j2     | 10 ++++++++--
 .../reverseproxy_redirect_dname.j2            | 10 ++++++++++
 .../nginx/sites-available/service.j2          | 20 +++++++++++++++++++
 5 files changed, 61 insertions(+), 2 deletions(-)

diff --git a/group_vars/nginx.yml b/group_vars/nginx.yml
index a75550cc..774fa0e1 100644
--- a/group_vars/nginx.yml
+++ b/group_vars/nginx.yml
@@ -26,4 +26,7 @@ glob_nginx:
   default_server:
   default_ssl_server:
   default_ssl_domain: crans.org
+  real_ip_from:
+    - "172.16.0.0/16"
+    - "2a0c:700:0:2::/64"
   deploy_robots_file: false
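Review bot: The IPv4 range trusted here, `172.16.0.0/16`, is considerably wider than the `10.231.136.0/24` that this same commit removes from reverseproxy.j2, and the commit message does not say the proxies moved; if the /16 contains hosts other than the front reverse proxies, each of them can now set `P-Real-Ip` and choose the client address that nginx logs and hands to backends. Please confirm the range is intended, and narrow it to the proxy subnet if the /24 was still correct. The key also deserves a comment, since its security effect is not obvious from the name: `# Trusted reverse proxies: nginx rewrites the client address from the P-Real-Ip header only for requests coming from these ranges, so list only the front proxies.`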
diff --git a/roles/nginx/templates/nginx/sites-available/redirect.j2 b/roles/nginx/templates/nginx/sites-available/redirect.j2
index 44cce798..d40a3a4b 100644
--- a/roles/nginx/templates/nginx/sites-available/redirect.j2
+++ b/roles/nginx/templates/nginx/sites-available/redirect.j2
@@ -8,6 +8,11 @@ server {
 
     server_name {{ site.from }};
 
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
     location / {
         return 302 http://{{ site.to }}$request_uri;
     }
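Review bot: The same four-line stanza (`{% for realip in nginx.real_ip_from %}` … `real_ip_header P-Real-Ip;`) is pasted into every server block of redirect.j2 (this hunk and the three below it), reverseproxy.j2, reverseproxy_redirect_dname.j2 and service.j2 — twelve copies to keep in sync. `set_real_ip_from` and `real_ip_header` are also accepted in the `http` context, so rendering them once into a snippet that each vhost includes (or into nginx.conf) would cover every server block from one definition. Separately, the loop reads `nginx.real_ip_from` with no default, so a host that overrides the `nginx` dict without that key fails at templating time; `{% for realip in nginx.real_ip_from | default([]) %}` avoids that, and with an empty list the `real_ip_header` line is inert because no source is trusted. The enclosing server block starts and ends outside the hunk.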
@@ -23,6 +28,11 @@ server {
     # SSL common conf
     include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
 
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
     location / {
         return 302 https://{{ site.to }}$request_uri;
     }
@@ -42,6 +52,11 @@ server {
 
     server_name {{ from }};
 
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
     location / {
         return 302 http://{{ site.to }}$request_uri;
     }
@@ -57,6 +72,11 @@ server {
     # SSL common conf
     include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
 
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
     location / {
         return 302 https://{{ site.to }}$request_uri;
     }
diff --git a/roles/nginx/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2
index dc8ae1b4..27013aab 100644
--- a/roles/nginx/templates/nginx/sites-available/reverseproxy.j2
+++ b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2
@@ -15,6 +15,11 @@ server {
 
     server_name {{ site.from }};
 
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
     location / {
         return 302 https://$host$request_uri;
     }
@@ -43,8 +48,9 @@ server {
         root /var/www/html;
     }
 
-    set_real_ip_from 10.231.136.0/24;
-    set_real_ip_from 2a0c:700:0:2::/64;
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
     real_ip_header P-Real-Ip;
 
     location / {
diff --git a/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
index 0ca20f57..0b39022f 100644
--- a/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
+++ b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2
@@ -12,6 +12,11 @@ server {
 
     server_name {{ from }};
 
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
     location / {
         return 302 http://{{ to }}$request_uri;
     }
@@ -27,6 +32,11 @@ server {
     # SSL common conf
     include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf";
 
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
     location / {
         return 302 https://{{ to }}$request_uri;
     }
diff --git a/roles/nginx/templates/nginx/sites-available/service.j2 b/roles/nginx/templates/nginx/sites-available/service.j2
index b44a4d53..7c7244ab 100644
--- a/roles/nginx/templates/nginx/sites-available/service.j2
+++ b/roles/nginx/templates/nginx/sites-available/service.j2
@@ -27,6 +27,11 @@ server {
     # Hide Nginx version
     server_tokens off;
 
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
     location / {
         return 302 https://{{ nginx.default_ssl_server }}$request_uri;
     }
@@ -45,6 +50,11 @@ server {
     # Hide Nginx version
     server_tokens off;
 
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
     location / {
         return 302 http://{{ nginx.default_server }}$request_uri;
     }
@@ -64,6 +74,11 @@ server {
     # Hide Nginx version
     server_tokens off;
 
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
     location / {
         return 302 https://$host$request_uri;
     }
@@ -86,6 +101,11 @@ server {
     # Hide Nginx version
     server_tokens off;
 
+{% for realip in nginx.real_ip_from %}
+    set_real_ip_from {{ realip }};
+{% endfor %}
+    real_ip_header P-Real-Ip;
+
     {% if server.root is defined %}root {{ server.root }};{% endif %}
     {% if server.index is defined %}index {{ server.index|join(" ") }};{% endif %}
 
-- 
GitLab