microsoft / azure-container-apps

Roadmap and issues for Azure Container Apps
MIT License

Feature Request: Preserve Source IP #726

Open passarela opened 1 year ago

passarela commented 1 year ago

Is your feature request related to a problem? Please describe.

When receiving requests in my container, I cannot know which are the IPs of origin.

Describe the solution you'd like.

Through the Ingress settings, enable keeping the source IP.

Describe alternatives you've considered.

I installed TCPDUMP to collect incoming requests in my container; however, as it is behind an Azure LoadBalancer, the source IP is not preserved.

I expect similar behavior when setting externalTrafficPolicy: Local on a Kubernetes LoadBalancer.

Additional context.

ahmelsayed commented 1 year ago

For HTTP apps, you can use proxy protocol (i.e., XFF headers) for the source IP as observed by the proxy. See for nginx or haproxy or asp.net

passarela commented 1 year ago

For HTTP apps, you can use proxy protocol (i.e., XFF headers) for the source IP as observed by the proxy. See nginx or haproxy or asp.net

Yes, I'm aware of the XFF header, but when followed with Kubernetes, the Loadbalancer needs to be set to externalTrafficPolicy: Local.

https://techcommunity.microsoft.com/t5/fasttrack-for-azure/how-client-source-ip-preservation-works-for-loadbalancer/ba-p/3033722

ahmelsayed commented 1 year ago

That's for the loadbalancer target, which in ACA case is a proxy that sets that information in XFF headers.

passarela commented 1 year ago

That's for the loadbalancer target, which in ACA case is a proxy that sets that information in XFF headers.

Perfect, I created an application to validate and I was successful in obtaining IP through XFF.

Another question came to me,

It is not necessary to preserve IP for the application, but to analyze TCP/HTTP traffic with TCPDUMP or as is already possible in application services in Azure. Would it be possible?
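Added example, not part of the original thread: one way an HTTP app behind the ingress proxy can read the source IP from XFF without trusting entries the client supplied itself. It walks the header right to left and stops at the first address that is not a known proxy. The `TRUSTED_PROXIES` range and all function names are assumptions; the thread does not give ACA's proxy addresses.

```python
import ipaddress

# Assumption: CIDR(s) the ingress proxy connects from. Constructed value;
# the thread does not state ACA's proxy addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def parse_hop(token):
    """Parse one XFF element, tolerating ports and bracketed IPv6."""
    token = token.strip()
    if token.startswith("["):              # "[2001:db8::1]:443"
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:            # "203.0.113.9:5123"
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None                        # not an IP: caller stops here

def is_trusted(addr, trusted=TRUSTED_PROXIES):
    return any(addr in net for net in trusted)

def client_ip(peer_ip, xff_values, trusted=TRUSTED_PROXIES):
    """Return the nearest hop that is not one of our proxies.

    peer_ip    -- TCP peer of the connection as seen inside the container
    xff_values -- every X-Forwarded-For header value, in received order
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer, trusted):
        return peer                        # header did not come via our proxy
    hops = [h for value in xff_values for h in value.split(",") if h.strip()]
    candidate = peer
    for token in reversed(hops):           # rightmost entry was appended last
        addr = parse_hop(token)
        if addr is None:
            break                          # malformed: keep last verified hop
        candidate = addr
        if not is_trusted(addr, trusted):
            break                          # first address no proxy vouches for
    return candidate

# Constructed requests: the client pre-populated XFF with 198.51.100.7.
if __name__ == "__main__":
    print(client_ip("10.0.0.5", ["198.51.100.7, 203.0.113.9"]))
    print(client_ip("192.0.2.44", ["198.51.100.7"]))
```

Taking the leftmost XFF entry instead would return whatever value the client chose to send, which matters if the address feeds allow-lists, rate limits or audit logs.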

alanta commented 1 year ago

XFF headers work for HTTP/HTTPS but not for other TCP services. For example, I'm working on an app that receives messages over SMTP. This requires the application to be able to get the client IP to perform further checks before accepting incoming messages.

codylittle commented 1 year ago

Since envoy is used, the support for Proxy Protocol (envoy.transport_sockets.upstream_proxy_protocol) would be great. Currently the lack of source IP preservation on TCP workloads is quite the blocker for us.

dwgreen1 commented 2 months ago

I am also interested in this feature, fwiw.