Open sathieu opened 2 days ago
This issue is currently awaiting triage.
If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
The description in docs says this
If use-forwarded-headers or use-proxy-protocol is enabled, proxy-real-ip-cidr defines the default IP/network address of your external load balancer. Can be a comma-separated list of CIDR blocks. default: "0.0.0.0/0"
So I had assumed until now that it's just the CIDR of the external-LB. And the reason for configuring this was to trust only and only that specific external-LB, for sending the valid X-Forwarded-* info to the controller and the backend.
I am ok to trust only LB set in proxy-real-ip-cidr, the problem is that this changes the $proxy_add_x_forwarded_for to a strange value (with duplicated ip).
I don't see any use for this.
The resulting X-Forwarded-For header should be <client-ip> <lb-ip> instead.
Thanks for comments.
Your comments suggest an authoritative info needs to become available here as a comment. There are not many resources available here on GitHub. There are at least some more than here on the Kubernetes Slack.
I myself am seeing my limited knowledge on this. Because when you say
and testing from 10.20.30.40 with:
I assume you had a shell on the host, whose default route or own IP address was 10.20.30.40. Or I could be confused. I usually put metallb in a Kind cluster to simulate a LB with external-IP but now I am not even sure if I can use that for test here because metallb is not L7 LB.
What happened:
When setting:
and testing from 10.20.30.40 with:
The following variables will be defined:
What you expected to happen:
The following variables to be defined:
Other tests
We tried the following:
proxy-real-ip-cidr: 10.20.30.40
enable-real-ip: true
use-forwarded-headers: true
compute-full-forwarded-for: true
$remote_addr
$proxy_add_x_forwarded_for
NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.): v1.11.2
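The duplicated address discussed in this thread follows from how stock nginx documents two pieces: the realip module rewrites `$remote_addr` when the TCP peer is trusted, and `$proxy_add_x_forwarded_for` then appends that rewritten value. The sketch below is an added example, not part of the issue and not ingress-nginx code; it models that documented behaviour in Python, the helper names and the client address 203.0.113.7 are constructed, and the reporter's actual test values are not on the page.

```python
import ipaddress

def _trusted(addr, cidrs):
    """True if addr parses as an IP inside one of the trusted CIDR blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def realip(peer, xff, cidrs, recursive=False):
    """Model of set_real_ip_from / real_ip_header X-Forwarded-For.

    Returns (remote_addr, realip_remote_addr). Simplification: if the
    selected hop does not parse as an IP, the peer address is kept.
    """
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    if not hops or not _trusted(peer, cidrs):
        return peer, peer            # untrusted peer: header is ignored
    chosen = hops[-1]                # non-recursive: last address in header
    if recursive:                    # recursive: last non-trusted address
        for hop in reversed(hops):
            chosen = hop
            if not _trusted(hop, cidrs):
                break
    try:
        ipaddress.ip_address(chosen)
    except ValueError:
        return peer, peer
    return chosen, peer

def proxy_add_x_forwarded_for(xff, remote_addr):
    """nginx: incoming X-Forwarded-For with $remote_addr appended."""
    return f"{xff}, {remote_addr}" if xff else remote_addr

def forwarded_with_peer(xff, realip_remote_addr):
    """Hypothetical alternative: append the real TCP peer instead."""
    return f"{xff}, {realip_remote_addr}" if xff else realip_remote_addr

def simulate(peer, xff, cidrs, recursive=False):
    remote_addr, peer_addr = realip(peer, xff, cidrs, recursive)
    return {
        "remote_addr": remote_addr,
        "realip_remote_addr": peer_addr,
        "proxy_add_x_forwarded_for": proxy_add_x_forwarded_for(xff, remote_addr),
        "forwarded_with_peer": forwarded_with_peer(xff, peer_addr),
    }

if __name__ == "__main__":
    # Constructed request: trusted LB 10.20.30.40 forwards client 203.0.113.7.
    print(simulate("10.20.30.40", "203.0.113.7", ["10.20.30.40"]))
```

For a defender, the second case in the model matters as much as the first: a peer outside the trusted CIDR list cannot change `$remote_addr` through the header, and its own address is what gets appended.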