fix: ensure ingress-nginx uses the incoming X-Forwarded-For header
Description
Currently, ingress-nginx does not forward the X-Forwarded-For header from the incoming request. Instead, it passes the IP it itself sees to X-Forwarded-For and sends the original values to X-Original-Forwarded-For.
This creates an issue when we are trying to deal with rate limits in Open edX or perhaps just want to use the full IP stack for analytics.
In this MR, we are adding the compute-full-forwarded-for config, which along with the existing use-forwarded-headers makes sure ingress-nginx retains the original values of X-Forwarded-For header and only appends to it.
Doing this is safe as Open edX has in-built checks which ensure that only the right-most IP from X-Forwarded-For is used which would remain unaffected by this change. Also, X-Original-Forwarded-For header is still passed despite this change, which means the "untrusted" IPs can still be identified if so required.
Supporting information
Link to other information about the change, such as GitLab issues, GitHub issues, forum discussions. Be sure to check they are publicly readable, or if not, repeat the information here.
Testing instructions
Steps to test the changes:
- TBD
Dependencies
List the dependencies required for this change, if any. Do not forget to link grove-template merge request here if that's affected by this change.
Screenshots
If applicable, add screenshots to help explain your feature.
Checklist
If any of the items below is not applicable, do not remove them, but put a check in it.
- All providers include the new feature/change
- All affected providers can provision new clusters
- Unit tests are added/updated
- Documentation is added/updated
- The TOOLS_CONTAINER_IMAGE_VERSION in ci_vars.yml is updated
- The grove-template repository is updated
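The header behaviour described above, as an added example that is not part of the original MR and is not ingress-nginx or Open edX code: a simplified Python model of the two modes, showing that the right-most X-Forwarded-For entry is the same with and without compute-full-forwarded-for. The function names and the sample addresses are assumptions made for illustration.

```python
# Simplified model of the header handling described in this MR.
# Hypothetical helper names; this is not ingress-nginx or Open edX code.

def ingress_headers(incoming_xff, peer_ip, compute_full_forwarded_for):
    """Return the forwarding headers the ingress sends upstream.

    incoming_xff: X-Forwarded-For value received on the request (or None).
    peer_ip: the address the ingress itself sees for the connection.
    """
    headers = {}
    if incoming_xff:
        # The untouched incoming value is passed along in both modes.
        headers["X-Original-Forwarded-For"] = incoming_xff
    if compute_full_forwarded_for and incoming_xff:
        # Keep the received chain and append the address the ingress sees.
        headers["X-Forwarded-For"] = f"{incoming_xff}, {peer_ip}"
    else:
        # Behaviour before the change: only the address the ingress sees.
        headers["X-Forwarded-For"] = peer_ip
    return headers


def rightmost_ip(xff):
    """Pick the right-most entry, the one added by the nearest proxy."""
    parts = [part.strip() for part in xff.split(",") if part.strip()]
    return parts[-1]


# Constructed sample request (documentation address ranges): the sender
# supplies its own X-Forwarded-For chain, which the ingress cannot verify.
SAMPLE_INCOMING_XFF = "198.51.100.23, 192.0.2.10"
SAMPLE_PEER_IP = "203.0.113.7"


def compare():
    """Return the upstream headers (before, after) for the sample request."""
    before = ingress_headers(SAMPLE_INCOMING_XFF, SAMPLE_PEER_IP, False)
    after = ingress_headers(SAMPLE_INCOMING_XFF, SAMPLE_PEER_IP, True)
    return before, after


if __name__ == "__main__":
    labels = ("before", "with compute-full-forwarded-for")
    for label, hdrs in zip(labels, compare()):
        print(label, hdrs, "-> right-most:", rightmost_ip(hdrs["X-Forwarded-For"]))
```

Only the right-most entry is written by the ingress itself; everything to its left is whatever the request carried, which is why a consumer that reads only the right-most value sees no difference between the two modes.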