fix(nginx): cloudflared remote_addr

2026-02-09 04:19:19 -08:00 · 2024-06-24 10:39:01 -07:00 · 2024-06-24 10:39:01 -07:00 · b5c1b9de84
commit b5c1b9de84
parent 0bcfd82a60
4 changed files with 89 additions and 18 deletions
--- a/modules/nixos/monitoring/source/promtail.nix
+++ b/modules/nixos/monitoring/source/promtail.nix
@ -75,21 +75,23 @@ in {
                stages = [
                  {
                    regex.expression = concatStringsSep " " [
-                      ''(?P<remote_addr>.*?)''
-                      ''(?P<remote_log_name>.*?)''
-                      ''(?P<userid>.*?)(@(?P<virtual_host>.*?))?''
+                      ''(?P<remote_addr>.*?)(@-|@(?P<request_scheme>.*?)|)''
+                      ''(-|(?P<remote_log_name>.*?))(@-|@(?P<request_id>.*?)|)''
+                      ''(-|(?P<userid>.*?))(@(?P<virtual_host>.*?))?''
                      ''\[(?P<timestamp>.*?)\]''
                      ''\"(?P<request_method>.*?) (?P<path>.*?)( (?P<request_version>HTTP/.*))?\"''
                      ''(?P<status>.*?)''
                      ''(?P<length>.*?)''
-                      ''\"(?P<referrer>.*?)\"''
-                      ''\"(?P<user_agent>.*?)\"''
+                      ''\"(-|(?P<referrer>.*?))\"''
+                      ''\"(-|(?P<user_agent>.*?))\"''
                    ];
                  }
                  {
                    labels = {
                      remote_addr = null;
                      remote_log_name = null;
+                      request_scheme = null;
+                      request_id = null;
                      userid = null;
                      virtual_host = null;
                      request_method = null;
--- a/modules/nixos/nginx/proxied.nix
+++ b/modules/nixos/nginx/proxied.nix
@ -1,4 +1,12 @@
 let
+  xCloudflared = {virtualHost}: let
+    host = if virtualHost.proxied.cloudflared.host == virtualHost.serverName
+      then "$server_name"
+      else "'${virtualHost.proxied.cloudflared.host}'";
+  in ''
+    set $proxied_cf on;
+    set $proxied_host_cf ${host};
+  '';
  xHeadersProxied = {xvars}: ''
    ${xvars.init "forwarded_for" "$proxy_add_x_forwarded_for"}
    if ($http_x_forwarded_proto) {
@ -11,6 +19,9 @@ let
    if ($http_x_real_ip) {
      ${xvars.init "remote_addr" "$http_x_real_ip"}
    }
+    if ($http_cf_connecting_ip) {
+      ${xvars.init "remote_addr" "$http_cf_connecting_ip"}
+    }
    if ($http_x_forwarded_host) {
      ${xvars.init "host" "$http_x_forwarded_host"}
    }
@ -66,6 +77,9 @@ let
      };
      xvars.enable = mkIf cfg.enabled true;
      extraConfig = mkMerge [
+        (mkIf (cfg.enable == "cloudflared" && virtualHost.proxied.enable != "cloudflared") (
+          mkJustBefore (xCloudflared {inherit virtualHost;})
+        ))
        (mkIf emitVars (
          mkJustBefore (xHeadersProxied {inherit xvars;})
        ))
@ -97,6 +111,10 @@ let
          default = cfg.enable != false;
        };
        cloudflared = {
+          host = mkOption {
+            type = str;
+            default = config.serverName;
+          };
          ingressSettings = mkOption {
            type = unmerged.types.attrs;
          };
@ -127,12 +145,19 @@ let
          mkIf (cfg.enable == "cloudflared") {
            ingressSettings.${config.serverName} = {
              service = "${scheme}://localhost:${toString listen.port}";
-              originRequest.${
+              originRequest = let
+                noTLSVerify =
                  if scheme == "https"
                  then "noTLSVerify"
-                else null
-              } =
-                true;
+                  else null;
+                httpHostHeader =
+                  if cfg.cloudflared.host != config.serverName
+                  then "httpHostHeader"
+                  else null;
+              in {
+                ${noTLSVerify} = true;
+                ${httpHostHeader} = cfg.cloudflared.host;
+              };
            };
            getIngress = {}: unmerged.mergeAttrs cfg.cloudflared.ingressSettings;
          };
@ -146,9 +171,16 @@ let
        };
      };
      accessLog = mkIf cfg.enabled {
-        format = mkDefault "combined_proxied";
+        format = mkDefault (
+          if cfg.enable == "cloudflared"
+          then "combined_cloudflared"
+          else "combined_proxied"
+        );
      };
      extraConfig = mkMerge [
+        (mkIf (cfg.enable == "cloudflared") (
+          mkOrder orderJustBefore (xCloudflared {virtualHost = config;})
+        ))
        (mkIf (cfg.enabled && config.xvars.enable) (
          mkOrder (orderJustBefore + 25) (xHeadersProxied {inherit xvars;})
        ))
@ -218,10 +250,46 @@ in
          };
        };
        commonHttpConfig = mkIf cfg.enable ''
-          log_format combined_proxied '$x_remote_addr proxied $remote_user@$x_host [$time_local] '
-                    '"$request" $status $body_bytes_sent '
-                    '"$http_referer" "$http_user_agent"';
+          map "$http_cf_connecting_ip" $proxied_remote_addr_cf {
+            "" $remote_addr;
+            default $http_cf_connecting_ip;
+          }
+          map "$http_x_real_ip" $proxied_remote_addr_x {
+            "" $remote_addr;
+            default $http_x_real_ip;
+          }
+          map "$http_x_forwarded_host" $proxied_host_x {
+            "" $host;
+            default $http_x_forwarded_host;
+          }
+          map "$http_x_forwarded_server" $proxied_forwarded_server_x {
+            "" $proxied_host_x;
+            default $http_x_forwarded_server;
+          }
+          map "$http_x_forwarded_proto" $proxied_scheme {
+            "" $scheme;
+            default $http_x_forwarded_proto;
+          }
+          map "$proxied_scheme" $proxied_https {
+            "https" on;
+            default "";
+          }

+          map "$proxied_cf" $proxied_remote_addr {
+            "on" $proxied_remote_addr_cf;
+            default $proxied_remote_addr_x;
+          }
+          map "$proxied_cf" $proxied_host {
+            "on" $proxied_host_cf;
+            default $proxied_host_x;
+          }
+
+          log_format combined_proxied '$proxied_remote_addr@$proxied_scheme proxied $remote_user@$proxied_host [$time_local]'
+            ' "$request" $status $body_bytes_sent'
+            ' "$http_referer" "$http_user_agent"';
+          log_format combined_cloudflared '$proxied_remote_addr_cf@$proxied_scheme cloudflared@$http_cf_ray $remote_user@$proxied_host_cf [$time_local]'
+            ' "$request" $status $body_bytes_sent'
+            ' "$http_referer" "$http_user_agent"';
        '';
      };
      networking.firewall.interfaces.lan = mkIf nginx.enable {
--- a/modules/nixos/nginx/proxy.nix
+++ b/modules/nixos/nginx/proxy.nix
@ -160,6 +160,7 @@ let
          then xvars.get.proxy_hostport
          else cfg.host;
        Referer = xvars.get.referer;
+        CF-Connecting-IP = xvars.get.remote_addr;
        X-Real-IP = xvars.get.remote_addr;
        X-Forwarded-For = xvars.get.forwarded_for;
        X-Forwarded-Proto = xvars.get.scheme;
--- a/nixos/nginx.nix
+++ b/nixos/nginx.nix
@ -38,9 +38,9 @@ in {
      map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
      }
-      log_format combined_host '$remote_addr - $remote_user@$host [$time_local] '
-                    '"$request" $status $body_bytes_sent '
-                    '"$http_referer" "$http_user_agent"';
+      log_format combined_host '$remote_addr@$scheme - $remote_user@$host [$time_local]'
+        ' "$request" $status $body_bytes_sent'
+        ' "$http_referer" "$http_user_agent"';
    '';
    clientMaxBodySize = mkDefault "512m";
    virtualHosts.fallback = {