NLB with NGINX Ingress Controller is overwriting client IP, how to retain actual client IP

0

I have an EKS setup with some web applications/websites served by pods which have Nginx Ingress Controller with NLB for TLS termination. Problem is that the logs on some applications show ips of EKS Worker Nodes, instead of retaining the original requester IP. Would like to retain them for further processing of requests.

Was Trying with this digital Ocean Doc, https://docs.digitalocean.com/support/how-do-i-enable-proxy-protocol-when-my-load-balancer-sends-requests-to-the-nginx-ingress-controller/ by setting configmap variable as:- use-proxy-protocol: "true" but it impaired the system, untill rolledback.

asked 3 months ago485 views
1 Answer
2
Accepted Answer

Hi,

To make it work, you need to have proxy protocol enabled on your NLB and have the appropriate configuration in ingress-nginx.

Here is an example of ingress-nginx, it expects that you have aws-load-balancer controller installed in your cluster.

controller:
  config:
    use-proxy-protocol: "true"
    real-ip-header: "proxy_protocol"
    use-forwarded-headers: "true"
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
      service.beta.kubernetes.io/aws-load-balancer-type: "external"
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp

It's only relevant parts, and there are more options to configure.

profile picture
EXPERT
answered 3 months ago
profile picture
EXPERT
reviewed a month ago
  • This worked like a charm, Thanks Dmytro Sirant.

    Just to Add, my nginx ingress controller was using configmap so following was added to the DATA Part:

    data: allow-snippet-annotations: "true" real-ip-header: proxy_protocol use-forwarded-headers: "true" use-proxy-protocol: "true"

    After which i needed to update my NLB setting. Since it was deployed through an EKS service Object, updating annotations enabled the proxy protocol:

    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'

    The Order in which these things were updated is needed, and also During this exercise I observed the TLS termination to Fail for couple of minutes. So just a headsup for anyone who is applying the above with Live Traffic on workloads.

    Just to reiterate, your answer is precisely what was needed. Thanks Again Dmytro.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions