Resolve "Show original external IPs in kubectl logs"

02fd1002 · Maarten de Waard · Arie Peterson · cc835fa0 · 02fd1002 · 02fd1002
Commit 02fd1002 authored 4 years ago by Maarten de Waard Committed by Arie Peterson 4 years ago
--- a/README.md
+++ b/README.md
@@ -14,7 +14,13 @@
   ```
   $ helm repo add bitnami https://charts.bitnami.com/bitnami
   ```
+5. The chart assumes you have nginx ingress running in IP range `10.0.0.0/8`. If
+   you do, the access logs will show remote IP addresses from the
+   `X-Forwarded-For` header. Otherwise, the proxy IP address is shown in the
+   access logs.

+   If you don't use `nginx` ingress and you enable `mu_cron`, make sure to block
+   the path from `wordpress.mu_cron.cronjob.path` from outside traffic.

 ### Start WordPress on Kubernetes


--- a/values-local.yaml.example
+++ b/values-local.yaml.example
@@ -48,6 +48,8 @@ wordpress:
    # # correctly. Defaults to `/wp-login.php`. Be sure to make this the same as
    # # alt_path if you use it!
    # probe_path: /wp-login.php
+    # Turn on WordPress' debug mode
+    # debug: true
  wp_content:
    # The directory to mount the files placed in wp-content. You shouldn't have to
    # change this.

--- a/values.yaml
+++ b/values.yaml
@@ -114,6 +114,8 @@ wordpress:
    # Path used by the liveness and readiness probes to see if the site runs
    # correctly.
    probe_path: /wp-login.php
+    # Set to true to set WP_DEBUG on in the configuration
+    debug: false

  wp_content:
    ## The directory to mount the files placed in wp-content. You shouldn't have to
@@ -340,6 +342,7 @@ ansibleSecrets: |
  WP_CONTENT_REPO_URL: https://{{ .Values.git_repo.token_user }}:{{ .Values.git_repo.token_key }}@{{ .Values.git_repo.url }}{{ .Values.git_repo.name }}
  WP_OPENID_CONNECT_ROLE_MAPPING_ENABLED: {{ .Values.openid_connect_settings.role_mapping_enabled }}
  WP_CONTENT_REPO_VERSION: {{ .Values.git_repo.version }}
+  WP_DEBUG: {{ .Values.wordpress.site.debug }}
  WP_EMAIL: {{ .Values.wordpress.config.adm.email }}
  WP_PASS: {{ .Values.wordpress.config.adm.pssw }}
  WP_REDIS_ENABLED: {{ .Values.redis.enabled }}

--- a/wp-cli-docker/roles/wordpress-init/tasks/main.yml
+++ b/wp-cli-docker/roles/wordpress-init/tasks/main.yml
@@ -130,7 +130,7 @@
  block:
    - debug:
        msg: "Trying the configured theme - {{ WP_THEME }}"
-    - name: Activate theme if exists in wp-content-repo 
+    - name: Activate theme if exists in wp-content-repo
      shell: wp {{ cli_args }} theme activate "{{ WP_THEME }}"
    - debug:
        msg: 'Success'
@@ -138,7 +138,7 @@
    - debug:
        msg: 'Local theme does not exist or error'
    - name: Pull the default theme set in values.yaml and then activate
-      shell: wp {{ cli_args }} theme install "{{ WP_THEME_FALLBACK }}" --activate 
+      shell: wp {{ cli_args }} theme install "{{ WP_THEME_FALLBACK }}" --activate
    - debug:
        msg: "Fallback theme {{ WP_THEME_FALLBACK }} has been installed"

@@ -149,14 +149,18 @@
  loop_control:
    loop_var: wordpress_default_plugin

-# Option for an alt login - when an alt.path is set and an alt.config exists  
+# Option for an alt login - when an alt.path is set and an alt.config exists
 - name: Set alt path
  shell: wp {{ cli_args }} option set {{ WP_ALT_CONFIG }}  {{ WP_ALT_PATH }}
  when: WP_ALT_ENABLED

+# Enables or disables WordPress' debug mode
+- name: Set debug mode
+  shell: wp {{ cli_args }} config set WP_DEBUG  {{ WP_DEBUG }} --raw --type=constant
+
 - import_tasks: mu-plugins-cron.yml
  when: WP_MU_PLUGINS_ENABLED
-  
+
 - import_tasks: redis.yml
  when: WP_REDIS_ENABLED


--- a/wp-docker/Dockerfile
+++ b/wp-docker/Dockerfile
@@ -11,7 +11,7 @@ COPY wp.ini /usr/local/etc/php/conf.d/wp.ini
 # https://codex.wordpress.org/Editing_wp-config.php#Configure_Error_Logging
 COPY error-logging.ini /usr/local/etc/php/conf.d/error-logging.ini

-RUN a2enmod rewrite expires
+RUN a2enmod rewrite expires remoteip

 # Install phpredis
 RUN pecl install -o -f redis \
@@ -21,5 +21,13 @@ RUN pecl install -o -f redis \
 # Do not use a privileged port for Apache so it can run as non-root
 ENV PORT 8080
 ENV TLS_PORT 8443
+ENV TRUSTED_PROXY_IP 10.0.0.0/8
+
 RUN sed -i "s/\<80\>/$PORT/g" /etc/apache2/sites-available/000-default.conf /etc/apache2/ports.conf
 RUN sed -i "s/\<443\>/$TLS_PORT/g" /etc/apache2/sites-available/default-ssl.conf /etc/apache2/ports.conf
+RUN sed "s/\tCustomLog \${APACHE_LOG_DIR}\/access.log combined/\tCustomLog \${APACHE_LOG_DIR}\/access.log remoteip/g" /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/default-ssl.conf
+
+RUN echo "RemoteIPTrustedProxy $TRUSTED_PROXY_IP" >> /etc/apache2/apache2.conf
+RUN echo "RemoteIPHeader X-Forwarded-For" >> /etc/apache2/apache2.conf
+# Add custom log format called "remoteip" that uses remoteip module
+RUN echo "LogFormat \"%a %l %u %t \\\"%r\\\" %>s %O\" remoteip" >> /etc/apache2/apache2.conf