Source IP address is lost with nginx-ingress, istio, others, behind a GCE Ingress #1219

Closed
gustavovalverde opened this issue Aug 15, 2020 · 1 comment

@gustavovalverde

I've been working with some setups in GKE using GLB (through the GCE Ingress) + Nginx Ingress. I finally got this working with HTTP --> HTTPS redirection + Cert Manager + NEGs + BackendConfig (custom healthcheck).

Now my problem is the source IP. I've tested a bunch of combinations and went from getting 127.0.0.1 to having the internal node IP, but not the source IP from the client.

Even setting up nginx-ingress with this configuration does not solve the problem. On Istio it is a more complex configuration.

controller:
  config:
    use-forward-headers: "true"
    proxy-real-ip-cidr: "130.211.0.0/22,35.191.0.0/16,[EXTERNAL_LB_IP]/32"
    compute-full-forward-for: "true"
    # use-proxy-protocol: "true"

The use-proxy-protocol setting is commented out (even though this is supposed to fix the issue, as a last resort) based on known issues:
#1002

This issue is kind of famous as it's all over the internet, with old issues like these:
jetstack/kube-lego#57
kubernetes/ingress-nginx#3431
kubernetes/ingress-nginx#1815

Not having the source IP address of the clients breaks a bunch of use cases and traceability. And there's no official documentation to work around this issue.

@gustavovalverde
Author

Solved by using this configuration, as enable-real-ip was not available a few weeks ago:

  config:
    enable-real-ip: "true"
    use-forwarded-headers: "true"
    proxy-real-ip-cidr: "130.211.0.0/22,35.191.0.0/16,[L7-LB_EXTERNAL_IP]/32"
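
Why the proxy-real-ip-cidr list matters in the configurations above, as an added example (not code from this thread or from ingress-nginx): a sketch of right-to-left X-Forwarded-For resolution against trusted proxy ranges, assuming recursive matching in the style of nginx's realip module and a load balancer that appends `<client-ip>, <lb-ip>` to the header. `resolve_client_ip`, the sample peers and 203.0.113.10 (standing in for the load balancer IP placeholder) are constructed for illustration.

```python
import ipaddress

# Proxy ranges quoted in the thread; 203.0.113.10/32 is a constructed
# stand-in for the [L7-LB_EXTERNAL_IP] placeholder (assumption).
TRUSTED = ["130.211.0.0/22", "35.191.0.0/16", "203.0.113.10/32"]


def resolve_client_ip(peer, xff, trusted_cidrs):
    """Return the address a realip-style resolver would record.

    peer: address of the TCP peer that connected to the ingress
    xff:  raw X-Forwarded-For header value, or None
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def parse(addr):
        try:
            return ipaddress.ip_address(addr)
        except ValueError:
            return None

    def trusted(ip):
        return ip is not None and any(ip in n for n in nets)

    # Honour the header only when the direct peer is a trusted proxy;
    # otherwise any client could claim an arbitrary source address.
    if not xff or not trusted(parse(peer)):
        return peer

    candidate = peer
    # Walk right to left: each trusted hop vouches for the entry before it.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        ip = parse(hop)
        if ip is None:
            break  # stop at an unparsable entry, keep the last good address
        candidate = hop
        if not trusted(ip):
            break  # first address not vouched for by a trusted proxy
    return candidate


if __name__ == "__main__":
    # Constructed request: the client spoofs 1.2.3.4, the proxy appends the rest.
    header = "1.2.3.4, 198.51.100.7, 203.0.113.10"
    print(resolve_client_ip("130.211.1.5", header, TRUSTED))      # full list
    print(resolve_client_ip("130.211.1.5", header, TRUSTED[:2]))  # LB IP missing
```

With the load balancer address left out of the trusted list, the resolver stops at that address, so logs and rate limits key on the load balancer rather than the client.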
