add proxy_protocol to server configuration

nginxinc · Jul 24, 2024 · 58e4b21 · 58e4b21
1 parent 2f627ce
commit 58e4b21
Show file tree

Hide file tree

Showing 12 changed files with 115 additions and 9 deletions.
diff --git a/apis/v1alpha1/nginxproxy_types.go b/apis/v1alpha1/nginxproxy_types.go
@@ -58,6 +58,12 @@ type NginxProxySpec struct {
 	//
 	// +optional
 	DisableHTTP2 bool `json:"disableHTTP2,omitempty"`
+
+	// EnableProxyProtocol defines if the Proxy Protocol should be enabled for all servers.
+	// Default is false, meaning the Proxy Protocol will be disabled.
+	//
+	// +optional
+	EnableProxyProtocol bool `json:"enableProxyProtocol,omitempty"`
 }
 
 // Telemetry specifies the OpenTelemetry configuration.

diff --git a/charts/nginx-gateway-fabric/values.yaml b/charts/nginx-gateway-fabric/values.yaml
@@ -93,6 +93,7 @@ nginx:
     {}
     # disableHTTP2: false
     # ipFamily: dual
+    # enableProxyProtocol: true
     # telemetry:
     #   exporter:
     #     endpoint: otel-collector.default.svc:4317

diff --git a/config/crd/bases/gateway.nginx.org_nginxproxies.yaml b/config/crd/bases/gateway.nginx.org_nginxproxies.yaml
@@ -52,6 +52,11 @@ spec:
                   DisableHTTP2 defines if http2 should be disabled for all servers.
                   Default is false, meaning http2 will be enabled for all servers.
                 type: boolean
+              enableProxyProtocol:
+                description: |-
+                  EnableProxyProtocol defines if the Proxy Protocol should be enabled for all servers.
+                  Default is false, meaning the Proxy Protocol will be disabled.
+                type: boolean
               ipFamily:
                 default: dual
                 description: |-

diff --git a/deploy/crds.yaml b/deploy/crds.yaml
@@ -697,6 +697,11 @@ spec:
                   DisableHTTP2 defines if http2 should be disabled for all servers.
                   Default is false, meaning http2 will be enabled for all servers.
                 type: boolean
+              enableProxyProtocol:
+                description: |-
+                  EnableProxyProtocol defines if the Proxy Protocol should be enabled for all servers.
+                  Default is false, meaning the Proxy Protocol will be disabled.
+                type: boolean
               ipFamily:
                 default: dual
                 description: |-

diff --git a/internal/mode/static/nginx/config/http/config.go b/internal/mode/static/nginx/config/http/config.go
@@ -115,6 +115,7 @@ type ProxySSLVerify struct {
 
 // ServerConfig holds configuration for an HTTP server and IP family to be used by NGINX.
 type ServerConfig struct {
-	Servers  []Server
-	IPFamily IPFamily
+	Servers       []Server
+	IPFamily      IPFamily
+	ProxyProtocol bool
 }
diff --git a/internal/mode/static/nginx/config/servers.go b/internal/mode/static/nginx/config/servers.go
@@ -61,8 +61,9 @@ func executeServers(conf dataplane.Configuration) []executeResult {
 	servers, httpMatchPairs := createServers(conf.HTTPServers, conf.SSLServers)
 
 	serverConfig := http.ServerConfig{
-		Servers:  servers,
-		IPFamily: getIPFamily(conf.BaseHTTPConfig),
+		Servers:       servers,
+		IPFamily:      getIPFamily(conf.BaseHTTPConfig),
+		ProxyProtocol: conf.BaseHTTPConfig.ProxyProtocol,
 	}
 
 	serverResult := executeResult{

diff --git a/internal/mode/static/nginx/config/servers_template.go b/internal/mode/static/nginx/config/servers_template.go
@@ -28,12 +28,13 @@ server {
 }
     {{- else }}
 server {
+        {{ $proxyProtocol := "" }}{{ if $.ProxyProtocol }}{{ $proxyProtocol = " proxy_protocol" }}{{ end }}
         {{- if $s.SSL }}
           {{- if $.IPFamily.IPv4 }}
-    listen {{ $s.Port }} ssl;
+    listen {{ $s.Port }} ssl{{ $proxyProtocol }};
           {{- end }}
           {{- if $.IPFamily.IPv6 }}
-    listen [::]:{{ $s.Port }} ssl;
+    listen [::]:{{ $s.Port }} ssl{{ $proxyProtocol }};
           {{- end }}
     ssl_certificate {{ $s.SSL.Certificate }};
     ssl_certificate_key {{ $s.SSL.CertificateKey }};
@@ -43,10 +44,10 @@ server {
     }
         {{- else }}
           {{- if $.IPFamily.IPv4 }}
-    listen {{ $s.Port }};
+    listen {{ $s.Port }}{{ $proxyProtocol }};
           {{- end }}
           {{- if $.IPFamily.IPv6 }}
-    listen [::]:{{ $s.Port }};
+    listen [::]:{{ $s.Port }}{{ $proxyProtocol }};
           {{- end }}
         {{- end }}
 

diff --git a/internal/mode/static/nginx/config/servers_test.go b/internal/mode/static/nginx/config/servers_test.go
@@ -137,7 +137,7 @@ func TestExecuteServers(t *testing.T) {
 	}
 }
 
-func TestExecuteServersForIPFamily(t *testing.T) {
+func TestExecuteServerConfig(t *testing.T) {
 	httpServers := []dataplane.VirtualServer{
 		{
 			IsDefault: true,
@@ -230,6 +230,30 @@ func TestExecuteServersForIPFamily(t *testing.T) {
 				"listen [::]:8443 ssl;":                                    1,
 			},
 		},
+		{
+			msg: "http and ssl servers with proxy protocol enabled",
+			config: dataplane.Configuration{
+				HTTPServers: httpServers,
+				SSLServers:  sslServers,
+				BaseHTTPConfig: dataplane.BaseHTTPConfig{
+					ProxyProtocol: true,
+				},
+			},
+			expectedHTTPConfig: map[string]int{
+				"listen 8080 default_server;":                              1,
+				"listen 8080 proxy_protocol;":                              1,
+				"listen 8443 ssl default_server;":                          1,
+				"listen 8443 ssl proxy_protocol;":                          1,
+				"server_name example.com;":                                 2,
+				"ssl_certificate /etc/nginx/secrets/test-keypair.pem;":     1,
+				"ssl_certificate_key /etc/nginx/secrets/test-keypair.pem;": 1,
+				"ssl_reject_handshake on;":                                 1,
+				"listen [::]:8080 default_server;":                         1,
+				"listen [::]:8080 proxy_protocol;":                         1,
+				"listen [::]:8443 ssl default_server;":                     1,
+				"listen [::]:8443 ssl proxy_protocol;":                     1,
+			},
+		},
 	}
 
 	for _, test := range tests {

diff --git a/internal/mode/static/state/dataplane/configuration.go b/internal/mode/static/state/dataplane/configuration.go
@@ -678,6 +678,8 @@ func buildBaseHTTPConfig(g *graph.Graph) BaseHTTPConfig {
 		// HTTP2 should be enabled by default
 		HTTP2:    true,
 		IPFamily: Dual,
+		// EnableProxyProtocol should be disabled by default
+		ProxyProtocol: false,
 	}
 	if g.NginxProxy == nil || !g.NginxProxy.Valid {
 		return baseConfig
@@ -696,6 +698,10 @@ func buildBaseHTTPConfig(g *graph.Graph) BaseHTTPConfig {
 		}
 	}
 
+	if g.NginxProxy.Source.Spec.EnableProxyProtocol {
+		baseConfig.ProxyProtocol = true
+	}
+
 	return baseConfig
 }
 

diff --git a/internal/mode/static/state/dataplane/configuration_test.go b/internal/mode/static/state/dataplane/configuration_test.go
@@ -2089,6 +2089,34 @@ func TestBuildConfiguration(t *testing.T) {
 			}),
 			msg: "NginxProxy with IPv6 IPFamily and no routes",
 		},
+		{
+			graph: getModifiedGraph(func(g *graph.Graph) *graph.Graph {
+				g.Gateway.Source.ObjectMeta = metav1.ObjectMeta{
+					Name:      "gw",
+					Namespace: "ns",
+				}
+				g.Gateway.Listeners = append(g.Gateway.Listeners, &graph.Listener{
+					Name:   "listener-80-1",
+					Source: listener80,
+					Valid:  true,
+					Routes: map[graph.RouteKey]*graph.L7Route{},
+				})
+				g.NginxProxy = &graph.NginxProxy{
+					Valid: true,
+					Source: &ngfAPI.NginxProxy{
+						Spec: ngfAPI.NginxProxySpec{EnableProxyProtocol: true},
+					},
+				}
+				return g
+			}),
+			expConf: getModifiedExpectedConfiguration(func(conf Configuration) Configuration {
+				conf.SSLServers = []VirtualServer{}
+				conf.SSLKeyPairs = map[SSLKeyPairID]SSLKeyPair{}
+				conf.BaseHTTPConfig = BaseHTTPConfig{HTTP2: true, IPFamily: Dual, ProxyProtocol: true}
+				return conf
+			}),
+			msg: "NginxProxy with proxy protocol enabled",
+		},
 	}
 
 	for _, test := range tests {

diff --git a/internal/mode/static/state/dataplane/types.go b/internal/mode/static/state/dataplane/types.go
@@ -300,6 +300,8 @@ type BaseHTTPConfig struct {
 	IPFamily IPFamilyType
 	// HTTP2 specifies whether http2 should be enabled for all servers.
 	HTTP2 bool
+	// ProxyProtocol specifies whether the Proxy Protocol should be enabled for all servers.
+	ProxyProtocol bool
 }
 
 // IPFamilyType specifies the IP family to be used by NGINX.

diff --git a/site/content/reference/api.md b/site/content/reference/api.md
@@ -339,6 +339,19 @@ bool
 Default is false, meaning http2 will be enabled for all servers.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>enableProxyProtocol</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>EnableProxyProtocol defines if the Proxy Protocol should be enabled for all servers.
+Default is false, meaning the Proxy Protocol will be disabled.</p>
+</td>
+</tr>
 </table>
 </td>
 </tr>
@@ -961,6 +974,19 @@ bool
 Default is false, meaning http2 will be enabled for all servers.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>enableProxyProtocol</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>EnableProxyProtocol defines if the Proxy Protocol should be enabled for all servers.
+Default is false, meaning the Proxy Protocol will be disabled.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="gateway.nginx.org/v1alpha1.ObservabilityPolicySpec">ObservabilityPolicySpec