This is an automated email from the ASF dual-hosted git repository.

wenming pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 01a5b80  feature: Add support for PROXY Protocol. (#1113)
01a5b80 is described below

commit 01a5b807b58c889070cc63ccab94c4288b4217b8
Author: agile6v <agil...@agile6v.com>
AuthorDate: Wed Feb 12 10:53:20 2020 +0800

    feature: Add support for PROXY Protocol. (#1113)
---
 README.md        |  1 +
 README_CN.md     |  1 +
 bin/apisix       | 50 +++++++++++++++++++++++++++++++++++++++++++++++++-
 conf/config.yaml | 18 ++++++++++++++----
 4 files changed, 65 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 85a5096..6252827 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,7 @@ A/B testing, canary release, blue-green deployment, limit 
rate, defense against
     - [gRPC proxy](doc/grpc-proxy.md): Proxying gRPC traffic.
     - [gRPC transcoding](doc/plugins/grpc-transcoding.md): Supports protocol 
transcoding so that clients can access your gRPC API by using HTTP/JSON.
     - Proxy Websocket
+    - Proxy Protocol
     - Proxy Dubbo: Dubbo Proxy based on Tengine.
     - HTTP(S) Forward Proxy
     - [SSL](doc/https.md): Dynamically load an SSL certificate.
diff --git a/README_CN.md b/README_CN.md
index b76a5b9..201a41f 100644
--- a/README_CN.md
+++ b/README_CN.md
@@ -58,6 +58,7 @@ A/B 测试、金丝雀发布(灰度发布)、蓝绿部署、限流限速、抵
     - [gRPC 代理](doc/grpc-proxy-cn.md):通过 APISIX 代理 gRPC 连接,并使用 APISIX 
的大部分特性管理你的 gRPC 服务。
     - [gRPC 协议转换](doc/plugins/grpc-transcoding-cn.md):支持协议的转换,这样客户端可以通过 
HTTP/JSON 来访问你的 gRPC API。
     - Websocket 代理
+    - Proxy Protocol
     - Dubbo 代理:基于 Tengine,可以实现 Dubbo 请求的代理。
     - HTTP(S) 反向代理
     - [SSL](doc/https-cn.md):动态加载 SSL 证书。
diff --git a/bin/apisix b/bin/apisix
index db8e97b..d91e163 100755
--- a/bin/apisix
+++ b/bin/apisix
@@ -130,12 +130,16 @@ stream {
 
     server {
         {% for _, port in ipairs(stream_proxy.tcp or {}) do %}
-        listen {*port*} {% if enable_reuseport then %} reuseport {% end %};
+        listen {*port*} {% if enable_reuseport then %} reuseport {% end %} {% 
if proxy_protocol and proxy_protocol.enable_tcp_pp then %} proxy_protocol {% 
end %};
         {% end %}
         {% for _, port in ipairs(stream_proxy.udp or {}) do %}
         listen {*port*} udp {% if enable_reuseport then %} reuseport {% end %};
         {% end %}
 
+        {% if proxy_protocol and proxy_protocol.enable_tcp_pp_to_upstream then 
%}
+        proxy_protocol on;
+        {% end %}
+
         preread_by_lua_block {
             apisix.stream_preread_phase()
         }
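Review bot: The `proxy_protocol` flag added to the TCP `listen` line makes nginx accept a PROXY header from whichever peer connects, and nothing in this hunk restricts which peers may send one. The same holds for the `listen_http_port` and `listen_https_port` listeners added later in the `http` block. The header is unauthenticated, so any client that can reach these ports directly can state an arbitrary source address, which `enable_tcp_pp_to_upstream` may then relay to the upstream. Consider documenting this next to the options in `conf/config.yaml`, e.g. `# the PROXY header is not authenticated: expose these ports only to the trusted proxy in front of APISIX`. The `server` block continues outside the hunk.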
@@ -202,10 +206,23 @@ http {
 
     include mime.types;
 
+    {% if real_ip_header then %}
     real_ip_header {* real_ip_header *};
+    {% print("\nDeprecated: apisix.real_ip_header has been moved to 
nginx_config.http.real_ip_header. apisix.real_ip_header will be removed in the 
future version. Please use nginx_config.http.real_ip_header first.\n\n") %}
+    {% elseif http.real_ip_header then %}
+    real_ip_header {* http.real_ip_header *};
+    {% end %}
+
+    {% if real_ip_from then %}
+    {% print("\nDeprecated: apisix.real_ip_from has been moved to 
nginx_config.http.real_ip_from. apisix.real_ip_from will be removed in the 
future version. Please use nginx_config.http.real_ip_from first.\n\n") %}
     {% for _, real_ip in ipairs(real_ip_from) do %}
     set_real_ip_from {*real_ip*};
     {% end %}
+    {% elseif http.real_ip_from then %}
+    {% for _, real_ip in ipairs(http.real_ip_from) do %}
+    set_real_ip_from {*real_ip*};
+    {% end %}
+    {% end %}
 
     upstream apisix_backend {
         server 0.0.0.1;
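Review bot: When both the deprecated `apisix.real_ip_from` and the new `nginx_config.http.real_ip_from` are set, the `if`/`elseif` order makes the deprecated list win and silently drops the new one; `real_ip_header` behaves the same way. This list decides which peers may override the client address, so an operator who tightens the new key while an older, broader entry remains keeps the broader trust. Consider stating this in the deprecation text, e.g. `apisix.real_ip_from is set and overrides nginx_config.http.real_ip_from`, or preferring the new key when both exist. The `http` block continues outside the hunk.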
@@ -268,6 +285,13 @@ http {
         listen {* ssl.listen_port *} ssl {% if ssl.enable_http2 then %} http2 
{% end %} {% if enable_reuseport then %} reuseport {% end %};
         {% end %}
 
+        {% if proxy_protocol and proxy_protocol.listen_http_port then %}
+        listen {* proxy_protocol.listen_http_port *} proxy_protocol;
+        {% end %}
+        {% if proxy_protocol and proxy_protocol.listen_https_port then %}
+        listen {* proxy_protocol.listen_https_port *} ssl {% if 
ssl.enable_http2 then %} http2 {% end %} proxy_protocol;
+        {% end %}
+
         {% if enable_ipv6 then %}
         listen [::]:{* node_listen *} {% if enable_reuseport then %} reuseport 
{% end %};
         {% if ssl.enable then %}
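Review bot: The `listen_https_port` listener is emitted with `ssl` whenever the port is configured, without consulting `ssl.enable`. The existing SSL `listen` lines around it appear to sit inside `{% if ssl.enable then %}` guards, though the opening of the first guard is outside the hunk, so this is inferred. If certificate setup is also conditional on `ssl.enable`, disabling SSL while setting this port would yield a TLS listener with no usable certificate or a configuration that fails to load. Consider tightening the condition to `{% if ssl.enable and proxy_protocol and proxy_protocol.listen_https_port then %}`.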
@@ -342,6 +366,30 @@ http {
             proxy_set_header   X-Real-IP         $remote_addr;
             proxy_pass_header  Server;
             proxy_pass_header  Date;
+
+            set $var_x_forwarded_for        $remote_addr;
+            set $var_x_forwarded_proto      $scheme;
+            set $var_x_forwarded_host       $host;
+            set $var_x_forwarded_port       $server_port;
+
+            if ($http_x_forwarded_for != "") {
+                set $var_x_forwarded_for "${http_x_forwarded_for}, 
${realip_remote_addr}";
+            }
+            if ($http_x_forwarded_proto != "") {
+                set $var_x_forwarded_proto $http_x_forwarded_proto;
+            }
+            if ($http_x_forwarded_host != "") {
+                set $var_x_forwarded_host $http_x_forwarded_host;
+            }
+            if ($http_x_forwarded_port != "") {
+                set $var_x_forwarded_port $http_x_forwarded_port;
+            }
+
+            proxy_set_header   X-Forwarded-For      $var_x_forwarded_for;
+            proxy_set_header   X-Forwarded-Proto    $var_x_forwarded_proto;
+            proxy_set_header   X-Forwarded-Host     $var_x_forwarded_host;
+            proxy_set_header   X-Forwarded-Port     $var_x_forwarded_port;
+
             proxy_pass         $upstream_scheme://apisix_backend$upstream_uri;
 
             header_filter_by_lua_block {
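Review bot: `X-Forwarded-Proto`, `X-Forwarded-Host` and `X-Forwarded-Port` are copied to the upstream from the incoming request whenever the client sent them, with no check that the peer is one of the `set_real_ip_from` addresses. An upstream that relies on these headers for redirect targets, secure-cookie decisions or access rules would then act on values any direct client can choose. Consider honouring the incoming values only for trusted peers and otherwise keeping the defaults assigned just above (`$scheme`, `$host`, `$server_port`). At minimum, add a comment such as `# X-Forwarded-* values from the client are passed through unverified; upstreams must not treat them as authoritative`. The enclosing `location` starts and ends outside the hunk.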
diff --git a/conf/config.yaml b/conf/config.yaml
index 0e24d5c..9e098d9 100644
--- a/conf/config.yaml
+++ b/conf/config.yaml
@@ -25,14 +25,20 @@ apisix:
   enable_ipv6: true
   config_center: etcd             # etcd: use etcd to store the config value
                                   # yaml: fetch the config value from local 
yaml file `/your_path/conf/apisix.yaml`
+
+  #proxy_protocol:                 # Proxy Protocol configuration
+  #  listen_http_port: 9181        # The port with proxy protocol for http, it 
differs from node_listen and port_admin.
+                                   # This port can only receive http request 
with proxy protocol, but node_listen & port_admin
+                                   # can only receive http request. If you 
enable proxy protocol, you must use this port to
+                                   # receive http request with proxy protocol
+  #  listen_https_port: 9182       # The port with proxy protocol for https
+  #  enable_tcp_pp: true           # Enable the proxy protocol for tcp proxy, 
it works for stream_proxy.tcp option
+  #  enable_tcp_pp_to_upstream: true # Enables the proxy protocol to the 
upstream server
+
   # allow_admin:                  # 
http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
   #   - 127.0.0.0/24              # If we don't set any IP list, then any IP 
access is allowed by default.
   #   - "::/64"
   # port_admin: 9180              # use a separate port
-  real_ip_header: "X-Real-IP"     # 
http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
-  real_ip_from:                   # 
http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
-    - 127.0.0.1
-    - 'unix:'
   router:
     http: 'radixtree_uri'         # radixtree_uri: match route by uri(base on 
radixtree)
                                   # radixtree_host_uri: match route by host + 
uri(base on radixtree)
@@ -70,6 +76,10 @@ nginx_config:                     # config for render the 
template to genarate n
     client_body_timeout: 60s       # timeout for reading client request body, 
then 408 (Request Time-out) error is returned to the client
     send_timeout: 10s              # timeout for transmitting a response to 
the client.then the connection is closed
     underscores_in_headers: "on"   # default enables the use of underscores in 
client request header fields
+    real_ip_header: "X-Real-IP"    # 
http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
+    real_ip_from:                  # 
http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
+      - 127.0.0.1
+      - 'unix:'
 
 etcd:
   host: "http://127.0.0.1:2379";   # etcd address
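Review bot: The relocated `real_ip_header` default needs a comment explaining how it interacts with the new PROXY-protocol ports. With `"X-Real-IP"` and `real_ip_from` limited to `127.0.0.1` and `unix:`, connections on those ports keep the load balancer's address as `$remote_addr`, as far as this diff shows, and the address from the PROXY header is not applied. A suitable comment would be `# set to "proxy_protocol" to take the client address from the PROXY header; real_ip_from must then list only the load balancer addresses`. Keeping `real_ip_from` narrow matters here because every listed peer can override the client address seen by plugins and logs.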
