From db62b557c1b00af3be7412c525a8ab6f95c7e168 Mon Sep 17 00:00:00 2001 From: "vichao.s" Date: Fri, 14 Nov 2025 16:54:46 +0700 Subject: [PATCH 1/3] feat: add configurable real_ip_header option for nginx - Add apisix.nginx.realIpHeader configuration in values.yaml - Update configmap.yaml template to use configurable value - Default to X-Real-IP for backward compatibility This allows users to customize which header nginx uses to extract the real client IP address, supporting various load balancer and proxy configurations (e.g., X-Forwarded-For, CF-Connecting-IP). --- charts/apisix/templates/configmap.yaml | 2 +- charts/apisix/values.yaml | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/charts/apisix/templates/configmap.yaml b/charts/apisix/templates/configmap.yaml index 18e3ad4d..cb43e993 100644 --- a/charts/apisix/templates/configmap.yaml +++ b/charts/apisix/templates/configmap.yaml @@ -202,7 +202,7 @@ data: client_body_timeout: 60s # timeout for reading client request body, then 408 (Request Time-out) error is returned to the client send_timeout: 10s # timeout for transmitting a response to the client.then the connection is closed underscores_in_headers: "on" # default enables the use of underscores in client request header fields - real_ip_header: "X-Real-IP" # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header + real_ip_header: {{ .Values.apisix.nginx.realIpHeader | quote }} # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header real_ip_from: # http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from - 127.0.0.1 - 'unix:' diff --git a/charts/apisix/values.yaml b/charts/apisix/values.yaml index d4140f4c..b8b936d7 100644 --- a/charts/apisix/values.yaml +++ b/charts/apisix/values.yaml @@ -418,6 +418,9 @@ apisix: enableCPUAffinity: true # -- Timeout during which a keep-alive client connection will stay open on the server side. keepaliveTimeout: 60s + # -- The name of the header from which to extract the real client IP address + # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header + realIpHeader: "X-Real-IP" envs: [] # access log and error log configuration logs: From 0ae4c0651b9e9eb50f62517ccf6f2979839ed34f Mon Sep 17 00:00:00 2001 From: "vichao.s" Date: Mon, 1 Dec 2025 10:58:44 +0700 Subject: [PATCH 2/3] feat: add realIpFrom configuration for trusted addresses in nginx --- charts/apisix/templates/configmap.yaml | 4 ++++ charts/apisix/values.yaml | 5 +++++ 2 files changed, 9 insertions(+) diff --git a/charts/apisix/templates/configmap.yaml b/charts/apisix/templates/configmap.yaml index 25970aaa..0b4546f2 100644 --- a/charts/apisix/templates/configmap.yaml +++ b/charts/apisix/templates/configmap.yaml @@ -209,8 +209,12 @@ data: underscores_in_headers: "on" # default enables the use of underscores in client request header fields real_ip_header: {{ .Values.apisix.nginx.realIpHeader | quote }} # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header real_ip_from: # http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from + {{- if .Values.apisix.nginx.realIpFrom }} + {{- toYaml .Values.apisix.nginx.realIpFrom | nindent 10 }} + {{- else }} - 127.0.0.1 - 'unix:' + {{- end }} {{- if .Values.apisix.nginx.customLuaSharedDicts }} custom_lua_shared_dict: # add custom shared cache to nginx.conf {{- range $dict := .Values.apisix.nginx.customLuaSharedDicts }} diff --git a/charts/apisix/values.yaml b/charts/apisix/values.yaml index a77c69fd..d67907c6 100644 --- a/charts/apisix/values.yaml +++ b/charts/apisix/values.yaml @@ -421,6 +421,11 @@ apisix: # -- The name of the header from which to extract the real client IP address # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header realIpHeader: "X-Real-IP" + # -- Defines trusted addresses that are known to send correct replacement addresses. + # http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from + realIpFrom: + - 127.0.0.1 + - 'unix:' envs: [] # access log and error log configuration logs: From fcfd53a12d4498a21433c818515853afbfd54918 Mon Sep 17 00:00:00 2001 From: "vichao.s" Date: Mon, 1 Dec 2025 11:08:09 +0700 Subject: [PATCH 3/3] feat: Update README.md via helm-docs --- charts/apisix/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/apisix/README.md b/charts/apisix/README.md index 225e0ca3..04011722 100644 --- a/charts/apisix/README.md +++ b/charts/apisix/README.md @@ -105,6 +105,8 @@ The command removes all the Kubernetes components associated with the chart and | apisix.nginx.logs.errorLog | string | `"/dev/stderr"` | Error log path | | apisix.nginx.logs.errorLogLevel | string | `"warn"` | Error log level | | apisix.nginx.luaSharedDicts | list | `[]` | Override default [lua_shared_dict](https://github.com/apache/apisix/blob/master/conf/config.yaml.example#L250-L276) settings, click [here](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/values.yaml#L27-L30) to learn the format of a shared dict | +| apisix.nginx.realIpFrom | list | `["127.0.0.1","unix:"]` | Defines trusted addresses that are known to send correct replacement addresses. http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from | +| apisix.nginx.realIpHeader | string | `"X-Real-IP"` | The name of the header from which to extract the real client IP address http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header | | apisix.nginx.workerConnections | string | `"10620"` | | | apisix.nginx.workerProcesses | string | `"auto"` | | | apisix.nginx.workerRlimitNofile | string | `"20480"` | |