Is this a BUG REPORT or FEATURE REQUEST?: FEATURE REQUEST
NGINX Ingress controller version: 0.11.0
Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.3", GitCommit:"d2835416544f298c919e2ead3be3d0864b52323b", GitTreeState:"clean", BuildDate:"2018-02-09T21:51:06Z", GoVersion:"go1.9.4", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.5+coreos.0", GitCommit:"0d082e389e1f4311dc5d225eb77f9688c50d340a", GitTreeState:"clean", BuildDate:"2018-03-21T21:10:44Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Environment:
NAME="Ubuntu"
VERSION="16.04.4 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.4 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
uname -a: Linux dropkube1 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:03:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
What happened:
I need to whitelist my nginx ingress with CloudFlare IP ranges and simultaneously use proxy-real-ip-cidr + forwarded-for-header: "cf-connecting-ip" for retrieving real client's ip address. How can I do this?
At the moment I can whitelist only by $the_real_ip, which is actually the X-Forwarded-For header or the forwarded-for-header setting from the ConfigMap (for me it's cf-connecting-ip):
map $http_cf_connecting_ip $the_real_ip {
    # header value if the request carries one, otherwise the TCP peer address
    default $remote_addr;
}
@Maxpain177 you can do that using forwarded-for-header: CF-Connecting-IP in the configuration configmap
It would be cool if you added the ability to change $the_real_ip to another header (e.g. $remote_addr) in this part:
geo $the_real_ip $deny_tpNsjYzYpsBMxsfPXOCshLDuMwCsaZP {
    default 1;
    103.21.244.0/22 0;
    103.22.200.0/22 0;
    103.31.4.0/22 0;
    104.16.0.0/12 0;
    108.162.192.0/18 0;
    131.0.72.0/22 0;
    141.101.64.0/18 0;
    162.158.0.0/15 0;
    172.64.0.0/13 0;
    173.245.48.0/20 0;
    188.114.96.0/20 0;
    190.93.240.0/20 0;
    197.234.240.0/22 0;
    198.41.128.0/17 0;
}
@aledbf, I'm already using forwarded-for-header: CF-Connecting-IP and it changes $the_real_ip, which is used in nginx's geo directive for whitelisting. I need to change $the_real_ip in the geo directive to $remote_addr.
I need the ability to allow traffic from a CDN (not only CloudFlare) and disallow all other traffic. At the same time I need to resolve the end-user IP from the X-Forwarded-For (or CF-Connecting-IP) header to see it in ingress logs and applications.
A simple whitelist doesn't work because it uses the client IP, which is overwritten by forwarded-for-header.
Any updates?
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
Yes any updates? Please don't close this issue.
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
@fejta-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/reopen
@Maxpain177: Reopening this issue.
In response to this:
/reopen
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
@fejta-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/reopen
@Maxpain177: Reopening this issue.
In response to this:
/reopen
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
I was able to achieve a similar use case using the following ConfigMap data on NGINX Ingress Controller v0.17.1:
http-snippet: |
  # $realip_remote_addr keeps the TCP peer address even after the realip
  # module has rewritten $remote_addr from the forwarded header
  map $realip_remote_addr $deny_sidedoor {
    default 1;
    <load balancer IP> 0;
  }
server-snippet: |
  if ($deny_sidedoor) { return 403; }
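As an added example (not the controller's code and not posted by anyone in this thread), the following Python models the two whitelist strategies discussed here: the 0.11 geo block that evaluates $the_real_ip (the CF-Connecting-IP header once forwarded-for-header is set) and the peer-address check that the $realip_remote_addr workaround above performs. The CIDR list is the Cloudflare list from the geo block earlier in the thread; the function names, the sample peer/header pairs and the TEST-NET addresses are constructed for this example. Run on those samples it shows both halves of the reporter's complaint: a genuine request through the CDN is rejected because the whitelist sees the end-user address, while a request that reaches the ingress directly with a forged CF-Connecting-IP header is accepted.

```python
import ipaddress
from typing import List, Optional, Tuple

# Cloudflare IPv4 ranges exactly as listed in the geo block earlier in
# this thread; another CDN's published ranges would go here instead.
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "197.234.240.0/22", "198.41.128.0/17",
)]


def is_ip(value: Optional[str]) -> bool:
    """True if value is a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value or "")
        return True
    except ValueError:
        return False


def in_ranges(ip: Optional[str], ranges) -> bool:
    """True if ip parses and lies inside one of ranges (what nginx geo does)."""
    if not is_ip(ip):          # a junk header value never matches a range
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def the_real_ip(remote_addr: str, cf_connecting_ip: Optional[str]) -> str:
    """Mirror of the controller's map: the header if sent, else the TCP peer."""
    return cf_connecting_ip if cf_connecting_ip else remote_addr


def whitelist_on_real_ip(remote_addr: str,
                         cf_connecting_ip: Optional[str]) -> Tuple[bool, str]:
    """0.11 behaviour: the geo block evaluates $the_real_ip, i.e. the header.
    Returns (allowed, address the request would be logged under)."""
    client = the_real_ip(remote_addr, cf_connecting_ip)
    return in_ranges(client, CLOUDFLARE_V4), client


def whitelist_on_peer(remote_addr: str, cf_connecting_ip: Optional[str],
                      trusted=CLOUDFLARE_V4) -> Tuple[bool, str]:
    """Requested behaviour: check the TCP peer ($realip_remote_addr) against
    the CDN ranges, and only then take the client address from the header
    so logs and applications still see the end user."""
    if not in_ranges(remote_addr, trusted):
        return False, remote_addr      # side door: did not arrive via the CDN
    client = cf_connecting_ip if is_ip(cf_connecting_ip) else remote_addr
    return True, client


# Constructed sample requests: (description, TCP peer, CF-Connecting-IP header).
# 172.64.1.1 is inside 172.64.0.0/13; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for an attacker and for an end user.
SAMPLE_REQUESTS = [
    ("via Cloudflare edge",    "172.64.1.1",  "198.51.100.23"),
    ("direct, header spoofed", "203.0.113.7", "103.21.244.9"),
    ("direct, no header",      "203.0.113.7", None),
    ("direct, junk header",    "203.0.113.7", "not-an-ip"),
]


def evaluate(requests=SAMPLE_REQUESTS) -> List[dict]:
    """Run both strategies over the sample requests and collect the verdicts."""
    rows = []
    for desc, peer, header in requests:
        rows.append({
            "request": desc,
            "geo_on_the_real_ip": whitelist_on_real_ip(peer, header),
            "geo_on_peer": whitelist_on_peer(peer, header),
        })
    return rows


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The nginx equivalent of whitelist_on_peer is to list the CDN ranges in proxy-real-ip-cidr (set_real_ip_from) together with forwarded-for-header: CF-Connecting-IP (real_ip_header), so the realip module rewrites $remote_addr only for connections that actually come from those ranges while $realip_remote_addr keeps the peer for the geo check. One caveat for the load-balancer variant of the workaround: when the ingress sits behind a cloud load balancer or kube-proxy NAT, the peer nginx sees may be the balancer or node address rather than the CDN edge unless the source address is preserved (externalTrafficPolicy: Local or PROXY protocol), and the whitelist is then only as strong as the balancer's own restriction to CDN traffic.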
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
@fejta-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/reopen
@sentanos: You can't reopen an issue/PR unless you authored it or you are a collaborator.
In response to this:
/reopen
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/reopen
@Maxpain177: Reopened this issue.
In response to this:
/reopen
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
@fejta-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This issue is still unresolved and unanswered with an appropriate workaround. Changing the X-Forwarded-For reference will break downstream application behaviour that needs the actual real IP; we need a way to whitelist based on source IP instead of real IP while maintaining the X-Forwarded-For header.
@Maxpain177 this needs to be re-opened again
/reopen
@Maxpain177: Reopened this issue.
In response to this:
/reopen
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Closing. @Routhinator if you see this issue, please open a new one. Also please use the template issue so we can reproduce it.
Whitelisting by remote_addr, not by $the_real_ip (X-Forwarded-For)
The variable $the_real_ip was removed in 0.26.0 #4557