feat(vars): add $kong_client_addr variable #118
Add a new nginx variable $kong_client_addr that returns the effective client IP address by considering the PROXY protocol header.

The logic mirrors the existing Lua implementation:

- If proxy_protocol_addr is set and differs from remote_addr, and remote_addr is trusted per set_real_ip_from, return proxy_protocol_addr
- Otherwise return remote_addr

The trusted CIDR list is read from the http_realip module's loc conf by casting the first field (ngx_array_t *from) directly, avoiding the need to replicate the ngx_http_realip_loc_conf_t struct definition.

The variable is guarded by #if (NGX_REALIP) and is included in the default indexed variable set when --with-http_realip_module is compiled.

- src/ngx_http_lua_kong_vars.c: implement handler
- src/ngx_http_lua_kong_var_index.c: add to default indexed vars
- README.md: document the new variable
- t/013-realip-remote-addr.t: add tests for all branch conditions

FTI-7344

Signed-off-by: Walker Zhao <walker.zhao@konghq.com>
Pull request overview
This PR adds a new Nginx variable, $kong_client_addr, to expose the effective client IP address when PROXY protocol is in use, aligning with Kong’s existing behavior around trusted proxy IPs (set_real_ip_from) and remote_addr.
Changes:
- Implement $kong_client_addr variable handler in the Kong Nginx module (guarded by NGX_HTTP_REALIP).
- Add $kong_client_addr to the default indexed variables when --with-http_realip_module is enabled.
- Document the new variable and add a Test::Nginx suite covering the main branch conditions.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| src/ngx_http_lua_kong_vars.c | Adds the $kong_client_addr variable implementation and registers it under NGX_HTTP_REALIP. |
| src/ngx_http_lua_kong_var_index.c | Includes kong_client_addr in the default indexed variable list when realip is compiled in. |
| README.md | Documents $kong_client_addr and adds it to the TOC / indexed variable list. |
| t/013-realip-remote-addr.t | Adds tests intended to validate the new variable behavior across key cases. |
|
|
||
| repeat_each(2); | ||
|
|
||
| plan tests => repeat_each() * (blocks() * 5); |
The test plan counts 5 assertions per block, but each block currently only defines response_body (1) and no_error_log with 3 patterns (3) = 4 assertions. This will fail with a plan mismatch. Either add --- error_code: 200 to each test block (matching other tests in this repo) or change the plan multiplier from * 5 to * 4.
| plan tests => repeat_each() * (blocks() * 5); | |
| plan tests => repeat_each() * (blocks() * 4); |
| server { | ||
| listen 1985 proxy_protocol; | ||
| set_real_ip_from 127.0.0.1; |
This test server binds to a hard-coded port (1985) and all interfaces. Other tests in this repo use $TEST_NGINX_RAND_PORT_* to avoid port collisions (e.g., t/011-upstream.t:49). Consider switching this listen to 127.0.0.1:$TEST_NGINX_RAND_PORT_1 (or similar) and update the cosocket connect()/PROXY line to use the same port.
| server { | ||
| listen 1985 proxy_protocol; | ||
| set_real_ip_from 127.0.0.1; |
This test server binds to a hard-coded port (1985) and all interfaces. Other tests in this repo use $TEST_NGINX_RAND_PORT_* to avoid port collisions (e.g., t/011-upstream.t:49). Consider switching this listen to 127.0.0.1:$TEST_NGINX_RAND_PORT_1 (or similar) and update the cosocket connect()/PROXY line to use the same port.
| server { | ||
| listen 1985 proxy_protocol; | ||
| set_real_ip_from 10.0.0.0/8; |
This test server binds to a hard-coded port (1985) and all interfaces. Other tests in this repo use $TEST_NGINX_RAND_PORT_* to avoid port collisions (e.g., t/011-upstream.t:49). Consider switching this listen to 127.0.0.1:$TEST_NGINX_RAND_PORT_1 (or similar) and update the cosocket connect()/PROXY line to use the same port.
| /* check if proxy_protocol_addr is available and non-empty */ | ||
| if (c->proxy_protocol == NULL | ||
| || c->proxy_protocol->src_addr.len == 0) | ||
| { | ||
| goto use_remote_addr; |
Brace placement in this new if block differs from the style used throughout this file (most if statements use if (...) { on the same line, e.g., src/ngx_http_lua_kong_vars.c:221). Please align to the existing brace style for consistency.
| /* check if proxy_protocol_addr differs from remote_addr */ | ||
| if (pp_addr->len == remote_addr->len | ||
| && ngx_strncmp(pp_addr->data, remote_addr->data, pp_addr->len) == 0) | ||
| { | ||
| goto use_remote_addr; | ||
| } |
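Review bot: The `ngx_strncmp` equality test on `pp_addr` and `remote_addr` compares the two addresses as text, so one address written in two textual forms compares as different and control continues past this block instead of taking `goto use_remote_addr`. Please extend the comment to say what the code after this block does with a textual mismatch, so a reader can see that a false "differs" result cannot by itself cause `proxy_protocol_addr` to be returned for an untrusted peer, or compare the parsed socket addresses instead of the strings.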
Brace placement in this new if block differs from the style used throughout this file (most if statements use if (...) { on the same line, e.g., src/ngx_http_lua_kong_vars.c:221). Please align to the existing brace style for consistency.
Add a new nginx variable $kong_client_addr that returns the effective client IP address by considering the PROXY protocol header.
The logic mirrors the existing Lua implementation:
The trusted CIDR list is read from the http_realip module's loc conf by casting the first field (ngx_array_t *from) directly, avoiding the need to replicate the ngx_http_realip_loc_conf_t struct definition.
The variable is guarded by #if (NGX_HTTP_REALIP) and is included in the default indexed variable set when --with-http_realip_module is compiled.
FTI-7344
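
The selection rule stated in the PR description, as an added example that is not code from this PR or from the Kong module: it shows why a PROXY protocol source address is only accepted when the directly connected peer is inside a trusted range. The names `client_addr` and `in_cidr` are hypothetical, plain C strings stand in for nginx's `ngx_str_t` and realip CIDR array, and only IPv4 is handled.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: 1 if IPv4 text `ip` is inside `cidr` ("a.b.c.d[/n]"). */
static int in_cidr(const char *ip, const char *cidr)
{
    char net[INET_ADDRSTRLEN + 4], *slash, *end;
    struct in_addr a, n;
    long bits = 32;

    if (strlen(cidr) >= sizeof(net)) {
        return 0;
    }
    strcpy(net, cidr);
    if ((slash = strchr(net, '/')) != NULL) {
        *slash = '\0';
        bits = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32) {
            return 0;               /* malformed prefix: fail closed */
        }
    }
    if (inet_pton(AF_INET, ip, &a) != 1 || inet_pton(AF_INET, net, &n) != 1) {
        return 0;
    }
    uint32_t mask = bits ? 0xffffffffu << (32 - bits) : 0;
    return (ntohl(a.s_addr) & mask) == (ntohl(n.s_addr) & mask);
}

/* Selection rule from the PR description; `pp` is the PROXY header source. */
const char *client_addr(const char *remote, const char *pp,
                        const char *const *trusted, size_t ntrusted)
{
    if (pp == NULL || pp[0] == '\0' || strcmp(pp, remote) == 0) {
        return remote;              /* no header, or nothing to rewrite */
    }
    for (size_t i = 0; i < ntrusted; i++) {
        if (in_cidr(remote, trusted[i])) {
            return pp;              /* trusted peer: accept its header */
        }
    }
    return remote;                  /* untrusted peer: header ignored */
}

int main(void)
{
    const char *trusted[] = { "10.0.0.0/8" };      /* constructed sample */
    return puts(client_addr("192.0.2.9", "203.0.113.7", trusted, 1)) < 0;
}
```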