diff --git a/http/Provision/Config/Nginx/Ssl/server_ssl.tpl.php b/http/Provision/Config/Nginx/Ssl/server_ssl.tpl.php index bcd9550..0ef1e36 100644 --- a/http/Provision/Config/Nginx/Ssl/server_ssl.tpl.php +++ b/http/Provision/Config/Nginx/Ssl/server_ssl.tpl.php @@ -15,11 +15,17 @@ if (!$nginx_has_http2 && $server->nginx_has_http2) { $nginx_has_http2 = $server->nginx_has_http2; } +$nginx_has_realip = drush_get_option('nginx_has_realip'); +if (!$nginx_has_realip && $server->nginx_has_realip) { + $nginx_has_realip = $server->nginx_has_realip; +} + +$ssl_args = "ssl"; if ($nginx_has_http2) { - $ssl_args = "ssl http2"; + $ssl_args .= " http2"; } -else { - $ssl_args = "ssl"; +if ($http_ssl_proxy_type == Provision_Service_http_public::HOSTING_SERVER_PROXY_PROXYPROTOCOL) { + $ssl_args .= " proxy_protocol"; } if ($satellite_mode == 'boa') { @@ -35,11 +41,19 @@ server { listen ; + + real_ip_header X-Forwarded-For; + + real_ip_header proxy_protocol; + server_name _; location / { root /var/www/nginx-default; index index.html index.htm; + Provision_Service_http_public::HOSTING_SERVER_PROXY_NONE): ?> + return 204; + access_log off; return 404; diff --git a/http/Provision/Config/Nginx/Ssl/vhost_ssl.tpl.php b/http/Provision/Config/Nginx/Ssl/vhost_ssl.tpl.php index ccef30c..3ef910c 100644 --- a/http/Provision/Config/Nginx/Ssl/vhost_ssl.tpl.php +++ b/http/Provision/Config/Nginx/Ssl/vhost_ssl.tpl.php @@ -12,13 +12,16 @@ if (!$nginx_has_http2 && $server->nginx_has_http2) { $nginx_has_http2 = $server->nginx_has_http2; } +$nginx_has_realip = drush_get_option('nginx_has_realip'); +if (!$nginx_has_realip && $server->nginx_has_realip) { + $nginx_has_realip = $server->nginx_has_realip; +} + $aegir_root = d('@server_master')->aegir_root; +$ssl_args = "ssl"; if ($nginx_has_http2) { - $ssl_args = "ssl http2"; -} -else { - $ssl_args = "ssl"; + $ssl_args .= " http2"; } if ($satellite_mode == 'boa') { 
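Review bot: The `real_ip_header X-Forwarded-For;` and `real_ip_header proxy_protocol;` lines added to the default SSL server in the second hunk are only accepted by an nginx built with the realip module, and the template tags around them are stripped in this view, so I cannot confirm that the condition also tests `$nginx_has_realip`; the first hunk computes that flag but nothing legible consumes it. If either directive is rendered on a build without the module, the reload fails on an unknown directive and takes the whole server config with it. I would gate each branch on the flag as well as the proxy type, e.g. `<?php if ($nginx_has_realip && $http_ssl_proxy_type == Provision_Service_http_public::HOSTING_SERVER_PROXY_XFORWARDEDFOR): ?>`. The same question applies to the vhost_ssl.tpl.php and vhost_ssl_disabled.tpl.php hunks and to the http-level block in server.tpl.php; the `server {` block here starts before and ends after the hunk.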
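Review bot: In the vhost_ssl.tpl.php hunk `$ssl_args` only gains ` http2`, whereas the server_ssl.tpl.php hunk on this same line also appends ` proxy_protocol` when `$http_ssl_proxy_type` is `HOSTING_SERVER_PROXY_PROXYPROTOCOL`; the vhost_ssl_disabled.tpl.php hunk has the same omission. If `$ssl_args` ends up in the vhost's `listen` directive, the vhost socket is declared without `proxy_protocol` while the later hunks of the same file emit `real_ip_header proxy_protocol;`. nginx merges listen parameters per address:port, so this probably works as long as the default server shares the port, but it relies on that merge instead of stating the intent; I would mirror the default-server logic: `if ($http_ssl_proxy_type == Provision_Service_http_public::HOSTING_SERVER_PROXY_PROXYPROTOCOL) { $ssl_args .= " proxy_protocol"; }`.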
@@ -47,6 +50,11 @@ server { } ?> ssl on; + + real_ip_header X-Forwarded-For; + + real_ip_header proxy_protocol; + ssl_stapling on; ssl_stapling_verify on; @@ -133,6 +141,11 @@ server { } ?>; root root}"; ?>; ssl on; + + real_ip_header X-Forwarded-For; + + real_ip_header proxy_protocol; + ssl_stapling on; ssl_stapling_verify on; diff --git a/http/Provision/Config/Nginx/Ssl/vhost_ssl_disabled.tpl.php b/http/Provision/Config/Nginx/Ssl/vhost_ssl_disabled.tpl.php index b8311b6..23c9728 100644 --- a/http/Provision/Config/Nginx/Ssl/vhost_ssl_disabled.tpl.php +++ b/http/Provision/Config/Nginx/Ssl/vhost_ssl_disabled.tpl.php @@ -12,11 +12,14 @@ if (!$nginx_has_http2 && $server->nginx_has_http2) { $nginx_has_http2 = $server->nginx_has_http2; } -if ($nginx_has_http2) { - $ssl_args = "ssl http2"; +$nginx_has_realip = drush_get_option('nginx_has_realip'); +if (!$nginx_has_realip && $server->nginx_has_realip) { + $nginx_has_realip = $server->nginx_has_realip; } -else { - $ssl_args = "ssl"; + +$ssl_args = "ssl"; +if ($nginx_has_http2) { + $ssl_args .= " http2"; } if ($satellite_mode == 'boa') { @@ -38,6 +41,11 @@ server { return 302 platform->server->web_disable_url . '/' . $this->uri ?>; ssl on; +http_ssl_proxy_type == Provision_Service_http_public::HOSTING_SERVER_PROXY_XFORWARDEDFOR): ?> + real_ip_header X-Forwarded-For; +http_ssl_proxy_type == Provision_Service_http_public::HOSTING_SERVER_PROXY_PROXYPROTOCOL): ?> + real_ip_header proxy_protocol; + ssl_stapling on; ssl_stapling_verify on; diff --git a/http/Provision/Config/Nginx/server.tpl.php b/http/Provision/Config/Nginx/server.tpl.php index ec17484..d35d5cc 100644 --- a/http/Provision/Config/Nginx/server.tpl.php +++ b/http/Provision/Config/Nginx/server.tpl.php 
@@ -35,14 +35,19 @@ if (!$nginx_has_etag && $server->nginx_has_etag) { $nginx_has_etag = $server->nginx_has_etag; } +$nginx_has_gzip = drush_get_option('nginx_has_gzip'); +if (!$nginx_has_gzip && $server->nginx_has_gzip) { + $nginx_has_gzip = $server->nginx_has_gzip; +} + $nginx_has_http2 = drush_get_option('nginx_has_http2'); if (!$nginx_has_http2 && $server->nginx_has_http2) { $nginx_has_http2 = $server->nginx_has_http2; } -$nginx_has_gzip = drush_get_option('nginx_has_gzip'); -if (!$nginx_has_gzip && $server->nginx_has_gzip) { - $nginx_has_gzip = $server->nginx_has_gzip; +$nginx_has_realip = drush_get_option('nginx_has_realip'); +if (!$nginx_has_realip && $server->nginx_has_realip) { + $nginx_has_realip = $server->nginx_has_realip; } $nginx_has_upload_progress = drush_get_option('nginx_has_upload_progress'); @@ -292,12 +297,25 @@ map $args $is_denied { } + +real_ip_header X-Forwarded-For; + +real_ip_header proxy_protocol; + + +set_real_ip_from ; + + ####################################################### ### nginx default server ####################################################### server { - listen *:; + + listen *: proxy_protocol; + + listen *:; + server_name _; location / { @@ -308,6 +326,9 @@ server { add_header X-XSS-Protection "1; mode=block"; root /var/www/nginx-default; index index.html index.htm; + Provision_Service_http_public::HOSTING_SERVER_PROXY_NONE): ?> + return 204; + access_log off; return 404; diff --git a/http/Provision/Service/http/nginx.php b/http/Provision/Service/http/nginx.php index 0711850..35b7e8c 100644 --- a/http/Provision/Service/http/nginx.php +++ b/http/Provision/Service/http/nginx.php 
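Review bot: `set_real_ip_from` in the @@ -292 hunk is rendered from `http_real_ip_from`, whose default in nginx.php and nginx/ssl.php is the empty string, and the template tag in front of it is stripped in this view, so unless that tag guards on a non-empty value the generated config contains `set_real_ip_from ;` and the reload fails. The value is also the trust boundary rather than a formality: every address or range it names may replace `$remote_addr` via the chosen header, and any `allow`/`deny` rule, rate limit or log line downstream then sees the rewritten address, so the property must stay limited to the proxy's own addresses and never be widened to a catch-all range. `set_real_ip_from` accepts one address or CIDR per directive, so a value holding several addresses needs one directive each. Separately, `listen *:... proxy_protocol;` makes nginx require a PROXY header on every connection to that port, so direct connections that bypass the proxy are dropped; proxy type and trusted range have to be configured as a pair. The `server {` block opened in this hunk continues past it.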
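Review bot: The `return 204;` inserted ahead of `access_log off; return 404;` in the @@ -308 hunk turns the catch-all default server into one that answers every unmatched Host with an empty success response whenever the proxy type is not `HOSTING_SERVER_PROXY_NONE` (the surrounding condition is stripped here, so the exact test is inferred from the surviving `HOSTING_SERVER_PROXY_NONE): ?>` fragment). If the purpose is a load-balancer health check, a dedicated `location` for the check path would keep `return 404;` for genuinely unknown hosts, which is what makes misrouted traffic visible in the logs. At minimum the line deserves a comment such as `# Behind a proxy: answer health checks on the default vhost with 204 instead of 404.` so the next reader does not mistake it for an error. The same block is added to the default SSL server in server_ssl.tpl.php, and the `location /` block continues past the hunk.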
@@ -25,13 +25,19 @@ class Provision_Service_http_nginx extends Provision_Service_http_public {
     $this->server->setProperty('nginx_config_mode', 'extended');
     $this->server->setProperty('nginx_is_modern', FALSE);
     $this->server->setProperty('nginx_has_etag', FALSE);
-    $this->server->setProperty('nginx_has_http2', FALSE);
     $this->server->setProperty('nginx_has_gzip', FALSE);
+    $this->server->setProperty('nginx_has_http2', FALSE);
+    $this->server->setProperty('nginx_has_realip', FALSE);
     $this->server->setProperty('nginx_has_upload_progress', FALSE);
     $this->server->setProperty('provision_db_cloaking', TRUE);
     $this->server->setProperty('phpfpm_mode', 'port');
     $this->server->setProperty('subdirs_support', FALSE);
     $this->server->setProperty('satellite_mode', 'vanilla');
+
+    // Reverse proxy config
+    $this->server->setProperty('http_proxy_type', self::HOSTING_SERVER_PROXY_NONE);
+    $this->server->setProperty('http_real_ip_from', '');
+
     if (provision_hosting_feature_enabled('subdirs')) {
       $this->server->subdirs_support = TRUE;
       $this->configs['site'][] = 'Provision_Config_Nginx_Subdir';
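Review bot: The new `// Reverse proxy config` comment above `http_proxy_type` and `http_real_ip_from` says nothing about what the second property may hold, although the server.tpl.php hunk on this page renders it straight into nginx `set_real_ip_from`, where it defines which peers are allowed to rewrite the client address. I would expand the comment to `// Reverse proxy config: http_proxy_type is one of the HOSTING_SERVER_PROXY_* constants (none, X-Forwarded-For, PROXY protocol); http_real_ip_from is the address or CIDR of the trusted proxy and is emitted verbatim into set_real_ip_from, so it must not be wider than the proxy itself.` The same two properties, plus `http_ssl_proxy_type`, are set with the same bare comment in nginx/ssl.php and would take the same wording. The enclosing method starts before the hunk.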
@@ -62,9 +68,10 @@ class Provision_Service_http_nginx extends Provision_Service_http_public {
     $this->server->shell_exec($path . ' -V');
     $this->server->nginx_is_modern = preg_match("/nginx\/1\.((1\.(8|9|(1[0-9]+)))|((2|3|4|5|6|7|8|9|[1-9][0-9]+)\.))/", implode('', drush_shell_exec_output()), $match);
     $this->server->nginx_has_etag = preg_match("/nginx\/1\.([12][0-9]|[3]\.([12][0-9]|[3-9]))/", implode('', drush_shell_exec_output()), $match);
+    $this->server->nginx_has_gzip = preg_match("/http_gzip_static_module/", implode('', drush_shell_exec_output()), $match);
     $this->server->nginx_has_http2 = preg_match("/http_v2_module/", implode('', drush_shell_exec_output()), $match);
+    $this->server->nginx_has_realip = preg_match("/http_realip_module/", implode('', drush_shell_exec_output()), $match);
     $this->server->nginx_has_upload_progress = preg_match("/upload/", implode('', drush_shell_exec_output()), $match);
-    $this->server->nginx_has_gzip = preg_match("/http_gzip_static_module/", implode('', drush_shell_exec_output()), $match);
 
     // Use basic nginx configuration if this control file exists.
     $nginx_config_mode_file = "/etc/nginx/basic_nginx.conf";
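Review bot: The new `nginx_has_realip` detection line is pasted into four copies of the same `nginx -V` parsing block (this hunk, the @@ -118 hunk below, and the @@ -66 and @@ -113 hunks in nginx/ssl.php), so every future capability flag has to be added four times and the copies can drift — this commit already had to touch all four just to move `nginx_has_gzip`. Since each line assigns a `$this->server->nginx_has_*` flag from the same `implode('', drush_shell_exec_output())` string, a helper on Provision_Service_http_public (the nearest ancestor both classes share, per the hunk headings and ssl.php's `extends`) that takes that string once and sets all flags with the unchanged regexes would collapse the four sites to one call each. The enclosing method starts before and ends after the hunk.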
@@ -118,9 +125,10 @@ class Provision_Service_http_nginx extends Provision_Service_http_public {
     $this->server->shell_exec($path . ' -V');
     $this->server->nginx_is_modern = preg_match("/nginx\/1\.((1\.(8|9|(1[0-9]+)))|((2|3|4|5|6|7|8|9|[1-9][0-9]+)\.))/", implode('', drush_shell_exec_output()), $match);
     $this->server->nginx_has_etag = preg_match("/nginx\/1\.([12][0-9]|[3]\.([12][0-9]|[3-9]))/", implode('', drush_shell_exec_output()), $match);
+    $this->server->nginx_has_gzip = preg_match("/http_gzip_static_module/", implode('', drush_shell_exec_output()), $match);
     $this->server->nginx_has_http2 = preg_match("/http_v2_module/", implode('', drush_shell_exec_output()), $match);
+    $this->server->nginx_has_realip = preg_match("/http_realip_module/", implode('', drush_shell_exec_output()), $match);
     $this->server->nginx_has_upload_progress = preg_match("/upload/", implode('', drush_shell_exec_output()), $match);
-    $this->server->nginx_has_gzip = preg_match("/http_gzip_static_module/", implode('', drush_shell_exec_output()), $match);
 
     // Use basic nginx configuration if this control file exists.
     $nginx_config_mode_file = "/etc/nginx/basic_nginx.conf";
diff --git a/http/Provision/Service/http/nginx/ssl.php b/http/Provision/Service/http/nginx/ssl.php
index 23c0646..95296d8 100644
--- a/http/Provision/Service/http/nginx/ssl.php
+++ b/http/Provision/Service/http/nginx/ssl.php
@@ -40,12 +40,18 @@ class Provision_Service_http_nginx_ssl extends Provision_Service_http_ssl {
     $this->server->setProperty('nginx_config_mode', 'extended');
     $this->server->setProperty('nginx_is_modern', FALSE);
     $this->server->setProperty('nginx_has_etag', FALSE);
-    $this->server->setProperty('nginx_has_http2', FALSE);
     $this->server->setProperty('nginx_has_gzip', FALSE);
+    $this->server->setProperty('nginx_has_http2', FALSE);
+    $this->server->setProperty('nginx_has_realip', FALSE);
     $this->server->setProperty('nginx_has_upload_progress', FALSE);
     $this->server->setProperty('provision_db_cloaking', TRUE);
     $this->server->setProperty('phpfpm_mode', 'port');
     $this->server->setProperty('satellite_mode', 'vanilla');
+
+    // Reverse proxy config
+    $this->server->setProperty('http_proxy_type', self::HOSTING_SERVER_PROXY_NONE);
+    $this->server->setProperty('http_ssl_proxy_type', self::HOSTING_SERVER_PROXY_NONE);
+    $this->server->setProperty('http_real_ip_from', '');
   }
 
   function save_server() {
@@ -66,9 +72,10 @@ class Provision_Service_http_nginx_ssl extends Provision_Service_http_ssl {
     $this->server->shell_exec($path . ' -V');
     $this->server->nginx_is_modern = preg_match("/nginx\/1\.((1\.(8|9|(1[0-9]+)))|((2|3|4|5|6|7|8|9|[1-9][0-9]+)\.))/", implode('', drush_shell_exec_output()), $match);
     $this->server->nginx_has_etag = preg_match("/nginx\/1\.([12][0-9]|[3]\.([12][0-9]|[3-9]))/", implode('', drush_shell_exec_output()), $match);
+    $this->server->nginx_has_gzip = preg_match("/http_gzip_static_module/", implode('', drush_shell_exec_output()), $match);
     $this->server->nginx_has_http2 = preg_match("/http_v2_module/", implode('', drush_shell_exec_output()), $match);
+    $this->server->nginx_has_realip = preg_match("/http_realip_module/", implode('', drush_shell_exec_output()), $match);
     $this->server->nginx_has_upload_progress = preg_match("/upload/", implode('', drush_shell_exec_output()), $match);
-    $this->server->nginx_has_gzip = preg_match("/http_gzip_static_module/", implode('', drush_shell_exec_output()), $match);
 
     // Use basic nginx configuration if this control file exists.
     $nginx_config_mode_file = "/etc/nginx/basic_nginx.conf";
@@ -113,9 +120,10 @@ class Provision_Service_http_nginx_ssl extends Provision_Service_http_ssl {
     $this->server->shell_exec($path . ' -V');
     $this->server->nginx_is_modern = preg_match("/nginx\/1\.((1\.(8|9|(1[0-9]+)))|((2|3|4|5|6|7|8|9|[1-9][0-9]+)\.))/", implode('', drush_shell_exec_output()), $match);
     $this->server->nginx_has_etag = preg_match("/nginx\/1\.([12][0-9]|[3]\.([12][0-9]|[3-9]))/", implode('', drush_shell_exec_output()), $match);
+    $this->server->nginx_has_gzip = preg_match("/http_gzip_static_module/", implode('', drush_shell_exec_output()), $match);
     $this->server->nginx_has_http2 = preg_match("/http_v2_module/", implode('', drush_shell_exec_output()), $match);
+    $this->server->nginx_has_realip = preg_match("/http_realip_module/", implode('', drush_shell_exec_output()), $match);
     $this->server->nginx_has_upload_progress = preg_match("/upload/", implode('', drush_shell_exec_output()), $match);
-    $this->server->nginx_has_gzip = preg_match("/http_gzip_static_module/", implode('', drush_shell_exec_output()), $match);
 
     // Use basic nginx configuration if this control file exists.
     $nginx_config_mode_file = "/etc/nginx/basic_nginx.conf";
diff --git a/http/Provision/Service/http/public.php b/http/Provision/Service/http/public.php
index d35a361..79e3b1f 100644
--- a/http/Provision/Service/http/public.php
+++ b/http/Provision/Service/http/public.php
@@ -2,6 +2,21 @@
 
 // Public http service , as in non-encrypted and listening on a port.
 class Provision_Service_http_public extends Provision_Service_http {
+  /**
+   * This server is not behind a proxy
+   */
+  const HOSTING_SERVER_PROXY_NONE = 0;
+
+  /**
+   * This server is behind a proxy using the X-Forwarded-For header
+   */
+  const HOSTING_SERVER_PROXY_XFORWARDEDFOR = 1;
+
+  /**
+   * This server is behind a proxy using the PROXY protocol
+   */
+  const HOSTING_SERVER_PROXY_PROXYPROTOCOL = 2;
+
   protected $has_port = TRUE;
 
   function default_port() {
@@ -19,6 +34,8 @@ class Provision_Service_http_public extends Provision_Service_http {
     }
 
     $data['http_port'] = $this->server->http_port;
+    $data['http_proxy_type'] = $this->server->http_proxy_type;
+    $data['http_real_ip_from'] = $this->server->http_real_ip_from;
 
     // TODO: move away from drush_get_context entirely.
     if ($config == 'site') {
diff --git a/http/Provision/Service/http/ssl.php b/http/Provision/Service/http/ssl.php
index 581c04d..85a9f14 100644
--- a/http/Provision/Service/http/ssl.php
+++ b/http/Provision/Service/http/ssl.php
@@ -47,6 +47,7 @@ class Provision_Service_http_ssl extends Provision_Service_http_public {
   function config_data($config = NULL, $class = NULL) {
     $data = parent::config_data($config, $class);
     $data['http_ssl_port'] = $this->server->http_ssl_port;
+    $data['http_ssl_proxy_type'] = $this->server->http_ssl_proxy_type;
 
     if ($config == 'server') {
       // Generate a certificate for the default SSL vhost, and retrieve the
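Review bot: `config_data` now reads `$this->server->http_proxy_type` and `$this->server->http_real_ip_from` for every service derived from Provision_Service_http_public, but on this page only the nginx services declare those properties (the `setProperty` calls in nginx.php and nginx/ssl.php); the ssl.php hunk does the same with `http_ssl_proxy_type`, which only nginx/ssl.php sets. For a server whose http service is another implementation the outcome depends on how the server context treats an undeclared property, which is not visible here, and the templates then compare whatever comes back against the `HOSTING_SERVER_PROXY_*` constants. Declaring the three defaults where the values are consumed — alongside the other server properties of Provision_Service_http_public and Provision_Service_http_ssl — rather than only in the nginx subclasses would make `config_data` independent of the subclass. The enclosing `config_data` method in public.php starts before and ends after the hunk.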