Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.): no
What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): cloudflare, proxy_protocol
Is this a BUG REPORT or FEATURE REQUEST? (choose one):
Feature Request
NGINX Ingress controller version:
0.26.1
Kubernetes version (use kubectl version):
1.12.10-eks
Environment:
What happened:
We like Cloudflare. And we have to use proxy protocol because we use ELB on AWS.
The problem is that the proxy_protocol IP equals the Cloudflare proxy server's IP, and this can be fixed only by changing the default nginx.tmpl (example: https://github.com/kubernetes/ingress-nginx/issues/3529#issuecomment-444941817). This is a headache because nginx.tmpl is changed often.
What you expected to happen:
It would be great if I could fix this using a ConfigMap. It doesn't look as if it is a big deal; I'd like to confer about it.
How to reproduce it (as minimally and precisely as possible):
Cloudflare + ELB.
Anything else we need to know:
@okgolove using the next annotation should solve the issue
````
nginx.ingress.kubernetes.io/server-snippet: |
  real_ip_header CF-Connecting-IP;
````
@aledbf hmmm. I haven't thought about something like this.
I need to test it.
As far as I understand it can be used with server-snippet to set it up globally. Am I right?
> As far as I understand it can be used with server-snippet to set it up globally. Am I right?
Correct.
It seems it works for $remote_addr.
What about $the_real_ip? For example, whitelist functionality uses $the_real_ip.
> What about $the_real_ip?
That was removed in 0.26, only $remote_addr exists and is used in the whitelist functionality (https://github.com/kubernetes/ingress-nginx/pull/4557)
Thank you.
It seems I got it working.
The config:
````
proxy-real-ip-cidr: "173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32,10.0.0.0/8"
use-proxy-protocol: "True"
server-snippet: |
  real_ip_header CF-Connecting-IP;
````
Do you need Cloudflare Enterprise or higher plan to get this working?
@okgolove can you share more info?
> Do you need Cloudflare Enterprise or higher plan to get this working?
Hi @arvtiwar!
No, it doesn't depend on a plan type.
The header (CF-Connecting-IP) always exists if a host is behind Cloudflare.
Thank you very much
one more question - the above config is part of which config map?
- ingress-controller-leader-nginx
- ingress-nginx-controller
- nginx-configuration
This is ingress-nginx-controller ConfigMap.
thanks
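Added example (not part of the thread or of ingress-nginx): a Python model of how NGINX's realip directives decide `$remote_addr` with the settings discussed above, where `real_ip_header CF-Connecting-IP` is honoured only when the sending address falls inside a `proxy-real-ip-cidr` range (rendered as `set_real_ip_from`). The function names and sample addresses are constructed, and the CIDR list is a subset of the one posted.

```python
import ipaddress

# Subset of the proxy-real-ip-cidr value posted in the thread (not the full list).
TRUSTED_CIDRS = "173.245.48.0/20,2400:cb00::/32,10.0.0.0/8"
REAL_IP_HEADER = "CF-Connecting-IP"


def parse_cidrs(value):
    """Split a comma-separated proxy-real-ip-cidr string into network objects."""
    return [ipaddress.ip_network(c.strip()) for c in value.split(",") if c.strip()]


def resolve_remote_addr(peer, headers, trusted, header_name=REAL_IP_HEADER):
    """Return the address that would end up in $remote_addr.

    peer    -- address the realip module compares against the trusted ranges
    headers -- request headers as a dict (looked up case-insensitively)
    trusted -- networks from parse_cidrs()
    """
    peer_ip = ipaddress.ip_address(peer)
    if not any(peer_ip.version == n.version and peer_ip in n for n in trusted):
        return str(peer_ip)  # untrusted sender: the header is ignored
    wanted = header_name.lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if value is None:
        return str(peer_ip)  # header absent: nothing to substitute
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return str(peer_ip)  # malformed header: keep the peer address


if __name__ == "__main__":
    nets = parse_cidrs(TRUSTED_CIDRS)
    # Constructed sample requests (documentation address ranges).
    samples = [
        ("173.245.48.10", {"CF-Connecting-IP": "203.0.113.7"}),  # trusted range
        ("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"}),   # not trusted
        ("10.1.2.3", {"CF-Connecting-IP": "not-an-ip"}),         # bad header
    ]
    for peer, hdrs in samples:
        print(peer, "->", resolve_remote_addr(peer, hdrs, nets))
```

Every range in the trusted list is allowed to set the client address, so a broad entry such as `10.0.0.0/8` extends that trust to every host inside it.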