Merge pull request #511 from wunderio/release/2026-01-06

Release 2026-01-06

Author: ArtisKrumins

drupal/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: drupal
-version: 1.28.1
+version: 1.28.2
 dependencies:
 - name: mariadb
   version: 7.5.x

drupal/templates/_helpers.tpl

@@ -538,6 +538,7 @@ if [[ "$(drush status --fields=bootstrap)" = *'Successful'* ]] ; then
       --exclude="{{ $folderPattern }}" \
       {{ end -}}
       --delete --delete-excluded \
+      --ignore-missing-args \
       /app/reference-data/{{ $index }}
     {{ end -}}
     {{- end }}
@@ -619,11 +620,11 @@ if [ "${REF_DATA_COPY_FILES:-}" == "true" ]; then
   if [ -d "/app/reference-data/{{ $index }}" ] && [ -n "$(ls /app/reference-data/{{ $index }})" ]; then
     echo "Importing {{ $index }} files"
     # skip subfolders
-    rsync -r --delete --temp-dir=/tmp/ --filter "- */" "/app/reference-data/{{ $index }}/" "{{ $mount.mountPath }}" &
+    rsync -r --delete --ignore-missing-args --temp-dir=/tmp/ --filter "- */" "/app/reference-data/{{ $index }}/" "{{ $mount.mountPath }}" &
     # run rsync for each subfolder
     for f in /app/reference-data/{{ $index }}/*/; do
       subfolder="$(realpath -s $f)"
-      rsync -r --delete --temp-dir=/tmp/ "${subfolder}" "{{ $mount.mountPath }}" &
+      rsync -r --delete --ignore-missing-args --temp-dir=/tmp/ "${subfolder}" "{{ $mount.mountPath }}" &
     done
   fi
   {{ end -}}

drupal/templates/varnish-configmap-vcl.yaml

@@ -304,10 +304,29 @@ data:
         return(pipe);
       }
 
+      # Match upstream allowlist to supply headers containing real ip
+      if (client.ip ~ upstream_proxy && req.http.X-Envoy-External-Address) {
+        set req.http.X-Forwarded-For = req.http.X-Envoy-External-Address;
+        set req.http.X-Real-IP = req.http.X-Envoy-External-Address;
+      }
+      elseif (client.ip ~ upstream_proxy && req.http.X-Forwarded-For) {
+        set req.http.X-Real-IP = req.http.X-Forwarded-For;
+      }
+      elseif (client.ip ~ upstream_proxy && req.http.X-Real-IP) {
+        set req.http.X-Forwarded-For = req.http.X-Real-IP;
+      }
+      else {
+        set req.http.X-Forwarded-For = client.ip;
+        set req.http.X-Real-IP = client.ip;
+      }
+      
+      # Use first ip from X-Real-IP as parsed ip
+      set req.http.X-Parsed-IP = regsub(req.http.X-Real-IP, "[, ].*$", "");
+
       # Only allow BAN requests from IP addressees in the 'internal' ACL.
       if (req.method == "BAN") {
         # Admin port is only exposed to internal network
-        if (!client.ip ~ purge) {
+        if (!std.ip(req.http.X-Parsed-IP, "0.0.0.0") ~ purge || std.ip(req.http.X-Parsed-IP, "0.0.0.0") ~ upstream_proxy ) {
           return (synth(403, "Not allowed."));
         }
 
@@ -331,7 +350,7 @@ data:
       # Only allow URIBAN requests from IP addressees in the 'internal' ACL.
       if (req.method == "URIBAN") {
         # Admin port is only exposed to internal network
-        if (!client.ip ~ purge) {
+        if (!std.ip(req.http.X-Parsed-IP, "0.0.0.0") ~ purge || std.ip(req.http.X-Parsed-IP, "0.0.0.0") ~ upstream_proxy ) {
           return (synth(403, "Not allowed."));
         }
 
@@ -348,24 +367,6 @@ data:
         return (synth(200, "Ban added."));
       }
 
-      # Match upstream allowlist to supply headers containing real ip
-      if (client.ip ~ upstream_proxy && req.http.X-Envoy-External-Address) {
-        set req.http.X-Forwarded-For = req.http.X-Envoy-External-Address;
-        set req.http.X-Real-IP = req.http.X-Envoy-External-Address;
-      }
-      elseif (client.ip ~ upstream_proxy && req.http.X-Forwarded-For) {
-        set req.http.X-Forwarded-For = req.http.X-Forwarded-For;
-        set req.http.X-Real-IP = req.http.X-Forwarded-For;
-      }
-      elseif (client.ip ~ upstream_proxy && req.http.X-Real-IP) {
-        set req.http.X-Forwarded-For = req.http.X-Real-IP;
-        set req.http.X-Real-IP = req.http.X-Real-IP;
-      }
-      else {
-        set req.http.X-Forwarded-For = client.ip;
-        set req.http.X-Real-IP = client.ip;
-      }
-
       # Only deal with "normal" types
       if (req.method != "GET"
         && req.method != "HEAD"
@@ -434,7 +435,7 @@ data:
         return (synth( 403, "Forbidden"));
       }
 
-      if (req.http.Authorization || client.ip ~ internal) {
+      if (req.http.Authorization || ( std.ip(req.http.X-Parsed-IP, "0.0.0.0") ~ internal && std.ip(req.http.X-Parsed-IP, "0.0.0.0") !~ upstream_proxy )) {
         # Not cacheable by default
         return (pass);
       }
@@ -460,7 +461,7 @@ data:
       }
 
       # Do not allow public access to cron.php , update.php or install.php.
-      if (req.url ~ "^(?:/core)?/(?:cron|install|update)\.php$" && !client.ip ~ internal) {
+      if (req.url ~ "^(?:/core)?/(?:cron|install|update)\.php$" && (!std.ip(req.http.X-Parsed-IP, "0.0.0.0") ~ internal || std.ip(req.http.X-Parsed-IP, "0.0.0.0") ~ upstream_proxy)) {
         # Have Varnish throw the error directly.
         return (synth( 404, "Page not found."));
       }

frontend/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: frontend
-version: 1.25.0
+version: 1.25.1
 dependencies:
 - name: mariadb
   version: 7.10.x

frontend/templates/varnish-configmap-vcl.yaml

@@ -24,6 +24,15 @@ data:
       {{- end }}
     }
 
+    # Define the purge network access.
+    # These are used below to allow cache purging via BAN.
+    acl purge {
+      "127.0.0.1";
+      {{- range .Values.nginx.noauthips }}
+      {{ . | quote }};
+      {{- end }}
+    }
+
     # List of upstream proxies we trust to set X-Forwarded-For correctly.
     acl upstream_proxy {
       {{- if kindIs "string" .Values.nginx.realipfrom }}
@@ -56,10 +65,29 @@ data:
         return (synth(400));
       }
 
+      # Match upstream allowlist to supply headers containing real ip
+      if (client.ip ~ upstream_proxy && req.http.X-Envoy-External-Address) {
+        set req.http.X-Forwarded-For = req.http.X-Envoy-External-Address;
+        set req.http.X-Real-IP = req.http.X-Envoy-External-Address;
+      }
+      elseif (client.ip ~ upstream_proxy && req.http.X-Forwarded-For) {
+        set req.http.X-Real-IP = req.http.X-Forwarded-For;
+      }
+      elseif (client.ip ~ upstream_proxy && req.http.X-Real-IP) {
+        set req.http.X-Forwarded-For = req.http.X-Real-IP;
+      }
+      else {
+        set req.http.X-Forwarded-For = client.ip;
+        set req.http.X-Real-IP = client.ip;
+      }
+      
+      # Use first ip from X-Real-IP as parsed ip
+      set req.http.X-Parsed-IP = regsub(req.http.X-Real-IP, "[, ].*$", "");
+
       # Only allow BAN requests from IP addressees in the 'internal' ACL.
       if (req.method == "BAN") {
         # Admin port is only exposed to internal network
-        if (!client.ip ~ internal) {
+        if (!std.ip(req.http.X-Parsed-IP, "0.0.0.0") ~ purge || std.ip(req.http.X-Parsed-IP, "0.0.0.0") ~ upstream_proxy ) {
           return (synth(403, "Not allowed."));
         }
 
@@ -79,7 +107,7 @@ data:
       # Only allow URIBAN requests from IP addressees in the 'internal' ACL.
       if (req.method == "URIBAN") {
         # Admin port is only exposed to internal network
-        if (!client.ip ~ internal) {
+        if (!std.ip(req.http.X-Parsed-IP, "0.0.0.0") ~ purge || std.ip(req.http.X-Parsed-IP, "0.0.0.0") ~ upstream_proxy ) {
           return (synth(403, "Not allowed."));
         }
 
@@ -95,24 +123,6 @@ data:
         return (synth(200, "Ban added."));
       }
 
-      # Match upstream allowlist to supply headers containing real ip
-      if (client.ip ~ upstream_proxy && req.http.X-Envoy-External-Address) {
-        set req.http.X-Forwarded-For = req.http.X-Envoy-External-Address;
-        set req.http.X-Real-IP = req.http.X-Envoy-External-Address;
-      }
-      elseif (client.ip ~ upstream_proxy && req.http.X-Forwarded-For) {
-        set req.http.X-Forwarded-For = req.http.X-Forwarded-For;
-        set req.http.X-Real-IP = req.http.X-Forwarded-For;
-      }
-      elseif (client.ip ~ upstream_proxy && req.http.X-Real-IP) {
-        set req.http.X-Forwarded-For = req.http.X-Real-IP;
-        set req.http.X-Real-IP = req.http.X-Real-IP;
-      }
-      else {
-        set req.http.X-Forwarded-For = client.ip;
-        set req.http.X-Real-IP = client.ip;
-      }
-
       # Check request methods
       if (req.method == "PRI") {
         # This will never happen in properly formed traffic.
@@ -135,7 +145,7 @@ data:
       }
 
       # Do not cache requests with Authorization header
-      if (req.http.Authorization || client.ip ~ internal) {
+      if (req.http.Authorization || ( std.ip(req.http.X-Parsed-IP, "0.0.0.0") ~ internal && std.ip(req.http.X-Parsed-IP, "0.0.0.0") !~ upstream_proxy )) {
         return (pass);
       }