From 0d9d9324917769396735e0a2e028365a7fce8820 Mon Sep 17 00:00:00 2001
From: Neil Hanlon
Date: Tue, 10 Oct 2023 20:54:36 -0400
Subject: [PATCH] use realip module in nginx to log true client IP

---
 .../nginx/conf.d/repopool-http-production.conf.j2 | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/templates/etc/nginx/conf.d/repopool-http-production.conf.j2 b/templates/etc/nginx/conf.d/repopool-http-production.conf.j2
index 56021fe..270a212 100644
--- a/templates/etc/nginx/conf.d/repopool-http-production.conf.j2
+++ b/templates/etc/nginx/conf.d/repopool-http-production.conf.j2
@@ -4,6 +4,12 @@
 server_name _;
 root /mnt/repos-production/mirror;
 
+ # Fastly sets the client IP in this header (and it cannot be overriden by user)
+ real_ip_header Fastly-Client-IP;
+ real_ip_recursive on;
+ set_real_ip_from 10.32.0.0/16;
+ set_real_ip_from ::/0;
+
 location / {
 autoindex on;
 }
@@ -41,6 +47,12 @@
 ssl_certificate_key /etc/pki/tls/private/dl.rockylinux.org.key;
 ssl_ciphers HIGH:!aNULL:!MD5;
 
+ # Fastly sets the client IP in this header (and it cannot be overriden by user)
+ real_ip_header Fastly-Client-IP;
+ real_ip_recursive on;
+ set_real_ip_from 10.32.0.0/16;
+ set_real_ip_from ::/0;
+
 location / {
 autoindex on;
 }
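Review bot: `set_real_ip_from ::/0;` in the first server block (and again in the TLS server block of the second hunk) marks every IPv6 peer as a trusted proxy, so a request that reaches this origin over IPv6 without passing through Fastly has whatever it sends in `Fastly-Client-IP` recorded as the client address. The comment's claim that the header cannot be overridden holds only for traffic that really came through Fastly. Unless the origin is firewalled so that only the CDN or load balancer can connect (not visible in this diff), replace the catch-all with the specific IPv6 ranges of the trusted proxies, e.g. `set_real_ip_from <trusted-proxy-v6-cidr>;` (placeholder), matching the scoped `10.32.0.0/16` entry. If anything downstream keys on `$remote_addr` (rate limits, allow/deny rules), the same trust boundary applies to it. Both server blocks start and end outside the hunks.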