What this PR does / why we need it:

The PR #1489 added a new ConfigMap option (`compute-full-forwarded-for`) that allows us to compute a full `X-Forwarded-For` header as described in https://tools.ietf.org/html/rfc7239, section 5.2. With this option enabled, the Nginx Ingress adds the remote IP to the list of IPs (empty or not) of the `X-Forwarded-For` header (header name configurable). This is fine for requests proxied using the HTTP protocol.

When using the PROXY protocol to forward the request to the Nginx Ingress (with `use-proxy-protocol=true` in the Ingress Controller ConfigMap), with the current implementation the remote IP is added to the list, which is the L4 proxy IP. As discussed in #1489, this is not the expected behavior as: `X-Forwarded-For` header

This PR will change the behavior of the Ingress when `compute-full-forwarded-for` and `use-proxy-protocol` are set to true, and adds the client IP as sent in the PROXY protocol to the `X-Forwarded-For` header.

Example with `compute-full-forwarded-for` enabled

With `use-proxy-protocol=false`, for a client (ip 1.2.3.4) that makes a request to a L7 load-balancer (ip 10.0.0.1) in front of the Ingress, the `X-Forwarded-For` received by the back-end is `1.2.3.4, 10.0.0.1` (unchanged)

With `use-proxy-protocol=true`, for a client (ip 1.2.3.4) that makes a request to a L4 load-balancer (ip 10.0.0.1) in front of the Ingress, the `X-Forwarded-For` received by the back-end would be `1.2.3.4` with this PR. It would have been `10.0.0.1` without.

Special notes for your reviewer:
I used HAProxy in front of the Ingress to test the behavior with the PROXY protocol. I can post the configuration and yaml file if needed.
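The two cases in the description can be modelled in a few lines. This is an added example, not code from the PR or from ingress-nginx: the function names, the sample PROXY protocol v1 header (including its 10.0.0.2 destination and port numbers) and the fallback to the peer address on `PROXY UNKNOWN` are assumptions of this sketch.

```python
import ipaddress
from typing import Optional

# Constructed sample: what an L4 load-balancer would send ahead of the HTTP
# request for client 1.2.3.4 (destination address and ports are made up).
SAMPLE_PROXY_LINE = b"PROXY TCP4 1.2.3.4 10.0.0.2 56324 443\r\n"


def parse_proxy_v1(line: bytes) -> Optional[str]:
    """Return the source (client) address of a PROXY protocol v1 header,
    or None for 'PROXY UNKNOWN'. Raises ValueError on malformed input."""
    if len(line) > 107 or not line.endswith(b"\r\n"):  # v1 lines are <= 107 bytes
        raise ValueError("not a PROXY v1 header line")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) < 2 or parts[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if parts[1] == "UNKNOWN":
        return None
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("unsupported or truncated header")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol field")
    if not all(p.isdigit() and int(p) <= 65535 for p in parts[4:]):
        raise ValueError("bad port")
    return str(src)


def forwarded_for(peer_addr: str, incoming_xff: str,
                  use_proxy_protocol: bool = False,
                  proxy_line: Optional[bytes] = None) -> str:
    """Model of compute-full-forwarded-for=true: append one address to the
    incoming X-Forwarded-For list (which may be empty)."""
    client = peer_addr  # HTTP case: the TCP peer is the previous hop
    if use_proxy_protocol:
        if proxy_line is None:
            raise ValueError("PROXY protocol enabled but no header received")
        # Assumption of this sketch: fall back to the peer on PROXY UNKNOWN.
        client = parse_proxy_v1(proxy_line) or peer_addr
    return f"{incoming_xff}, {client}" if incoming_xff else client


if __name__ == "__main__":
    print(forwarded_for("10.0.0.1", "1.2.3.4"))                      # L7 case
    print(forwarded_for("10.0.0.1", "", True, SAMPLE_PROXY_LINE))    # L4 case
```

In this model a value the client itself put in `X-Forwarded-For` is passed through in front of the appended address, so only the last entry is one the Ingress wrote.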