From 07e7139b79e2b66ddf3766c60ce2b8e2c01e1db1 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 31 Oct 2019 11:18:21 +0100
Subject: [PATCH] simplesaml virtualhost: set the real client ip address when behind a load balancer.
---
 library/roles/simplesaml/templates/nginx-virthost.conf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/library/roles/simplesaml/templates/nginx-virthost.conf b/library/roles/simplesaml/templates/nginx-virthost.conf
index 79b76af2..01f4f55f 100644
--- a/library/roles/simplesaml/templates/nginx-virthost.conf
+++ b/library/roles/simplesaml/templates/nginx-virthost.conf
@@ -28,6 +28,14 @@ server {
 include /etc/nginx/snippets/nginx-server-ssl.conf;
 server_tokens off;
 
+ {% if haproxy_ips is defined %}
+ # We are behind haproxy
+ {% for ip in haproxy_ips %}
+ set_real_ip_from {{ ip }};
+ {% endfor %}
+ real_ip_header X-Forwarded-For;
+ {% endif %}
+
 # Add headers to serve security related headers
 # Before enabling Strict-Transport-Security headers please read into this
 # topic first.
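Review bot: The comment `# We are behind haproxy` on the added block does not record the trust assumption these directives rely on: every peer listed in `haproxy_ips` can now set the address that nginx logs and, presumably, hands to SimpleSAMLphp. With `real_ip_recursive` left at its default, nginx takes the last address in `X-Forwarded-For`, which is the real client only if haproxy appends it itself (`option forwardfor`); that setting is not visible in this patch and should be confirmed. I would expand the comment to something like `# Trust X-Forwarded-For only from the haproxy addresses below; haproxy must append the client address (option forwardfor)`, and keep `haproxy_ips` to individual balancer addresses rather than wide ranges. The `server {` block starts and ends outside the hunk.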