Set value of $remote_addr to client IP when TLSPassthrough and Proxy Protocol are enabled

examples/shared-examples/proxy-protocol/README.md

@@ -1,6 +1,7 @@
 # PROXY Protocol
 
 Proxies and load balancers, such as HAProxy or ELB, can pass the client's information (the IP address and the port) to the next proxy or load balancer via the PROXY Protocol. To enable NGINX Ingress Controller to receive that information, use the `proxy-protocol` ConfigMaps configuration key as well as the `real-ip-header` and the `set-real-ip-from` keys. Once you enable the PROXY Protocol, it is enabled for every Ingress and VirtualServer resource.
+**NOTE** TransportServer resource supports PROXY Protocol only when TLS Passthrough is enabled for the Ingress Controller.
 
 ## Syntax
 
@@ -11,11 +12,15 @@ proxy-protocol: "True | False"
 
 Additionally, you must configure the following keys:
 * **real-ip-header**: Set its value to `proxy_protocol`.
-* **set-real-ip-from**: Set its value to the IP address or the subnet of the proxy or the load balancer. See https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
+* **set-real-ip-from**: Set its value to the IP address or the subnet of the proxy or the load balancer. See [set-real-ip-from](https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from)
 
 ## Example
 
-In the example below we configure the PROXY Protocol via a ConfigMaps resource. The IP address of the proxy which is in front of the Ingress Controller is `192.168.192.168`.
+In the example below we configure the PROXY Protocol via a ConfigMaps resource. `set-real-ip-from` is set to `192.168.0.0/16`. This is the CIDR range of the proxy that sits in front of the Ingress Controller in this example. You can set this to `0.0.0.0/0` to trust all IPs.
+After we create the ConfigMaps resource, the client's IP address is available via the `$remote_addr` variable in the NGINX configuration.
+By default, NGINX Ingress Controller logs the value of this variable and also passes the value to the backend service in the `X-Real-IP` header.
+
+The default log format for NGINX is `'$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'`
 
 ```yaml
 kind: ConfigMap
@@ -25,6 +30,5 @@ metadata:
 data:
   proxy-protocol: "True"
   real-ip-header: "proxy_protocol"
-  set-real-ip-from: "192.168.192.168"
+  set-real-ip-from: "192.168.0.0/16"
 ```
-After we create the ConfigMaps resource, in the NGINX configuration the client's IP address is available via the `$remote_addr` variable. By default, NGINX Ingress Controller logs the value of this variable and also passes the value to the backend service in the `X-Real-IP` header.

internal/configs/version1/nginx-plus.tmpl

@@ -308,6 +308,11 @@ stream {
         listen 443{{if .ProxyProtocol}} proxy_protocol{{end}};
         {{if not .DisableIPV6}}listen [::]:443{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
 
+        {{if .ProxyProtocol}}
+        {{range $setRealIPFrom := .SetRealIPFrom}}
+        set_real_ip_from {{$setRealIPFrom}};{{end}}
+        {{end}}
+
         ssl_preread on;
 
         proxy_protocol on;

internal/configs/version1/nginx.tmpl

@@ -242,6 +242,12 @@ stream {
         listen 443{{if .ProxyProtocol}} proxy_protocol{{end}};
         {{if not .DisableIPV6}}listen [::]:443{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
 
+
+        {{if .ProxyProtocol}}
+        {{range $setRealIPFrom := .SetRealIPFrom}}
+        set_real_ip_from {{$setRealIPFrom}};{{end}}
+        {{end}}
+
         ssl_preread on;
 
         proxy_protocol on;