Implement RealIP module (#240)

Author: alessfg

CHANGELOG.md

@@ -10,7 +10,7 @@ ENHANCEMENTS:
 
 * Bump the Ansible `community.general` collection to `4.6.1` and `community.docker` collection to `2.2.1`.
 * Add labels to loops in `tasks/config/template-config.yml` to reduce amount of output data.
-* Add the `map` and `split_clients` directives into the `http` core template.
+* Implement the `map`, `realip` and `split_clients` modules into the `http` core template.
 * Streamline configuring SELinux.
 
 BUG FIXES:

defaults/main/template.yml

@@ -641,6 +641,10 @@ nginx_config_http_template:
           content:  # Dictionary or list of dictionaries
             - value: default
               new_value: 0
+      realip:  # Configure RealIP directives
+        set_real_ip_from: 0.0.0.0
+        real_ip_header: X-Real-IP
+        real_ip_recursive: false  # Boolean
       rewrite:  # Configure rewrite directives
         return:  # Can also be set to a return URL or code directly -- Not available in the 'http' context
           code: 200  # Required -- You have to set either 'code' or 'url'

molecule/default/converge.yml

@@ -502,6 +502,10 @@
                         new_value: 0
                       - value: '"~jndi:ldap"'
                         new_value: 1
+              realip:
+                set_real_ip_from: 0.0.0.0
+                real_ip_header: X-Real-IP
+                real_ip_recursive: false
               rewrite:
                 log: false
                 uninitialized_variable_warn: false

molecule/plus/converge.yml

@@ -296,6 +296,10 @@
                         new_value: 0
                       - value: '"~jndi:ldap"'
                         new_value: 1
+              realip:
+                set_real_ip_from: 0.0.0.0
+                real_ip_header: X-Real-IP
+                real_ip_recursive: false
               rewrite:
                 log: false
                 uninitialized_variable_warn: false

templates/http/default.conf.j2

@@ -84,6 +84,10 @@
 {% from 'http/modules.j2' import map with context %}
 {{ map(item['config']['map']) }}
 {%- endif %}
+{% if item['config']['realip'] is defined %}
+{% from 'http/modules.j2' import realip with context %}
+{{ realip(item['config']['realip']) }}
+{%- endif %}
 {% if item['config']['rewrite'] is defined %}
 {% from 'http/modules.j2' import rewrite with context %}
 {{ rewrite(item['config']['rewrite']) }}
@@ -218,6 +222,12 @@ server {
     {{ log(server['log']) }}
 {%- endfilter %}
 {% endif %}
+{% if server['realip'] is defined %}
+{% from 'http/modules.j2' import realip with context %}
+{% filter indent(4) %}
+    {{ realip(server['realip']) }}
+{%- endfilter %}
+{% endif %}
 {% if server['rewrite'] is defined %}
 {% from 'http/modules.j2' import rewrite with context %}
 {% filter indent(4) %}
@@ -348,6 +358,12 @@ server {
         {{ log(location['log']) }}
 {%- endfilter %}
 {% endif %}
+{% if location['realip'] is defined %}
+{% from 'http/modules.j2' import realip with context %}
+{% filter indent(8) %}
+        {{ realip(location['realip']) }}
+{%- endfilter %}
+{% endif %}
 {% if location['rewrite'] is defined %}
 {% from 'http/modules.j2' import rewrite with context %}
 {% filter indent(8) %}

templates/http/modules.j2

@@ -225,6 +225,20 @@ map {{ map_data['string'] }} {{ map_data['variable'] }} {
 
 {% endmacro %}
 
+{# NGINX HTTP RealIP -- ngx_http_realip_module #}
+{% macro realip(realip) %}
+{% if realip['set_real_ip_from'] is defined %}
+set_real_ip_from {{ realip['set_real_ip_from'] }};
+{% endif %}
+{% if realip['real_ip_header'] is defined %}
+real_ip_header {{ realip['real_ip_header'] }};
+{% endif %}
+{% if realip['real_ip_recursive'] is defined and realip['real_ip_recursive'] is boolean %}
+real_ip_recursive {{ realip['real_ip_recursive'] | ternary('on', 'off') }};
+{% endif %}
+
+{% endmacro %}
+
 {# NGINX HTTP Rewrite -- ngx_http_rewrite_module #}
 {% macro rewrite(rewrite) %}
 {% if rewrite['return'] is defined %}{# 'return' directive is not available in the 'http' context #}