feat: support setting real ip (#20)

spacewander · web-flow · commit c6d5fcf162f4 · 2021-08-11T08:17:40.000+08:00
diff --git a/lib/resty/apisix/client.lua b/lib/resty/apisix/client.lua
@@ -3,6 +3,7 @@ local base = require("resty.core.base")
 local get_request = base.get_request
 local C = ffi.C
 local NGX_ERROR = ngx.ERROR
+local NGX_OK = ngx.OK
 
 
 base.allows_subsystem("http")
@@ -11,8 +12,14 @@ base.allows_subsystem("http")
 ffi.cdef([[
 typedef intptr_t        ngx_int_t;
 typedef uintptr_t       off_t;
+typedef unsigned char   u_char;
+
 ngx_int_t
 ngx_http_apisix_client_set_max_body_size(ngx_http_request_t *r, off_t bytes);
+
+ngx_int_t
+ngx_http_apisix_set_real_ip(ngx_http_request_t *r, const u_char *text, size_t len,
+                            unsigned int port);
 ]])
 local _M = {}
 
@@ -28,4 +35,20 @@ function _M.set_client_max_body_size(bytes)
 end
 
 
+function _M.set_real_ip(ip, port)
+    -- APISIX will ensure the IP and port are valid
+    if not port then
+        port = 0
+    end
+
+    local r = get_request()
+    local rc = C.ngx_http_apisix_set_real_ip(r, ip, #ip, port)
+    if rc ~= NGX_OK then
+        return nil, "error while setting real ip, rc: " .. tonumber(rc)
+    end
+
+    return true
+end
+
+
 return _M
diff --git a/patch/1.19.3/nginx-real_ip.patch b/patch/1.19.3/nginx-real_ip.patch
@@ -0,0 +1,52 @@
+diff --git auto/modules auto/modules
+index f1c63f3..a71f9d7 100644
+--- auto/modules
++++ auto/modules
+@@ -578,7 +578,7 @@ if [ $HTTP = YES ]; then
+ 
+         ngx_module_name=ngx_http_realip_module
+         ngx_module_incs=
+-        ngx_module_deps=
++        ngx_module_deps=src/http/modules/ngx_http_realip_module.h
+         ngx_module_srcs=src/http/modules/ngx_http_realip_module.c
+         ngx_module_libs=
+         ngx_module_link=$HTTP_REALIP
+diff --git src/http/modules/ngx_http_realip_module.c src/http/modules/ngx_http_realip_module.c
+index 9586ebe..05a40ea 100644
+--- src/http/modules/ngx_http_realip_module.c
++++ src/http/modules/ngx_http_realip_module.c
+@@ -311,6 +311,15 @@ ngx_http_realip_cleanup(void *data)
+ }
+ 
+ 
++#if (NGX_HTTP_APISIX)
++ngx_int_t
++ngx_http_realip_set_real_addr(ngx_http_request_t *r, ngx_addr_t *addr)
++{
++    return ngx_http_realip_set_addr(r, addr);
++}
++#endif
++
++
+ static char *
+ ngx_http_realip_from(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+ {
+diff --git src/http/modules/ngx_http_realip_module.h src/http/modules/ngx_http_realip_module.h
+new file mode 100644
+index 0000000..8593c4b
+--- /dev/null
++++ src/http/modules/ngx_http_realip_module.h
+@@ -0,0 +1,13 @@
++#ifndef _NGX_HTTP_REALIP_H_INCLUDED_
++#define _NGX_HTTP_REALIP_H_INCLUDED_
++
++
++#include <ngx_config.h>
++#include <ngx_core.h>
++#include <ngx_http.h>
++
++
++ngx_int_t ngx_http_realip_set_real_addr(ngx_http_request_t *r, ngx_addr_t *addr);
++
++
++#endif /* _NGX_HTTP_REALIP_H_INCLUDED_ */
diff --git a/src/ngx_http_apisix_module.c b/src/ngx_http_apisix_module.c
@@ -1,9 +1,17 @@
 #include <ngx_config.h>
 #include <ngx_core.h>
 #include <ngx_http.h>
+#include <ngx_http.h>
+#include <ngx_http_realip_module.h>
 #include "ngx_http_apisix_module.h"
 
 
+static ngx_str_t remote_addr = ngx_string("remote_addr");
+static ngx_str_t remote_port = ngx_string("remote_port");
+static ngx_str_t realip_remote_addr = ngx_string("realip_remote_addr");
+static ngx_str_t realip_remote_port = ngx_string("realip_remote_port");
+
+
 static void *ngx_http_apisix_create_loc_conf(ngx_conf_t *cf);
 static char *ngx_http_apisix_merge_loc_conf(ngx_conf_t *cf, void *parent,
     void *child);
@@ -409,3 +417,59 @@ ngx_http_apisix_set_gzip(ngx_http_request_t *r, ngx_int_t num, size_t size,
     ctx->gzip = gzip;
     return NGX_OK;
 }
+
+
+ngx_int_t
+ngx_http_apisix_flush_var(ngx_http_request_t *r, ngx_str_t *name)
+{
+    ngx_uint_t                  hash;
+    ngx_http_variable_t        *v;
+    ngx_http_variable_value_t  *vv;
+    ngx_http_core_main_conf_t  *cmcf;
+
+    hash = ngx_hash_key(name->data, name->len);
+
+    cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module);
+
+    v = ngx_hash_find(&cmcf->variables_hash, hash, name->data, name->len);
+
+    if (v) {
+        vv = &r->variables[v->index];
+        vv->valid = 0;
+
+        return NGX_OK;
+    }
+
+    return NGX_DECLINED;
+}
+
+
+ngx_int_t
+ngx_http_apisix_set_real_ip(ngx_http_request_t *r, const u_char *text, size_t len,
+                            unsigned int port)
+{
+    ngx_int_t           rc;
+    ngx_addr_t          addr;
+
+    rc = ngx_parse_addr(r->connection->pool, &addr, (u_char *) text, len);
+    if (rc != NGX_OK) {
+        return rc;
+    }
+
+    if (port == 0) {
+        port = ngx_inet_get_port(r->connection->sockaddr);
+    }
+    ngx_inet_set_port(addr.sockaddr, (in_port_t) port);
+
+    rc = ngx_http_realip_set_real_addr(r, &addr);
+    if (rc != NGX_DECLINED) {
+        return rc;
+    }
+
+    ngx_http_apisix_flush_var(r, &remote_addr);
+    ngx_http_apisix_flush_var(r, &remote_port);
+    ngx_http_apisix_flush_var(r, &realip_remote_addr);
+    ngx_http_apisix_flush_var(r, &realip_remote_port);
+
+    return NGX_OK;
+}
diff --git a/t/client_max_body_size.t b/t/client_max_body_size.t
diff --git a/t/real_ip.t b/t/real_ip.t
@@ -0,0 +1,160 @@
+use t::APISIX_NGINX 'no_plan';
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: set real ip
+--- config
+    location /t {
+        content_by_lua_block {
+            local client = require("resty.apisix.client")
+            assert(client.set_real_ip("127.0.0.2"))
+            ngx.say(ngx.var.remote_addr)
+            ngx.say(ngx.var.remote_port == ngx.var.realip_remote_port)
+            ngx.say(ngx.var.realip_remote_addr)
+        }
+    }
+--- response_body
+127.0.0.2
+true
+127.0.0.1
+
+
+
+=== TEST 2: set real ip & port
+--- config
+    location /t {
+        content_by_lua_block {
+            local client = require("resty.apisix.client")
+            assert(client.set_real_ip("172.1.1.2", 1289))
+            ngx.say(ngx.var.remote_addr)
+            ngx.say(ngx.var.remote_port == "1289")
+            ngx.say(ngx.var.realip_remote_addr)
+        }
+    }
+--- response_body
+172.1.1.2
+true
+127.0.0.1
+
+
+
+=== TEST 3: IPv6
+--- config
+    location /t {
+        content_by_lua_block {
+            local client = require("resty.apisix.client")
+            assert(client.set_real_ip("1::2"))
+            ngx.say(ngx.var.remote_addr)
+            ngx.say(ngx.var.remote_port == ngx.var.realip_remote_port)
+        }
+    }
+--- response_body
+1::2
+true
+
+
+
+=== TEST 4: call twice
+--- http_config
+    log_format log '$realip_remote_addr:$realip_remote_port $remote_addr:$remote_port';
+--- config
+    access_log logs/access.log log;
+    location /t {
+        access_by_lua_block {
+            local client = require("resty.apisix.client")
+            assert(client.set_real_ip("172.1.2.3", 1234))
+        }
+        content_by_lua_block {
+            local client = require("resty.apisix.client")
+            ngx.say(ngx.var.remote_addr)
+            ngx.say(ngx.var.realip_remote_addr)
+            ngx.say(ngx.var.remote_port)
+            assert(client.set_real_ip("172.1.1.2", 12890))
+            ngx.say(ngx.var.remote_addr)
+            ngx.say(ngx.var.remote_port)
+            ngx.say(ngx.var.realip_remote_addr)
+            ngx.say(ngx.var.realip_remote_port)
+        }
+    }
+--- response_body
+172.1.2.3
+127.0.0.1
+1234
+172.1.1.2
+12890
+172.1.2.3
+1234
+--- access_log
+172.1.2.3:1234 172.1.1.2:12890
+
+
+
+=== TEST 5: use with realip module
+--- http_config
+    log_format log '$realip_remote_addr:$realip_remote_port $remote_addr:$remote_port';
+--- config
+    access_log logs/access.log log;
+    set_real_ip_from 0.0.0.0/0;
+    real_ip_header X-Forwarded-For;
+    location /t {
+        content_by_lua_block {
+            local client = require("resty.apisix.client")
+            ngx.say(ngx.var.remote_addr)
+            ngx.say(ngx.var.realip_remote_addr)
+            ngx.say(ngx.var.remote_port)
+            assert(client.set_real_ip("172.1.1.2", 12890))
+            ngx.say(ngx.var.remote_addr)
+            ngx.say(ngx.var.remote_port)
+            ngx.say(ngx.var.realip_remote_addr)
+            ngx.say(ngx.var.realip_remote_port)
+        }
+    }
+--- more_headers
+X-Forwarded-For: 172.1.2.3:1234
+--- response_body
+172.1.2.3
+127.0.0.1
+1234
+172.1.1.2
+12890
+172.1.2.3
+1234
+--- access_log
+172.1.2.3:1234 172.1.1.2:12890
+
+
+
+=== TEST 6: use with realip module, no port
+--- http_config
+    log_format log '$realip_remote_addr:$realip_remote_port $remote_addr:$remote_port';
+--- config
+    access_log logs/access.log log;
+    set_real_ip_from 0.0.0.0/0;
+    real_ip_header X-Forwarded-For;
+    location /t {
+        content_by_lua_block {
+            local client = require("resty.apisix.client")
+            ngx.say(ngx.var.remote_addr)
+            ngx.say(ngx.var.realip_remote_addr)
+            ngx.say(ngx.var.remote_port)
+            assert(client.set_real_ip("172.1.1.2", 12890))
+            ngx.say(ngx.var.remote_addr)
+            ngx.say(ngx.var.remote_port)
+            ngx.say(ngx.var.realip_remote_port)
+            ngx.say(ngx.var.realip_remote_addr)
+        }
+    }
+--- more_headers
+X-Forwarded-For: 172.1.2.3
+--- response_body
+172.1.2.3
+127.0.0.1
+
+172.1.1.2
+12890
+
+172.1.2.3
+--- access_log
+172.1.2.3: 172.1.1.2:12890
