updates based on reviews

Author: salonichf5

config/crd/bases/gateway.nginx.org_nginxproxies.yaml

@@ -95,8 +95,8 @@ spec:
                       If a request comes from a trusted address, NGINX will rewrite the client IP information,
                       and forward it to the backend in the X-Forwarded-For* and X-Real-IP headers.
                       If the request does not come from a trusted address, NGINX will not rewrite the client IP information.
-                      Addresses must be provided as CIDR blocks or IP address: 10.0.0.0, 192.33.21/24, fe80::1/128.
-                      To trust all addresses (not recommended), set to 0.0.0.0/0.
+                      Addresses must be provided as CIDR blocks or IP addresses: 10.0.0.0, 192.33.21/24, fe80::1/128.
+                      To trust all addresses (not recommended for production), set to 0.0.0.0/0.
                       If no addresses are provided, NGINX will not rewrite the client IP information.
                       Sets NGINX directive set_real_ip_from: https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
                       This field is required if mode is set.

deploy/crds.yaml

@@ -680,8 +680,8 @@ spec:
                       If a request comes from a trusted address, NGINX will rewrite the client IP information,
                       and forward it to the backend in the X-Forwarded-For* and X-Real-IP headers.
                       If the request does not come from a trusted address, NGINX will not rewrite the client IP information.
-                      Addresses must be provided as CIDR blocks or IP address: 10.0.0.0, 192.33.21/24, fe80::1/128.
-                      To trust all addresses (not recommended), set to 0.0.0.0/0.
+                      Addresses must be provided as CIDR blocks or IP addresses: 10.0.0.0, 192.33.21/24, fe80::1/128.
+                      To trust all addresses (not recommended for production), set to 0.0.0.0/0.
                       If no addresses are provided, NGINX will not rewrite the client IP information.
                       Sets NGINX directive set_real_ip_from: https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
                       This field is required if mode is set.

internal/mode/static/nginx/config/servers.go

@@ -830,23 +830,25 @@ func generateProxySetHeaders(filters *dataplane.HTTPFilters, grpc bool) []http.H
 }
 
 func setHeaderForHTTPSRedirect(filters *dataplane.HTTPFilters, headers []http.Header) {
-	if filters != nil {
-		if filters.RequestURLRewrite != nil && filters.RequestURLRewrite.Hostname != nil {
-			for i, header := range headers {
-				if header.Name == "Host" {
-					headers[i].Value = *filters.RequestURLRewrite.Hostname
-					break
-				}
+	if filters == nil {
+		return
+	}
+
+	if filters.RequestURLRewrite != nil && filters.RequestURLRewrite.Hostname != nil {
+		for i, header := range headers {
+			if header.Name == "Host" {
+				headers[i].Value = *filters.RequestURLRewrite.Hostname
+				break
 			}
 		}
-		if filters.RequestRedirect != nil &&
-			filters.RequestRedirect.Scheme != nil &&
-			*filters.RequestRedirect.Scheme == http.HTTPSScheme {
-			for i, header := range headers {
-				if header.Name == "X-Forwarded-Proto" {
-					headers[i].Value = http.HTTPSScheme
-					return
-				}
+	}
+	if filters.RequestRedirect != nil &&
+		filters.RequestRedirect.Scheme != nil &&
+		*filters.RequestRedirect.Scheme == http.HTTPSScheme {
+		for i, header := range headers {
+			if header.Name == "X-Forwarded-Proto" {
+				headers[i].Value = http.HTTPSScheme
+				return
 			}
 		}
 	}

internal/mode/static/nginx/config/servers_test.go

@@ -342,6 +342,7 @@ func TestExecuteServers_RewriteClientIP(t *testing.T) {
 				"listen [::]:8080 proxy_protocol;":                         1,
 				"listen [::]:8443 ssl default_server proxy_protocol;":      1,
 				"listen [::]:8443 ssl proxy_protocol;":                     1,
+				"real_ip_recursive on;":                                    0,
 			},
 		},
 		{

internal/mode/static/nginx/config/stream_servers.go

@@ -67,6 +67,7 @@ func createStreamServers(conf dataplane.Configuration) []stream.Server {
 
 		portSet[server.Port] = struct{}{}
 
+		// we do not evaluate rewriteClientIP settings for non-socket stream servers
 		streamServer := stream.Server{
 			Listen:     fmt.Sprint(server.Port),
 			StatusZone: server.Hostname,

internal/mode/static/state/dataplane/configuration.go

@@ -863,8 +863,8 @@ func buildBaseHTTPConfig(g *graph.Graph) BaseHTTPConfig {
 		}
 
 		if len(g.NginxProxy.Source.Spec.RewriteClientIP.TrustedAddresses) > 0 {
-			trustedAddresses := convertTrustedAddresses(g)
-			baseConfig.RewriteClientIPSettings.TrustedAddresses = convertTrustedAddresses(g)
+			trustedAddresses := convertTrustedAddresses(g.NginxProxy.Source.Spec.RewriteClientIP.TrustedAddresses)
+			baseConfig.RewriteClientIPSettings.TrustedAddresses = trustedAddresses
 		}
 
 		if g.NginxProxy.Source.Spec.RewriteClientIP.SetIPRecursively != nil {
@@ -893,9 +893,9 @@ func buildPolicies(graphPolicies []*graph.Policy) []policies.Policy {
 	return finalPolicies
 }
 
-func convertTrustedAddresses(g *graph.Graph) []string {
-	trustedAddresses := make([]string, len(g.NginxProxy.Source.Spec.RewriteClientIP.TrustedAddresses))
-	for i, addr := range g.NginxProxy.Source.Spec.RewriteClientIP.TrustedAddresses {
+func convertTrustedAddresses(addresses []ngfAPI.TrustedAddress) []string {
+	trustedAddresses := make([]string, len(addresses))
+	for i, addr := range addresses {
 		trustedAddresses[i] = string(addr)
 	}
 	return trustedAddresses

site/content/how-to/monitoring/troubleshooting.md

@@ -465,7 +465,7 @@ If you check your _nginx_ container logs and see the following error:
 
 It indicates that `proxy_protocol` is enabled for the gateway listeners, but the request sent to the application endpoint does not contain proxy information. To **resolve** this, you can do one of the following:
 
-- Disable field [`rewriteClientIP.mode`](({{< relref "reference/api.md" >}})) in the NginxProxy configuration.
+- Unassign the field [`rewriteClientIP.mode`](({{< relref "reference/api.md" >}})) in the NginxProxy configuration.
 
 - Send valid proxy information with requests being handled by your application.
 

site/content/reference/api.md

@@ -1112,8 +1112,8 @@ Sets NGINX directive real_ip_recursive: <a href="https://nginx.org/en/docs/http/
 If a request comes from a trusted address, NGINX will rewrite the client IP information,
 and forward it to the backend in the X-Forwarded-For* and X-Real-IP headers.
 If the request does not come from a trusted address, NGINX will not rewrite the client IP information.
-Addresses must be provided as CIDR blocks or IP address: 10.0.0.0, 192.33.<sup>21</sup>&frasl;<sub>24</sub>, fe80::<sup>1</sup>&frasl;<sub>128</sub>.
-To trust all addresses (not recommended), set to 0.0.0.0/0.
+Addresses must be provided as CIDR blocks or IP addresses: 10.0.0.0, 192.33.<sup>21</sup>&frasl;<sub>24</sub>, fe80::<sup>1</sup>&frasl;<sub>128</sub>.
+To trust all addresses (not recommended for production), set to 0.0.0.0/0.
 If no addresses are provided, NGINX will not rewrite the client IP information.
 Sets NGINX directive set_real_ip_from: <a href="https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from">https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from</a>
 This field is required if mode is set.</p>
@@ -1141,7 +1141,7 @@ This field is required if mode is set.</p>
 <tbody><tr><td><p>&#34;ProxyProtocol&#34;</p></td>
 <td><p>RewriteClientIPModeProxyProtocol configures NGINX to accept PROXY protocol and
 set the client&rsquo;s IP address to the IP address in the PROXY protocol header.
-Sets the proxy_protocol parameter to the listen directive on all servers, and sets real_ip_header
+Sets the proxy_protocol parameter on the listen directive of all servers and sets real_ip_header
 to proxy_protocol: <a href="https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header">https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header</a>.</p>
 </td>
 </tr><tr><td><p>&#34;XForwardedFor&#34;</p></td>