[nginx] Remote IP address not preserved with TLS in spite of externalTrafficPolicy: Local #1067
Comments
Hi,
I am not using an additional HTTP load balancer in front of the nginx ingress controllers, so I cannot use the proxy protocol.
EDIT: Adding that setting
EDIT2: It turns out this is not a good solution and causes nginx to become unresponsive. See below for details.
@rolftimmermans where are you running your cluster? What version of k8s?
Our cluster is on version 1.7.2 at Google Cloud (GKE).
@rolftimmermans how are you exposing the controller? Using a service type=Loadbalancer?
Yes. Below is the configuration. Service with
The relevant ingress configuration:
Ok, so setting Nginx at some point may become confused and stop responding to requests properly. It will cause connection timeouts for lots of clients. Logs are full of the following type of entries:
Below are observations based on So it seems the following is the problem. This scenario happens
By default the following configuration is generated (irrelevant parts omitted). Note that the real IP address is parsed from the
Contrast this to the following scenario. If
So it seems there is no way to serve HTTP & HTTPS and log the source IP for HTTPS if there is no load balancer in front of the nginx ingress controller. Unfortunately I don't know why HTTPS traffic is proxied by golang. I imagine a different configuration would need to be generated for taking the source IP from HTTPS traffic – HTTPS source IP should apparently always use the PROXY protocol since this is how the golang proxy passes on the source IP. The HTTP traffic should be configured to use It seems this is a bug. I'd love to try to propose a patch, but I'm very unfamiliar with the principles behind the nginx controller (e.g.: why is HTTPS traffic proxied by the golang controller?). I hope this is useful for someone more familiar with the code base. Let me know if anyone needs more information.
@rolftimmermans please use the image
Edit: this image contains current master where the ssl-passthrough feature is behind a flag and by default it's disabled.
This is required to enable ssl-passthrough. The golang proxy allows the pipe of the connection to the backend exposing the SSL certificate. The proxy protocol in port 442 is required to not lose the source IP address (internet -> go proxy -> nginx upstream).
In GCP/GKE proxy protocol is available only in HTTPS.
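As an added example (not code from the controller or from nginx), here is a parser for the PROXY protocol v1 line that the go proxy prepends on the internal port 442 described above, and what happens when a connection reaches a `proxy_protocol` listener without that line, which is the "broken header" situation mentioned elsewhere in this thread. The sample connection bytes are constructed; the client address 89.200.35.217 is the one from the issue's HTTP log line.

```python
import ipaddress

# Added illustration for this thread (not nginx or ingress-nginx code): a parser
# for the PROXY protocol v1 line that a `listen ... proxy_protocol;` port, such
# as the controller's internal 442, expects as the first bytes of a connection.
# The go proxy sends it, so the client address survives the hop; a connection
# arriving without it (a bare TLS ClientHello, a plain HTTP request) is one
# nginx rejects with a "broken header" log entry, modelled here by raising.
MAX_V1_HEADER = 107  # longest legal v1 line, CRLF included

class BrokenHeader(ValueError):
    """The first bytes of the connection are not a valid PROXY v1 line."""

def parse_proxy_v1(data: bytes) -> dict:
    """Split a connection's first bytes into the PROXY fields and the payload."""
    if not data.startswith(b"PROXY "):
        raise BrokenHeader("connection does not begin with a PROXY line")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise BrokenHeader("no CRLF within the first %d bytes" % MAX_V1_HEADER)
    fields = data[:end].decode("ascii", errors="replace").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise BrokenHeader("malformed PROXY line: %r" % data[:end])
    family, src, dst, sport, dport = fields[1:]
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        ports = [int(sport), int(dport)]
    except ValueError as exc:
        raise BrokenHeader(str(exc))
    if src_ip.version != dst_ip.version or src_ip.version != (4 if family == "TCP4" else 6):
        raise BrokenHeader("addresses do not match family %s" % family)
    if any(not 0 <= p <= 65535 for p in ports):
        raise BrokenHeader("port out of range")
    return {"family": family, "src": str(src_ip), "dst": str(dst_ip),
            "sport": ports[0], "dport": ports[1], "payload": data[end + 2:]}

def client_ip(first_bytes: bytes):
    """Source address to log, or None when nginx would reject the connection."""
    try:
        return parse_proxy_v1(first_bytes)["src"]
    except BrokenHeader:
        return None

# Constructed samples: the line the go proxy prepends for a client at
# 89.200.35.217 (the address in the issue's HTTP log line) followed by the start
# of a TLS ClientHello, and the same ClientHello arriving with no PROXY line.
FROM_GO_PROXY = b"PROXY TCP4 89.200.35.217 10.64.80.50 51234 442\r\n\x16\x03\x01\x00\xc8\x01"
DIRECT_TLS = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
```

`client_ip(FROM_GO_PROXY)` yields the real client, while `client_ip(DIRECT_TLS)` is `None`: a listener that requires the PROXY line must only ever be reached through the hop that adds it, which is why enabling proxy protocol on a port that external clients hit directly fills the log with broken-header errors.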
Yes, this does seem to work fine. I can now see source addresses being correctly logged for both HTTP and HTTPS traffic. Excellent change, would love to see this in a stable(ish) release!
Closing. Fixed in master.
@rolftimmermans Can you share your nginx service file? I'm facing the exact same issue currently. I'm directly exposing my nginx ingress service with type = loadbalancer, setting enable-proxy-protocol doesn't work for me and I see the same broken header issue.
@rushabhnagda11 I don't understand exactly what you mean with "nginx service file". My (simplified) configuration is listed here. Bottom line is that you should NOT set Instead, upgrade to 0.9.0-beta.12.
@rolftimmermans I've upgraded to 0.9.0-beta.12, however the IP being forwarded to my application server in both headers is the private IP of the machine in which the nginx pod is running.
I'm running 1.5.x, so I've enabled preserving source IP through beta annotations.
Update: Setting this annotation: Makes nginx go unresponsive. The moment I remove it, everything seems fine. By fine I mean that traffic is routed to my application pod. IP is still incorrect.
Is there any other info/config that I can provide? Seems like a solved issue from the ingress side.
@rushabhnagda11 what k8s are you using? Where are you running the cluster? How does the traffic reach the cluster?
k8s version -> k8s 1.5.6, Seems like there is a public subnet that they've given me. And from there the traffic reaches my specific public IP.
On further debugging it looks like in the --configmap option I've specified the following:
```nginx
real_ip_header X-Forwarded-For;
real_ip_recursive on;
set_real_ip_from 10.112.98.0/24;
```
However nginx logs still show the following: Shouldn't 10.112.98.42 be omitted from the x-forwarded-for chain?
Update 1: If I specify the x-forwarded-for header in my request as say 1.2.3.4, then the IP is being logged as 1.2.3.4 through nginx. Does this point to an issue from my client?
Update 2: I logged into my nginx pod using kubectl exec -it and kept playing around with the log_format line in Observations: Which brings me to more fundamental questions:
@aledbf Just checking if this info helps
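As an added model (written for this page, not nginx's own code) of how the realip module derives `$remote_addr` from X-Forwarded-For under the three directives quoted above, with constructed sample chains: the trusted range 10.112.98.0/24 and the hop 10.112.98.42 come from the comment, the client addresses 203.0.113.9 and 198.51.100.7 are constructed. Note that the module only rewrites `$remote_addr`; it never removes entries from the header, so a log format that prints the header still shows every hop.

```python
import ipaddress
from typing import List, Optional

# Added model (written for this thread, not nginx's own code) of how the realip
# module derives $remote_addr from X-Forwarded-For under the three directives
# quoted above. The module only rewrites $remote_addr; it never removes entries
# from the header, so a log format that prints the header still shows every hop.
TRUSTED = [ipaddress.ip_network("10.112.98.0/24")]  # set_real_ip_from, from the comment

def is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED)

def resolve_remote_addr(peer: str, xff: Optional[str], recursive: bool = True) -> str:
    """Address nginx would report as $remote_addr for this connection.

    peer is the TCP peer address, xff the X-Forwarded-For value (None if absent),
    recursive mirrors `real_ip_recursive on|off`.
    """
    # The header is consulted only when the peer itself is a trusted proxy; an
    # untrusted client supplying its own header cannot change the result.
    if not xff or not is_trusted(peer):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    result = peer
    for hop in reversed(hops):          # nginx walks the chain right to left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                       # stop at the first unparsable entry
        result = hop
        if not recursive or not is_trusted(hop):
            break   # off: take the last entry; on: first untrusted one wins
    return result                       # all entries trusted: leftmost remains

# Constructed cases. The internal hop 10.112.98.42 is the address from the
# quoted log; 203.0.113.9 is a constructed real client, 1.2.3.4 the value a
# client injected into its own X-Forwarded-For header.
CASES = [
    ("10.112.98.42", "203.0.113.9, 10.112.98.42"),  # trusted peer, internal hop in chain
    ("10.112.98.42", "1.2.3.4, 203.0.113.9"),       # injected value, proxy appended client
    ("10.112.98.42", "1.2.3.4"),                    # trusted peer passed header through unchanged
    ("198.51.100.7", "1.2.3.4"),                    # untrusted peer: header ignored
]

def resolve_cases(recursive: bool = True) -> List[str]:
    return [resolve_remote_addr(peer, xff, recursive) for peer, xff in CASES]
```

The first case shows what `real_ip_recursive on` buys you: the internal hop is skipped and `$remote_addr` becomes 203.0.113.9, whereas with it off the logged address stays 10.112.98.42. The third case reproduces the 1.2.3.4 observation: a trusted hop that forwards the header unchanged lets the client choose the logged address, so `set_real_ip_from` must only cover proxies that append the connecting address themselves.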
Had a chat with support and it seems like this is an issue from the Bluemix side. Currently there is no way to fetch client IP addresses.
@rushabhnagda11 is there any progress with this issue? Have you found a way to get the client IP?
Hi there, Load balancer does not support PROXY protocol, so leaving this disabled I get: Client is always 10.244.x.x (internal IP) or if I set: externalTrafficPolicy: Local in the Ingress Service, it shows an IP of my LoadBalancer (looks like an internal IP within the LoadBalancer network but it's not the real external IP of the client) from DigitalOcean with Manual configuration with TCP Passthrough separated for HTTPS and HTTP. I've tried every image including: nginx-ingress-controller:0.9.0-beta.11 and quay.io/aledbf/nginx-ingress-controller:0.191 as well as the latest images on both Repos and the results are always the same. Note: I get the Real client IP in HTTP mode. Can anyone help?
@attiinfante, see my solution in #808 (comment)
In case somebody is still searching for a solution: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
Please discuss on slack at kubernetes.slack.com in the Digitalocean-k8s channel.
Thanks,
Long
…On Wed, 11 Aug, 2021, 1:17 PM dharmendra kariya, ***@***.***> wrote:
https://www.yellowduck.be/posts/k8s-getting-real-ip-digital-ocean/
I am using Kubernetes 1.7.2 with `externalTrafficPolicy: Local` for the nginx loadbalancer service. I am running the nginx controller as a daemonset on select nodes.
Requests via HTTP are correctly logged with the remote IP address:
```
89.200.35.217 - [89.200.35.217] - - [03/Aug/2017:09:24:24 +0000] "GET / HTTP/1.1" 301 5 "-" "curl/7.53.1" 83 0.002 [upstream-default-backend] 10.64.80.50:80 5 0.002 301
```
However, requests over HTTPS always have the remote IP address set to 127.0.0.1:
```
127.0.0.1 - [127.0.0.1] - - [03/Aug/2017:09:24:42 +0000] "GET / HTTP/1.1" 301 5 "-" "-" 37 0.003 [upstream-default-backend] 10.64.80.50:80 5 0.003 301
```
I am using the image `gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11`.