Shiloh/frappe_docker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #419 from Xaroth/nginx-pass-forwarded-proto

Browse Source 
Allow for configuring the realip module for nginx to pass the proper IP/Scheme to frappe
This commit is contained in:
Revant Nandgaonkar 2021-02-19 21:54:34 +05:30 committed by GitHub
commit 0dcf85db8c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 37 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
build/common/nginx-default.conf.template
View File

@ -6,6 +6,12 @@ upstream socketio-server {
server ${FRAPPE_SOCKETIO}:${SOCKETIO_PORT} fail_timeout=0; server ${FRAPPE_SOCKETIO}:${SOCKETIO_PORT} fail_timeout=0;
} }
# Parse the X-Forwarded-Proto header - if set - defaulting to $scheme.
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $scheme;
https https;
}
server { server {
listen 80; listen 80;
server_name $http_host; server_name $http_host;
@ -16,6 +22,12 @@ server {
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
# Define ${UPSTREAM_REAL_IP_ADDRESS} as our trusted upstream address, so we will be using
# its ${UPSTREAM_REAL_IP_HEADER} address as our remote address
set_real_ip_from ${UPSTREAM_REAL_IP_ADDRESS};
real_ip_header ${UPSTREAM_REAL_IP_HEADER};
real_ip_recursive ${UPSTREAM_REAL_IP_RECURSIVE};
location /assets { location /assets {
try_files $uri =404; try_files $uri =404;
} }
@ -27,10 +39,12 @@ server {
location /socket.io { location /socket.io {
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
proxy_set_header X-Frappe-Site-Name $host; proxy_set_header X-Frappe-Site-Name $host;
proxy_set_header Origin $scheme://$http_host; proxy_set_header Origin $proxy_x_forwarded_proto://$http_host;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_pass http://socketio-server; proxy_pass http://socketio-server;
@ -50,8 +64,8 @@ server {
} }
location @webserver { location @webserver {
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Frappe-Site-Name $host; proxy_set_header X-Frappe-Site-Name $host;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Use-X-Accel-Redirect True; proxy_set_header X-Use-X-Accel-Redirect True;

17
build/frappe-nginx/docker-entrypoint.sh
View File

@ -35,11 +35,26 @@ if [[ -z "$HTTP_TIMEOUT" ]]; then
export HTTP_TIMEOUT=120 export HTTP_TIMEOUT=120
fi fi
if [[ -z "$UPSTREAM_REAL_IP_ADDRESS" ]]; then
export UPSTREAM_REAL_IP_ADDRESS=127.0.0.1
fi
if [[ -z "$UPSTREAM_REAL_IP_RECURSIVE" ]]; then
export UPSTREAM_REAL_IP_RECURSIVE=off
fi
if [[ -z "$UPSTREAM_REAL_IP_HEADER" ]]; then
export UPSTREAM_REAL_IP_HEADER="X-Forwarded-For"
fi
envsubst '${FRAPPE_PY} envsubst '${FRAPPE_PY}
${FRAPPE_PY_PORT} ${FRAPPE_PY_PORT}
${FRAPPE_SOCKETIO} ${FRAPPE_SOCKETIO}
${SOCKETIO_PORT} ${SOCKETIO_PORT}
${HTTP_TIMEOUT}' \ ${HTTP_TIMEOUT}
${UPSTREAM_REAL_IP_ADDRESS}
${UPSTREAM_REAL_IP_RECURSIVE}
${UPSTREAM_REAL_IP_HEADER}' \
< /etc/nginx/conf.d/default.conf.template > /etc/nginx/conf.d/default.conf < /etc/nginx/conf.d/default.conf.template > /etc/nginx/conf.d/default.conf
echo "Waiting for frappe-python to be available on $FRAPPE_PY port $FRAPPE_PY_PORT" echo "Waiting for frappe-python to be available on $FRAPPE_PY port $FRAPPE_PY_PORT"

1
docs/docker-swarm.md
View File

@ -142,6 +142,7 @@ services:
erpnext-nginx: erpnext-nginx:
image: frappe/erpnext-nginx:${ERPNEXT_VERSION?Variable ERPNEXT_VERSION not set} image: frappe/erpnext-nginx:${ERPNEXT_VERSION?Variable ERPNEXT_VERSION not set}
environment: environment:
- UPSTREAM_REAL_IP_ADDRESS=10.0.0.0/8
- FRAPPE_PY=erpnext-python - FRAPPE_PY=erpnext-python
- FRAPPE_PY_PORT=8000 - FRAPPE_PY_PORT=8000
- FRAPPE_SOCKETIO=frappe-socketio - FRAPPE_SOCKETIO=frappe-socketio

3
docs/environment-variables.md
View File

@ -20,6 +20,9 @@ These variables are set on every container start. Change in these variables will
- `FRAPPE_SOCKETIO`: SocketIO host to reverse proxy. Default: 0.0.0.0 - `FRAPPE_SOCKETIO`: SocketIO host to reverse proxy. Default: 0.0.0.0
- `SOCKETIO_PORT`: SocketIO port to reverse proxy. Default: 9000 - `SOCKETIO_PORT`: SocketIO port to reverse proxy. Default: 9000
- `HTTP_TIMEOUT`: Nginx http timeout. Default: 120 - `HTTP_TIMEOUT`: Nginx http timeout. Default: 120
- `UPSTREAM_REAL_IP_ADDRESS `: The trusted address (or ip range) of upstream proxy servers. If set, this will tell nginx to trust the X-Forwarded-For header from these proxy servers in determining the real IP address of connecting clients. Default: 127.0.0.1
- `UPSTREAM_REAL_IP_RECURSIVE`: When set to `on`, this will tell nginx to not just look to the last upstream proxy server in determining the real IP address. Default: off
- `UPSTREAM_REAL_IP_HEADER`: Set this to the header name sent by your upstream proxy server to indicate the real IP of connecting clients. Default: X-Forwarded-For
### frappe-socketio ### frappe-socketio