Merge pull request #2582 from puppetlabs/allow-remote-ip-proxy-protocol-at-vhost-level

smortex · web-flow · commit 00d529dc8e3f · 2025-01-08T11:07:45.000-10:00
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
@@ -1705,6 +1705,11 @@
 # @param userdir
 #   Instances of apache::mod::userdir
 #
+# @param proxy_protocol
+#   Enable or disable PROXY protocol handling
+#
+# @param proxy_protocol_exceptions
+#   Disable processing of PROXY header for certain hosts or networks
 define apache::vhost (
   Variant[Stdlib::Absolutepath, Boolean] $docroot,
   Boolean $manage_docroot                                                             = true,
@@ -1966,6 +1971,8 @@
   Apache::OIDCSettings $oidc_settings                                                 = {},
   Optional[Variant[Boolean, String]] $mdomain                                         = undef,
   Optional[Variant[String[1], Array[String[1]]]] $userdir                             = undef,
+  Optional[Boolean] $proxy_protocol                                                   = undef,
+  Array[Stdlib::Host] $proxy_protocol_exceptions                                      = [],
 ) {
   # The base class must be included first because it is used by parameter defaults
   if ! defined(Class['apache']) {
@@ -2955,6 +2962,21 @@
     }
   }
 
+  if $proxy_protocol != undef {
+    include apache::mod::remoteip
+
+    $proxy_protocol_params = {
+      proxy_protocol            => $proxy_protocol,
+      proxy_protocol_exceptions => $proxy_protocol_exceptions,
+    }
+
+    concat::fragment { "${name}-proxy_protocol":
+      target  => "${priority_real}${filename}.conf",
+      order   => 400,
+      content => epp('apache/vhost/_proxy_protocol.epp', $proxy_protocol_params),
+    }
+  }
+
   $file_footer_params = {
     'define'              => $define,
     'passenger_pre_start' => $passenger_pre_start,
diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
@@ -551,7 +551,9 @@
                                    'ClientSecret' => 'aae053a9-4abf-4824-8956-e94b2af335c8',
                                    'CryptoPassphrase' => '4ad1bb46-9979-450e-ae58-c696967df3cd' },
               'mdomain' => 'example.com example.net auto',
-              'userdir' => 'disabled'
+              'userdir' => 'disabled',
+              'proxy_protocol' => true,
+              'proxy_protocol_exceptions' => ['127.0.0.1', '10.0.0.0/8'],
             }
           end
 
@@ -968,6 +970,13 @@
               content: %r{^MDomain example\.com example\.net auto$},
             )
           }
+
+          it {
+            expect(subject).to contain_concat__fragment('rspec.example.com-proxy_protocol')
+              .with_content(%r{^\s+RemoteIPProxyProtocol On$})
+              .with_content(%r{^\s+RemoteIPProxyProtocolExceptions 127\.0\.0\.1$})
+              .with_content(%r{^\s+RemoteIPProxyProtocolExceptions 10\.0\.0\.0/8$})
+          }
         end
 
         context 'vhost with proxy_add_headers true' do
diff --git a/templates/vhost/_proxy_protocol.epp b/templates/vhost/_proxy_protocol.epp
@@ -0,0 +1,8 @@
+<%- |
+  Boolean $proxy_protocol,
+  Array[Stdlib::Host] $proxy_protocol_exceptions,
+| -%>
+  RemoteIPProxyProtocol <%= apache::bool2httpd($proxy_protocol) %>
+<% $proxy_protocol_exceptions.each |$exception| { -%>
+  RemoteIPProxyProtocolExceptions <%= $exception %>
+<% } -%>
