How to set proxy-real-ip-cidr #160

Closed
InsOpDe opened this issue Mar 1, 2021 · 3 comments

Comments

@InsOpDe

InsOpDe commented Mar 1, 2021

I'm using Hetzner load balancers with nginx-ingress-controller, with 10.42.0.0/24 as the network, and the following config:

```yaml
  config:
    use-proxy-protocol: "true"
    proxy-real-ip-cidr: '10.42.0.0/24'
```

and

```yaml
    annotations:
      service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
      load-balancer.hetzner.cloud/name: "external-lb"
      load-balancer.hetzner.cloud/uses-proxyprotocol: "true"
      load-balancer.hetzner.cloud/location: "ngb1"
```

Now my requests include the real-ip headers. That's a good thing!

But now, if I want to make a request from inside the network:

```shell
curl <loadbalancer-ip> -Ls -o /dev/null --header "Host: some-ingress-url.example.com" -v
```

I get

```text
*   Trying <loadbalancer-ip>:80...
* TCP_NODELAY set
* Connected to <loadbalancer-ip> port 80 (#0)
> GET / HTTP/1.1
> Host: some-ingress-url.example.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* Empty reply from server
* Connection #0 to host <loadbalancer-ip> left intact
```

And nginx logs:

```text
2021/03/01 16:06:16 [error] 2669#2669: *4565505 broken header: "GET / HTTP/1.1
Host: some-ingress-url.example.com
User-Agent: curl/7.68.0
Accept: */*

" while reading PROXY protocol, client: 10.42.2.195, server: 0.0.0.0:80
```

Now that sucks!

My limited understanding tells me that this is what proxy-real-ip-cidr is for. And I guess that Hetzner's load balancers do need this info, too. I tried utilizing load-balancer.hetzner.cloud/disable-private-ingress: "true" (I'm not entirely sure what that means), but with no success.

I do not know whether this is by design, or whether my configuration is just wrong.

A workaround would be to use internal names like servicename.namespace.svc.cluster.local instead, but I'm curious whether there is a better solution.
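An added example, not code from the issue author, nginx, ingress-nginx or the Hetzner cloud-controller-manager: a small Python model of what a PROXY-protocol listener does with the first bytes of a connection, and of what a trusted-source setting such as ingress-nginx's proxy-real-ip-cidr (nginx's set_real_ip_from) actually governs. It shows the failure mode from the log above (plain HTTP on a listener that insists on a PROXY header is rejected as a broken header) and the security-relevant part of the CIDR setting: a peer outside the trusted range is not allowed to assert a client address, so an arbitrary in-network client cannot spoof the IP that ends up in logs, rate limits or allow-lists. The function names, the sample request and all addresses are constructed; the trust handling is a model of nginx's behaviour, not its source.

```python
"""Model of a PROXY-protocol (v1) listener with a trusted-source CIDR.
Added example; constructed inputs, not captured traffic."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the plain request curl sent in the issue.
PLAIN_REQUEST = (b"GET / HTTP/1.1\r\n"
                 b"Host: some-ingress-url.example.com\r\n"
                 b"User-Agent: curl/7.68.0\r\n\r\n")
PROXY_V1_MAX = 107  # bytes, including the trailing CRLF, per the v1 spec
# Equivalent of proxy-real-ip-cidr from the issue: peers allowed to assert a client IP.
TRUSTED_CIDRS = [ipaddress.ip_network("10.42.0.0/24")]


def build_proxy_v1(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Build the PROXY v1 line a load balancer prepends to a forwarded connection."""
    fam = "TCP6" if ipaddress.ip_address(src).version == 6 else "TCP4"
    line = f"PROXY {fam} {src} {dst} {sport} {dport}\r\n".encode()
    if len(line) > PROXY_V1_MAX:
        raise ValueError("PROXY v1 header exceeds 107 bytes")
    return line


@dataclass
class Decision:
    real_ip: str          # address the listener would treat as the client
    payload: bytes        # bytes handed on to the HTTP parser
    error: Optional[str]  # set when the listener rejects the connection


def parse_proxy_v1(data: bytes):
    """Return (source_ip or None, remaining_bytes, error or None)."""
    if not data.startswith(b"PROXY "):
        # The situation in the issue: plain HTTP arrives on a listener that
        # requires a PROXY header, so nginx logs "broken header".
        return None, data, "broken header while reading PROXY protocol"
    end = data.find(b"\r\n", 0, PROXY_V1_MAX)
    if end == -1:
        return None, data, "PROXY header unterminated or longer than 107 bytes"
    fields = data[:end].split(b" ")
    rest = data[end + 2:]
    if len(fields) >= 2 and fields[1] == b"UNKNOWN":
        return None, rest, None  # spec: not proxied; fall back to the peer address
    if len(fields) != 6 or fields[1] not in (b"TCP4", b"TCP6"):
        return None, data, "malformed PROXY header"
    try:
        src = ipaddress.ip_address(fields[2].decode())
        ipaddress.ip_address(fields[3].decode())
        if not all(0 < int(p) <= 65535 for p in fields[4:6]):
            raise ValueError
    except ValueError:  # also covers UnicodeDecodeError
        return None, data, "malformed PROXY header"
    return str(src), rest, None


def handle_connection(peer_ip: str, data: bytes, trusted=TRUSTED_CIDRS) -> Decision:
    """Model of `listen ... proxy_protocol` plus `set_real_ip_from` (assumption)."""
    src, rest, err = parse_proxy_v1(data)
    if err:
        return Decision(real_ip=peer_ip, payload=b"", error=err)
    peer = ipaddress.ip_address(peer_ip)
    if src is not None and any(peer in net for net in trusted):
        # Only a peer inside the trusted CIDR may assert the client address.
        return Decision(real_ip=src, payload=rest, error=None)
    # Header consumed, but the sender is not a trusted load balancer: keep the
    # socket peer address so an in-network client cannot spoof the client IP.
    return Decision(real_ip=peer_ip, payload=rest, error=None)


if __name__ == "__main__":
    lb_line = build_proxy_v1("203.0.113.7", "10.42.0.5", 51234, 80)
    print(handle_connection("10.42.2.195", PLAIN_REQUEST))        # broken header
    print(handle_connection("10.42.0.9", lb_line + PLAIN_REQUEST))  # real_ip=203.0.113.7
    print(handle_connection("10.42.2.195", lb_line + PLAIN_REQUEST))  # untrusted peer
```

The "Empty reply from server" in the issue is the first case: the request never passed through the load balancer, so no PROXY line was prepended and the listener gave up before any HTTP was parsed. The CIDR setting does not change that; what it decides is whose PROXY line is believed. That is why the thread's fix (routing in-cluster traffic through a hostname, and later the IPMode change) is the right one rather than widening the trusted range: the trusted CIDR should cover only the load balancer's source addresses, not every pod or node that could reach port 80.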

@LKaemmerling
Member

Hey, basically you encountered a "bug" within the kube proxy (kubernetes/kubernetes#66607). If you use the Load Balancer IP in-cluster the request will never reach the Load Balancer. Therefore we would recommend using the in cluster name or using the load-balancer.hetzner.cloud/hostname annotation.

@InsOpDe
Author

InsOpDe commented Mar 3, 2021

Perfect, this worked!

I just took some arbitrary hostname something.example.com for the annotation and it works now

@InsOpDe InsOpDe closed this as completed Mar 3, 2021
@EarthlingDavey

EarthlingDavey commented May 14, 2021

```yaml
config:
  use-proxy-protocol: "true"
annotations:
  service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
  load-balancer.hetzner.cloud/uses-proxyprotocol: "true"
```

Is this documented anywhere? I couldn't find any reference in any docs. Thanks... load-balancer.hetzner.cloud/uses-proxyprotocol: "true" is a life saver 👊🏼✌️

lukasmetzner pushed a commit that referenced this issue Nov 26, 2024
<!-- section-start changelog -->
### Feature Highlights & Upgrade Notes

#### Load Balancer IPs set to Private IPs

If networking support is enabled, the load balancer IPs are now
populated with the private IPs, unless the
`load-balancer.hetzner.cloud/disable-private-ingress` annotation is set
to `true`. Please make sure that you configured the annotation according
to your needs, for example if you are using `external-dns`.

#### Provided-By Label

We introduced the label `instance.hetzner.cloud/provided-by`, which
will be automatically added to all **new** nodes. This label can have
the values `cloud` or `robot` to distinguish between our products. We
use this label in the csi-driver to ensure the daemonset is only running
on cloud nodes. We recommend to add this label to your existing nodes
with the appropriate value.

- `kubectl label node $CLOUD_NODE_NAME instance.hetzner.cloud/provided-by=cloud`
- `kubectl label node $ROBOT_NODE_NAME instance.hetzner.cloud/provided-by=robot`

#### Load Balancer IPMode Proxy

Kubernetes KEP-1860 added a new field to the Load Balancer Service
Status that allows us to mark if the IP address we add should be
considered as a Proxy (always send traffic here) and VIP (allow
optimization by keeping the traffic in the cluster).

Previously Kubernetes considered all IPs as VIP, which caused issues
when the PROXY protocol was in use. We have previously recommended
to use the annotation `load-balancer.hetzner.cloud/hostname` to
workaround this problem.

We now set the new field to `Proxy` if the PROXY protocol is active so
the issue should no longer appear. If you only added the
`load-balancer.hetzner.cloud/hostname` annotation for this problem, you
can remove it after upgrading.

Further information:

- kubernetes/enhancements#1860
- #160 (comment)

### Features

- **service**: Specify private ip for loadbalancer (#724)
- add support & tests for Kubernetes 1.31 (#747)
- **helm**: allow setting extra pod volumes via chart values (#744)
- **instance**: add label to distinguish servers from Cloud and Robot (#764)
- emit event when robot server name and node name mismatch (#773)
- **load-balancer**: Set IPMode to "Proxy" if load balancer is configured to use proxy protocol (#727) (#783)
- **routes**: emit warning if cluster cidr is misconfigured (#793)
- **load-balancer**: ignore nodes that don't use known provider IDs (#780)
- drop tests for kubernetes v1.27 and v1.28

### Bug Fixes

- populate ingress private ip when disable-private-ingress is false
(#715)
- wrong version logged on startup (#729)
- invalid characters in label instance-type of robot servers (#770)
- no events are emitted as broadcaster has no sink configured (#774)

### Kubernetes Support

This version was tested with Kubernetes 1.29 - 1.31. Furthermore, we
dropped v1.27 and v1.28 support.

<!-- section-end changelog -->

---

<details>
<summary><h4>PR by <a
href="https://github.com/apricote/releaser-pleaser">releaser-pleaser</a>
🤖</h4></summary>

If you want to modify the proposed release, add you overrides here. You
can learn more about the options in the docs.

## Release Notes

### Prefix / Start

This will be added to the start of the release notes.

```rp-prefix
### Feature Highlights & Upgrade Notes

#### Load Balancer IPs set to Private IPs

If networking support is enabled, the load balancer IPs are now populated with the private IPs, unless the `load-balancer.hetzner.cloud/disable-private-ingress` annotation is set to `true`. Please make sure that you configured the annotation according to your needs, for example if you are using `external-dns`.

#### Provided-By Label

We introduced the label `instance.hetzner.cloud/provided-by`, which will be automatically added to all **new** nodes. This label can have the values `cloud` or `robot` to distinguish between our products. We use this label in the csi-driver to ensure the daemonset is only running on cloud nodes. We recommend to add this label to your existing nodes with the appropriate value.

- `kubectl label node $CLOUD_NODE_NAME instance.hetzner.cloud/provided-by=cloud`
- `kubectl label node $ROBOT_NODE_NAME instance.hetzner.cloud/provided-by=robot`

#### Load Balancer IPMode Proxy

Kubernetes KEP-1860 added a new field to the Load Balancer Service Status that allows us to mark if the IP address we add should be considered as a Proxy (always send traffic here) and VIP (allow optimization by keeping the traffic in the cluster).

Previously Kubernetes considered all IPs as VIP, which caused issues when the PROXY protocol was in use. We have previously recommended to use the annotation `load-balancer.hetzner.cloud/hostname` to workaround this problem.

We now set the new field to `Proxy` if the PROXY protocol is active so the issue should no longer appear. If you only added the `load-balancer.hetzner.cloud/hostname` annotation for this problem, you can remove it after upgrading.

Further information:
- kubernetes/enhancements#1860
- #160 (comment)
```

### Suffix / End

This will be added to the end of the release notes.

```rp-suffix
### Kubernetes Support

This version was tested with Kubernetes 1.29 - 1.31. Furthermore, we dropped v1.27 and v1.28 support.
```

</details>

Co-authored-by: releaser-pleaser <>