Make it possible to inject port to SSL and Varnihs proxy

In order to get symfony to use the right docker port: - make it possible to pass it from parent to Varnihs VCL in a trusted way - make it possible to dynamicaly inject port to ssl proxy image (using pear module in this case)
ezsystems · Jan 29, 2018 · 78904a4 · 78904a4
1 parent c524861
commit 78904a4
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 7 deletions.
diff --git a/doc/docker/Dockerfile-nginx-ssl-proxy b/doc/docker/Dockerfile-nginx-ssl-proxy
@@ -1,4 +1,4 @@
-FROM nginx:stable
+FROM nginx:stable-perl
 # Based on: https://github.com/clamorisse/nginx-ssl-container
 
 RUN mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak

diff --git a/doc/docker/entrypoint/ssl-proxy/nginx.conf b/doc/docker/entrypoint/ssl-proxy/nginx.conf
@@ -4,6 +4,10 @@ worker_processes  1;
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
 
+load_module /etc/nginx/modules/ngx_http_perl_module.so;
+
+# To pass in the public facing forward port we want to set
+env X_FORWARD_PORT;
 
 events {
     worker_connections  1024;
@@ -17,6 +21,9 @@ http {
     tcp_nodelay         on;
     keepalive_timeout   15;
 
+    # Get SSL port to use from X_FORWARD_PORT env variable, or fallback to 443
+    perl_set $x_forward_port 'sub { return $ENV{"X_FORWARD_PORT"} || 443; }';
+
     server {
         listen 443 ssl http2;
 
@@ -36,7 +43,7 @@ http {
             proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header X-Forwarded-Host  $host;
-            proxy_set_header X-Forwarded-Port  443;
+            proxy_set_header X-Forwarded-Port  $x_forward_port;
             proxy_set_header Host              $host;
 
             proxy_pass http://varnish:80;

diff --git a/doc/docker/entrypoint/varnish/parameters.vcl b/doc/docker/entrypoint/varnish/parameters.vcl
@@ -16,3 +16,8 @@ acl debuggers {
     "127.0.0.1";
     "172.16.0.0"/20;
 }
+
+// ACL for trusted proxies IP
+acl proxies {
+    "ssl";
+}
diff --git a/doc/docker/varnish.yml b/doc/docker/varnish.yml
@@ -35,6 +35,8 @@ services:
       dockerfile: Dockerfile-nginx-ssl-proxy
     ports:
      - "8443:443"
+    environment:
+     - X_FORWARD_PORT=8443
     depends_on:
      - varnish
     networks:

diff --git a/doc/varnish/vcl/parameters.vcl b/doc/varnish/vcl/parameters.vcl
@@ -19,3 +19,8 @@ acl debuggers {
     "127.0.0.1";
     "192.168.0.0"/16;
 }
+
+// ACL for trusted proxies IP
+acl proxies {
+    "127.0.0.1";
+}
diff --git a/doc/varnish/vcl/varnish4_xkey.vcl b/doc/varnish/vcl/varnish4_xkey.vcl
@@ -30,11 +30,13 @@ sub vcl_recv {
     // To be removed in Symfony 3.3
     unset req.http.Forwarded;
 
-    // Ensure that the Symfony Router generates URLs correctly with Varnish
-    if (req.http.X-Forwarded-Proto == "https" ) {
-        set req.http.X-Forwarded-Port = "443";
-    } else {
-        set req.http.X-Forwarded-Port = "80";
+    // Ensure that the Symfony Router generates URLs correctly with Varnish, if port is not set by trusted proxy already
+    if (! req.http.X-Forwarded-Port || ! client.ip ~ proxies) {
+        if (req.http.X-Forwarded-Proto == "https" ) {
+            set req.http.X-Forwarded-Port = "443";
+        } else {
+            set req.http.X-Forwarded-Port = "80";
+        }
     }
 
     // Trigger cache purge if needed