From dd894f0f73f00e06de568ec837fd0f99429ef2f1 Mon Sep 17 00:00:00 2001
From: Payam Hekmat
Date: Thu, 11 May 2017 21:55:35 -0500
Subject: [PATCH] Add config for X-Forwarded-For trust Use the same config option for `set_real_ip_from` when not using proxy protocol. The default remains `0.0.0.0/0`, which is insecure if the ingress is publicly accessible. This at least provides a workaround for #200
---
 controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index ba4d8f78e3..1b81847002 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -23,8 +23,8 @@ http {
 set_real_ip_from {{ $cfg.ProxyRealIPCIDR }};
 real_ip_header proxy_protocol;
 {{ else }}
+ set_real_ip_from {{ $cfg.ProxyRealIPCIDR }};
 real_ip_header X-Forwarded-For;
- set_real_ip_from 0.0.0.0/0;
 {{ end }}
 real_ip_recursive on;
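Review bot: The `{{ else }}` branch now takes its trusted range from `$cfg.ProxyRealIPCIDR`, but nothing at the directive says that this one option governs both the proxy-protocol and the X-Forwarded-For case, or that the unchanged `0.0.0.0/0` default lets any peer supply the address nginx records as the client. With `real_ip_recursive on` at the end of the hunk, that address then feeds whatever relies on the client IP (source-range allowlists, rate limits, access logs), so operators need to be told to narrow it to their load balancer's range. I would add a template comment above the new line, `{{/* X-Forwarded-For is only trusted from ProxyRealIPCIDR; set it to the upstream load balancer range, the 0.0.0.0/0 default trusts every client */}}`, and update the option's documentation, which this one-file commit does not appear to touch. The value is rendered into a single `set_real_ip_from` directive, so it presumably holds one CIDR only; deployments with several proxy ranges would need a list rendered as one directive per entry. The `http {` block starts before and continues past the hunk.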