I'm having some trouble getting the correct IP headers. I am using the following proxy setup:
Cloudflare -> Amazon NLB -> Ingress-nginx (k8s)
My ingress-nginx has the following config:

    config:
      use-forwarded-headers: "true"
      real-ip-header: "CF-Connecting-IP"
      forwarded-for-header: "CF-Connecting-IP"
      set-real-ip-from: "0.0.0.0/0"
      proxy-buffer-size: "16k"
      proxy-buffers-number: "8"

For some reason the x-real-ip header is correct, but the x-forwarded-for header is not:
REMOTE ADDR: 127.0.0.1
X FORWARDED FOR: 10.0.102.38 <- Wrong
X-REAL-IP: xx.xxx.xxx.xxx <- Correct
The ingress-nginx loadbalancer (NLB) has:
External Traffic Policy: Local
as per the doc. And the following annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: 3600
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: *
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: xxxx
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
service.beta.kubernetes.io/aws-load-balancer-type: nlb
To be on the safe side I also enabled ExternalTrafficPolicy: Local on the app's service, but to no avail.
Enabling use-proxy-protocol: "true" in the config breaks the app (probably because of Cloudflare).
2021-09-19 12:42:17
" while reading PROXY protocol, client: x.x.x.x, server: 0.0.0.0:80
Any help would be appreciated.
Cloudflare supports the X-Forwarded-For header, so you could try configuring:

    config:
      [...]
      forwarded-for-header: "X-Forwarded-For"

You seem to be able to read CF-Connecting-IP correctly in your setup, so X-Forwarded-For should also be available in the request coming from Cloudflare.
For more information you can refer to the support article.
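
The following is an added example, not code from the question, the answer or ingress-nginx: a simplified Python model of how nginx's realip logic combines `set-real-ip-from` with the configured header (`CF-Connecting-IP` or `X-Forwarded-For`), going slightly beyond the thread by also covering recursive lookup over a multi-hop `X-Forwarded-For`. It shows that with `0.0.0.0/0` the header is accepted from any peer, while a restricted range makes nginx fall back to the peer address. Assumptions: `10.0.0.0/16` stands in for the NLB subnet, and every address except `10.0.102.38` is a constructed documentation address.

```python
import ipaddress

def parse_ip(text):
    """Return an ip_address object, or None when text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def is_trusted(ip, trusted_cidrs):
    """True when ip falls inside one of the set-real-ip-from ranges."""
    return any(ip in ipaddress.ip_network(cidr) for cidr in trusted_cidrs)

def resolve_client_ip(peer, header_value, trusted_cidrs, recursive=False):
    """Simplified model of nginx realip: pick the address treated as the client."""
    peer_ip = parse_ip(peer)
    if peer_ip is None:
        raise ValueError(f"invalid peer address: {peer!r}")
    # The header is only honoured when the directly connected peer is trusted.
    if not header_value or not is_trusted(peer_ip, trusted_cidrs):
        return str(peer_ip)
    hops = [parse_ip(h) for h in header_value.split(",")]
    if any(h is None for h in hops):
        return str(peer_ip)  # malformed header: keep the peer address
    if not recursive:
        return str(hops[-1])  # rightmost entry, appended by the nearest proxy
    for hop in reversed(hops):  # recursive mode: skip trusted hops from the right
        if not is_trusted(hop, trusted_cidrs):
            return str(hop)
    return str(hops[0])

# Constructed sample values (documentation ranges); 10.0.102.38 is the
# internal address from the question, 10.0.0.0/16 an assumed NLB subnet.
DIRECT_PEER = "198.51.100.20"   # a peer that did not come through the proxy chain
CLAIMED_IP = "203.0.113.7"      # value that peer places in CF-Connecting-IP
TRUST_ALL = ["0.0.0.0/0"]       # set-real-ip-from as posted in the question
TRUST_NLB = ["10.0.0.0/16"]     # assumption: only the load balancer subnet

if __name__ == "__main__":
    print(resolve_client_ip(DIRECT_PEER, CLAIMED_IP, TRUST_ALL))
    print(resolve_client_ip(DIRECT_PEER, CLAIMED_IP, TRUST_NLB))
    xff = "198.51.100.99, 203.0.113.7"
    print(resolve_client_ip("10.0.102.38", xff, TRUST_NLB, recursive=True))
```

The first call returns the header value because every peer is trusted; the second returns the peer address because the header is ignored for peers outside the trusted range.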