Service is seeing the IP address from the ingress controller instead of client IPs #164

Closed
jokoso opened this issue Nov 9, 2021 · 6 comments
Labels
Ingress Anything to do with ingress or ingress controllers


@jokoso

jokoso commented Nov 9, 2021

This can be observed by looking at the log from the pod.

I would like client IP addresses to be observable from the Nextcloud service, e.g. so it can throttle login attempts properly.

I'm using ingress-nginx as my k8s cluster ingress controller and it sets the appropriate headers automatically. However, the apache2 config file /etc/apache2/conf-available/remoteip.conf of the web server on the pod/container is configured as follows:

RemoteIPHeader X-Real-IP
RemoteIPTrustedProxy 10.0.0.0/8
RemoteIPTrustedProxy 172.16.0.0/12
RemoteIPTrustedProxy 192.168.0.0/16

which is not bad, but I had to change mine to something like:

RemoteIPHeader X-Real-IP
RemoteIPInternalProxy 10.0.0.0/8
RemoteIPInternalProxy 172.16.0.0/12
RemoteIPInternalProxy 192.168.0.0/16

for client IPs to be accepted by apache2 and thus the Nextcloud service.

It would be really nice to be able to configure the contents of this file in values.yaml if necessary.

@vasanthaganeshk

@jokoso, what load balancer are you using? Are you able to see your source IP in ingress logs?

@vasanthaganeshk

vasanthaganeshk commented Feb 11, 2022

@jokoso, try adding this to your values.yaml, you might want to adjust the IP addresses:

  configs:
    proxy.config.php: |-
      <?php
      $CONFIG = array (
        'trusted_proxies' => array(
          0 => '127.0.0.1',
          1 => '10.0.0.0/8',
        ),
        'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
      );

@jokoso
Author

jokoso commented Feb 17, 2022

I'm using metallb and yup. I already have the trusted_proxies part set to my pod network CIDR.

@sgissi

sgissi commented Jul 22, 2022

I have the same problem: the pod logs are showing the proxy IP instead of the real client. The reason is that my clients are in the local network with private IP addresses, and that is not supported by RemoteIPTrustedProxy, only by RemoteIPInternalProxy. Setting trusted_proxies in the Nextcloud configuration doesn't help, as access/error logs are generated by Apache.

The current configuration is a reasonable default; you can overlay an updated configuration file by creating a new external ConfigMap and then mapping the specific file over:

ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: nextcloud-apache-config
  namespace: apps
data:
  remoteip.conf: |-
    RemoteIPHeader X-Real-IP
    RemoteIPInternalProxy 10.0.0.0/8

values.yaml:

nextcloud:
  extraVolumes:
    - name: nextcloud-apache-config
      configMap:
        defaultMode: 420
        name: nextcloud-apache-config
  extraVolumeMounts:
    - mountPath: /etc/apache2/conf-enabled/remoteip.conf
      name: nextcloud-apache-config
      subPath: remoteip.conf

I hope it helps!
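
The difference between the two directives discussed in this thread, as an added example that is not part of the original comments and is not Apache's or the chart's code: a simplified Python model of how mod_remoteip chooses the client IP, following the Apache documentation's description of RemoteIPTrustedProxy and RemoteIPInternalProxy. The addresses (ingress pod 10.42.0.15, LAN client 192.168.1.50, public client 203.0.113.7) and the function names are constructed for illustration, and at least one proxy directive is assumed to be configured.

```python
import ipaddress

# Ranges a RemoteIPTrustedProxy may not vouch for (per the Apache mod_remoteip docs).
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]
PUBLIC_V6 = ipaddress.ip_network("2000::/3")


def is_private(addr):
    if addr.version == 4:
        return any(addr in net for net in PRIVATE_V4)
    return addr not in PUBLIC_V6


def resolve_client_ip(peer, header_value, proxies):
    """Simplified model of how mod_remoteip picks the client IP (hypothetical helper).

    peer         -- address of the TCP connection as Apache sees it
    header_value -- value of the RemoteIPHeader (one IP or a comma-separated list)
    proxies      -- list of (cidr, internal) pairs; internal=True models
                    RemoteIPInternalProxy, internal=False models RemoteIPTrustedProxy
    """
    nets = [(ipaddress.ip_network(cidr), flag) for cidr, flag in proxies]
    current = ipaddress.ip_address(peer)
    internal = True  # stays True only while every hop so far was an internal proxy
    hops = [h.strip() for h in header_value.split(",") if h.strip()]
    while hops:
        match = next((flag for net, flag in nets if current in net), None)
        if match is None:      # the current hop is not a listed proxy: header ignored
            break
        internal = internal and match
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:     # a nonsensical header value is ignored
            break
        if not internal and is_private(candidate):
            break              # a trusted (external) proxy cannot present a private IP
        current = candidate
        hops.pop()
    return str(current)


if __name__ == "__main__":
    pod, lan, public = "10.42.0.15", "192.168.1.50", "203.0.113.7"  # constructed samples
    for label, flag in (("RemoteIPTrustedProxy", False), ("RemoteIPInternalProxy", True)):
        cfg = [("10.0.0.0/8", flag)]
        print(label, resolve_client_ip(pod, lan, cfg), resolve_client_ip(pod, public, cfg))
```

Because RemoteIPInternalProxy makes Apache accept whatever address a matching peer places in the header, the listed range is best kept as narrow as the ingress controller's own addresses allow, especially when the result feeds login throttling.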

@jokoso
Author

jokoso commented Jul 23, 2022

You're absolutely right, @sgissi.

The current configuration is a reasonable default, you can overlay an updated configuration file by creating a new external ConfigMap and then map the specific file over: ...

Thanks for the hint, I think that's an elegant solution. 👌 Closing the issue.

@christensenjairus

Absolutely perfect solution, @sgissi 👌

@jessebot jessebot added the Ingress Anything to do with ingress or ingress controllers label May 1, 2024