Configuring Kubernetes Ingress Nginx to Preserve Client IP Address from Cloudflare Worker.


Question


Regarding my Kubernetes setup, I am using the Nginx Ingress controller. To handle incoming requests, I utilize a Cloudflare worker to interact with my Kubernetes cluster. The worker sends a request with the following header:

X-Forwarded-For: xxx.xxx.xxx.xxx, xxx2.xxx2.xxx2.xxx2

In this header:

xxx.xxx.xxx.xxx represents the real IP address.
xxx2.xxx2.xxx2.xxx2 represents the Cloudflare worker IP address.

However, upon inspecting the pods inside the Kubernetes cluster (tcpdump), I notice that the headers received are as follows:

X-Real-IP: xxx2.xxx2.xxx2.xxx2
X-Forwarded-For: xxx2.xxx2.xxx2.xxx2
X-Original-Forwarded-For: xxx.xxx.xxx.xxx,xxx2.xxx2.xxx2.xxx2

I want to ensure that the actual client IP address (xxx.xxx.xxx.xxx) is available inside the pods by the X-Forwarded-For header. How can I achieve this?

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: demo-ingress2
      annotations:
        kubernetes.io/ingress.class: nginx
        nginx.org/client-max-body-size: "100m"
        nginx.org/proxy-connect-timeout: 300s
        nginx.org/proxy-read-timeout: 300s
        nginx.org/proxy-send-timeout: 300s
        nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
        nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
        nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
    spec:
      rules:
      - host: test.com
        http:
          paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: myservice
                port:
                  number: xxxx
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      name: nginx-configuration
      namespace: default
    data:
      use-forwarded-headers: "true"
      compute-full-forwarded-for: "true"
      use-proxy-protocol: "true"

Answer 1

Score: 1


Found the answer:

You need to override the nginx conf file: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/custom-template/

Or have a config map like:

    apiVersion: v1
    data:
      allow-snippet-annotations: "true"
      enable-real-ip: "true"
      compute-full-forwarded-for: "true"
      use-forwarded-headers: "true"
    kind: ConfigMap
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.7.1
      name: ingress-nginx-controller
      namespace: ingress-nginx
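
Added example (not part of the original question or answer): a simplified Python model of the right-to-left X-Forwarded-For resolution that nginx's realip module performs with real_ip_recursive on, showing how the set of trusted proxy ranges decides which address the pod ends up seeing. The function name, the documentation-range addresses and the CIDR standing in for the worker's range are constructed for illustration; in ingress-nginx the trusted range is set with the proxy-real-ip-cidr ConfigMap key.

```python
import ipaddress


def resolve_client_ip(peer, xff, trusted_cidrs):
    """Pick the client address the way a recursive realip lookup does.

    peer          -- address of the TCP peer that connected to the ingress
    xff           -- raw X-Forwarded-For value received from that peer
    trusted_cidrs -- networks whose forwarding headers are believed
    (hypothetical helper, not ingress-nginx code)
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def trusted(addr):
        return any(addr in n for n in nets if n.version == addr.version)

    current = ipaddress.ip_address(peer)
    if not trusted(current):
        # Headers from an untrusted peer are ignored: the peer is the client.
        return str(current)

    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that parsed
        current = candidate
        if not trusted(current):
            break  # first untrusted hop from the right is the client
    return str(current)


# Constructed sample values (documentation ranges, not from the page).
WORKER = "198.51.100.7"          # stands in for the Cloudflare worker IP
CLIENT = "203.0.113.10"          # stands in for the real client IP
WORKER_RANGE = ["198.51.100.0/24"]
HEADER = f"{CLIENT}, {WORKER}"   # shape of the header the worker sends
PADDED = f"192.0.2.99, {HEADER}" # same header with an extra leading entry

if __name__ == "__main__":
    print("no trusted proxies :", resolve_client_ip(WORKER, HEADER, []))
    print("worker range only  :", resolve_client_ip(WORKER, HEADER, WORKER_RANGE))
    print("padded, worker only:", resolve_client_ip(WORKER, PADDED, WORKER_RANGE))
    print("padded, 0.0.0.0/0  :", resolve_client_ip(WORKER, PADDED, ["0.0.0.0/0"]))
```

With no trusted range the pod sees only the worker address, as in the question; limiting trust to the proxy's own range returns the real client and ignores any entry placed in front of it, while trusting every source accepts the leftmost entry as given.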

huangapple
  • Posted on 2023-08-05 00:31:56
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76837736.html