feat: add switch to enable real-ip forwarding

MoeexT · MoeexT · commit 432b07ce1a07 · 2026-03-25T15:00:43.000+08:00
diff --git a/deployment/helm/datamate/values.yaml b/deployment/helm/datamate/values.yaml
@@ -183,6 +183,8 @@ frontend:
         secretKeyRef:
           name: datamate-conf
           key: DOMAIN
+    - name: REAL_IP_MODE
+      value: "off"
   volumes:
     - *logVolume
     - name: cert-volume
diff --git a/scripts/images/frontend/Dockerfile b/scripts/images/frontend/Dockerfile
@@ -22,13 +22,15 @@ COPY --from=builder /app/dist /opt/frontend/statics
 COPY scripts/images/frontend/routes.inc /opt/frontend/routes.inc
 COPY scripts/images/frontend/http_backend.conf /opt/frontend/http_backend.conf
 COPY scripts/images/frontend/https_backend.conf /opt/frontend/https_backend.conf
+COPY scripts/images/frontend/nginx.conf /opt/frontend/nginx.conf
 
 COPY scripts/images/frontend/start.sh /opt/frontend/start.sh
 
 RUN dos2unix /opt/frontend/start.sh \
     && chmod +x /opt/frontend/start.sh \
     && mkdir -p /etc/nginx/cert \
     && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
+    && rm -f /etc/nginx/nginx.conf \
     && rm -f /etc/nginx/conf.d/default.conf
 
 EXPOSE 3000
diff --git a/scripts/images/frontend/nginx.conf b/scripts/images/frontend/nginx.conf
@@ -0,0 +1,32 @@
+
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}
diff --git a/scripts/images/frontend/start.sh b/scripts/images/frontend/start.sh
@@ -1,5 +1,17 @@
 #!/bin/bash
 
+function set_proxy_protocol() {
+    if [ "${REAL_IP_MODE}" != "proxy_protocol" ]; then
+        echo "REAL_IP_MODE is ${REAL_IP_MODE}, no need to update nginx configuration file."
+        return 0
+    fi
+    sed -i 's/listen       3000;/listen       3000 proxy_protocol;/' /opt/frontend/http_backend.conf
+    sed -i 's/listen       3000;/listen       3000 proxy_protocol;/' /opt/frontend/https_backend.conf
+    sed -i '/access_log.*main/a\    set_real_ip_from 0.0.0.0/0;' /opt/frontend/nginx.conf
+    sed -i '/access_log.*main/a\    real_ip_header proxy_protocol;' /opt/frontend/nginx.conf
+    echo "ginx configuration file updated."
+}
+
 if [ -f "/cert/server.pem" ]; then
     cp /cert/server.pem /etc/nginx/cert/server.pem
     chown nginx:nginx /etc/nginx/cert/server.pem
@@ -18,6 +30,8 @@ if [ -f "/cert/server.key" ]; then
     chown nginx:nginx /etc/nginx/cert/server.key
 fi
 
+set_proxy_protocol
+cp /opt/frontend/nginx.conf /etc/nginx/nginx.conf
 if [ -f "/etc/nginx/cert/server.pem" ]; then
     cp /opt/frontend/https_backend.conf /etc/nginx/conf.d/default.conf
     cp /opt/frontend/routes.inc /etc/nginx/conf.d/routes.inc
