set_real_ip_from (ngx_http_realip_module) should be a list

Question

set_real_ip_from (ngx_http_realip_module) should be a list

Closed this issue 6 months ago · 2 comments

Describe the bug

In the http/modules.j2 template, the realip macro assumes that set_real_ip_from can only ever be a single value. In reality, set_real_ip_from can (and likely often is) be defined multiple times.

To reproduce

Steps to reproduce the behavior:

Define a nginx_config_http_template_enable some like;

nginx_config_http_template_enable:
  - template_file: http/default.conf.j2
    deployment_location: /etc/nginx/conf.d/default.conf
    backup: false
    config:
      realip:
        ## BUG: set_real_ip_from in http/modules.j2 only allows a single value.
        set_real_ip_from:
          - 127.127.127.127/32
          - 10.10.10.10/32
          - 192.192.192.192/32
        real_ip_header: X-Forwarded-For

Deploy the Ansible NGINX configuration role using playbook.yml
Inspect set_real_ip_from value in /etc/nginx/conf.d/default.conf

Expected behavior

set_real_ip_from should allow multiple values like many other config items do.

Your environment

nginxinc.nginx_core 0.8.0
ansible-core 2.14
Jinja 3.1.3
Any deployment platform

Additional context

The macro realip in http/modules.j2 is defined as follows;

{# NGINX HTTP RealIP -- ngx_http_realip_module #}
{% macro realip(realip) %}
{% if realip['set_real_ip_from'] is defined %}
set_real_ip_from {{ realip['set_real_ip_from'] }};
{% endif %}
{% if realip['real_ip_header'] is defined %}
real_ip_header {{ realip['real_ip_header'] }};
{% endif %}
{% if realip['real_ip_recursive'] is defined and realip['real_ip_recursive'] is boolean %}
real_ip_recursive {{ realip['real_ip_recursive'] | ternary('on', 'off') }};
{% endif %}

I think this should be;

{# NGINX HTTP RealIP -- ngx_http_realip_module #}
{% macro realip(realip) %}
{% if realip['set_real_ip_from'] is defined %}
{% for set_real_ip_from in realip['set_real_ip_from'] if realip['set_real_ip_from'] is not string %}
set_real_ip_from {{ set_real_ip_from }};
{% else %}
set_real_ip_from {{ realip['set_real_ip_from'] }};
{% endfor %}
{% endif %}
{% if realip['real_ip_header'] is defined %}
real_ip_header {{ realip['real_ip_header'] }};
{% endif %}
{% if realip['real_ip_recursive'] is defined and realip['real_ip_recursive'] is boolean %}
real_ip_recursive {{ realip['real_ip_recursive'] | ternary('on', 'off') }};
{% endif %}

Answer 1 · 2024-03-20T14:00:35.000Z

You are absolutely right! Could you please open a PR?

Answer 2 · 2025-03-16T11:56:52.000Z

I also recently ran into this. @glbyers I see you have a commit that resolves this -- would you be willing to create a pull request with that commit? Thanks in advance!