You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Set value of $remote_addr to client IP when TLSPassthrough and Proxy Protocol are enabled (#3341)
* Add set-real-ip-from in server block in stream context
* set real ip on when proxy-protocol is enabled
* Update README for proxy-protocol example
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* Remove blank space
Co-authored-by: “shaun-nx” <“s.odonovan@f5.com”>
Co-authored-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Copy file name to clipboardExpand all lines: examples/shared-examples/proxy-protocol/README.md
+8-4Lines changed: 8 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,7 @@
1
1
# PROXY Protocol
2
2
3
3
Proxies and load balancers, such as HAProxy or ELB, can pass the client's information (the IP address and the port) to the next proxy or load balancer via the PROXY Protocol. To enable NGINX Ingress Controller to receive that information, use the `proxy-protocol` ConfigMaps configuration key as well as the `real-ip-header` and the `set-real-ip-from` keys. Once you enable the PROXY Protocol, it is enabled for every Ingress and VirtualServer resource.
4
+
**NOTE** TransportServer resource supports PROXY Protocol only when TLS Passthrough is enabled for the Ingress Controller.
Additionally, you must configure the following keys:
13
14
***real-ip-header**: Set its value to `proxy_protocol`.
14
-
***set-real-ip-from**: Set its value to the IP address or the subnet of the proxy or the load balancer. See https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
15
+
***set-real-ip-from**: Set its value to the IP address or the subnet of the proxy or the load balancer. See [set-real-ip-from](https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from)
15
16
16
17
## Example
17
18
18
-
In the example below we configure the PROXY Protocol via a ConfigMaps resource. The IP address of the proxy which is in front of the Ingress Controller is `192.168.192.168`.
19
+
In the example below we configure the PROXY Protocol via a ConfigMaps resource. `set-real-ip-from` is set to `192.168.0.0/16`. This is the CIDR range of the proxy that sits in front of the Ingress Controller in this example. You can set this to `0.0.0.0/0` to trust all IPs.
20
+
After we create the ConfigMaps resource, the client's IP address is available via the `$remote_addr` variable in the NGINX configuration.
21
+
By default, NGINX Ingress Controller logs the value of this variable and also passes the value to the backend service in the `X-Real-IP` header.
22
+
23
+
The default log format for NGINX is `'$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'`
19
24
20
25
```yaml
21
26
kind: ConfigMap
@@ -25,6 +30,5 @@ metadata:
25
30
data:
26
31
proxy-protocol: "True"
27
32
real-ip-header: "proxy_protocol"
28
-
set-real-ip-from: "192.168.192.168"
33
+
set-real-ip-from: "192.168.0.0/16"
29
34
```
30
-
After we create the ConfigMaps resource, in the NGINX configuration the client's IP address is available via the `$remote_addr` variable. By default, NGINX Ingress Controller logs the value of this variable and also passes the value to the backend service in the `X-Real-IP` header.
![pre-commit-ci[bot]](https://avatars.githubusercontent.com/in/68672?v=4&size=40){kind=avatar}
0 commit comments