updates based on reviews

internal/mode/static/nginx/config/servers.go

@@ -830,23 +830,25 @@ func generateProxySetHeaders(filters *dataplane.HTTPFilters, grpc bool) []http.H
 }
 
 func setHeaderForHTTPSRedirect(filters *dataplane.HTTPFilters, headers []http.Header) {
-	if filters != nil {
-		if filters.RequestURLRewrite != nil && filters.RequestURLRewrite.Hostname != nil {
-			for i, header := range headers {
-				if header.Name == "Host" {
-					headers[i].Value = *filters.RequestURLRewrite.Hostname
-					break
-				}
+	if filters == nil {
+		return
+	}
+
+	if filters.RequestURLRewrite != nil && filters.RequestURLRewrite.Hostname != nil {
+		for i, header := range headers {
+			if header.Name == "Host" {
+				headers[i].Value = *filters.RequestURLRewrite.Hostname
+				break
 			}
 		}
-		if filters.RequestRedirect != nil &&
-			filters.RequestRedirect.Scheme != nil &&
-			*filters.RequestRedirect.Scheme == http.HTTPSScheme {
-			for i, header := range headers {
-				if header.Name == "X-Forwarded-Proto" {
-					headers[i].Value = http.HTTPSScheme
-					return
-				}
+	}
+	if filters.RequestRedirect != nil &&
+		filters.RequestRedirect.Scheme != nil &&
+		*filters.RequestRedirect.Scheme == http.HTTPSScheme {
+		for i, header := range headers {
+			if header.Name == "X-Forwarded-Proto" {
+				headers[i].Value = http.HTTPSScheme
+				return
 			}
 		}
 	}

internal/mode/static/nginx/config/servers_test.go

@@ -342,6 +342,7 @@ func TestExecuteServers_RewriteClientIP(t *testing.T) {
 				"listen [::]:8080 proxy_protocol;":                         1,
 				"listen [::]:8443 ssl default_server proxy_protocol;":      1,
 				"listen [::]:8443 ssl proxy_protocol;":                     1,
+				"real_ip_recursive on;":                                    0,
 			},
 		},
 		{

internal/mode/static/nginx/config/stream_servers.go

@@ -67,6 +67,7 @@ func createStreamServers(conf dataplane.Configuration) []stream.Server {
 
 		portSet[server.Port] = struct{}{}
 
+		// we do not evaluate rewriteClientIP settings for non-socket stream servers
 		streamServer := stream.Server{
 			Listen:     fmt.Sprint(server.Port),
 			StatusZone: server.Hostname,

internal/mode/static/state/dataplane/configuration.go

@@ -863,8 +863,8 @@ func buildBaseHTTPConfig(g *graph.Graph) BaseHTTPConfig {
 		}
 
 		if len(g.NginxProxy.Source.Spec.RewriteClientIP.TrustedAddresses) > 0 {
-			trustedAddresses := convertTrustedAddresses(g)
-			baseConfig.RewriteClientIPSettings.TrustedAddresses = convertTrustedAddresses(g)
+			trustedAddresses := convertTrustedAddresses(g.NginxProxy.Source.Spec.RewriteClientIP.TrustedAddresses)
+			baseConfig.RewriteClientIPSettings.TrustedAddresses = trustedAddresses
 		}
 
 		if g.NginxProxy.Source.Spec.RewriteClientIP.SetIPRecursively != nil {
@@ -893,9 +893,9 @@ func buildPolicies(graphPolicies []*graph.Policy) []policies.Policy {
 	return finalPolicies
 }
 
-func convertTrustedAddresses(g *graph.Graph) []string {
-	trustedAddresses := make([]string, len(g.NginxProxy.Source.Spec.RewriteClientIP.TrustedAddresses))
-	for i, addr := range g.NginxProxy.Source.Spec.RewriteClientIP.TrustedAddresses {
+func convertTrustedAddresses(addresses []ngfAPI.TrustedAddress) []string {
+	trustedAddresses := make([]string, len(addresses))
+	for i, addr := range addresses {
 		trustedAddresses[i] = string(addr)
 	}
 	return trustedAddresses

site/content/how-to/monitoring/troubleshooting.md

@@ -465,7 +465,7 @@ If you check your _nginx_ container logs and see the following error:
 
 It indicates that `proxy_protocol` is enabled for the gateway listeners, but the request sent to the application endpoint does not contain proxy information. To **resolve** this, you can do one of the following:
 
-- Disable field [`rewriteClientIP.mode`](({{< relref "reference/api.md" >}})) in the NginxProxy configuration.
+- Unassign the field [`rewriteClientIP.mode`](({{< relref "reference/api.md" >}})) in the NginxProxy configuration.
 
 - Send valid proxy information with requests being handled by your application.