2023年8月5日 00:31:56go评论67阅读模式

英文:

Configuring Kubernetes Ingress Nginx to Preserve Client IP Address from Cloudflare Worker

问题

关于我的Kubernetes设置，我正在使用Nginx Ingress控制器。为了处理传入的请求，我利用Cloudflare worker与我的Kubernetes集群交互。该worker发送带有以下头部的请求：

X-Forwarded-For: xxx.xxx.xxx.xxx, xxx2.xxx2.xxx2.xxx2

在这个头部中：

xxx.xxx.xxx.xxx 代表真实IP地址。
xxx2.xxx2.xxx2.xxx2 代表Cloudflare worker的IP地址。

然而，通过检查Kubernetes集群中的Pod（使用tcpdump），我注意到接收到的头部如下：

X-Real-IP: xxx2.xxx2.xxx2.xxx2
X-Forwarded-For: xxx2.xxx2.xxx2.xxx2
X-Original-Forwarded-For: xxx.xxx.xxx.xxx, xxx2.xxx2.xxx2.xxx2

我想确保实际客户端IP地址（xxx.xxx.xxx.xxx）在Pod内通过X-Forwarded-For头部可用。我该如何实现这一点？

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-ingress2
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.org/client-max-body-size: "100m"
    nginx.org/proxy-connect-timeout: 300s
    nginx.org/proxy-read-timeout: 300s
    nginx.org/proxy-send-timeout: 300s
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
spec:
  rules:
    - host: test.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: myservice
                port:
                  number: xxxx
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: nginx-configuration
  namespace: default
data:
    use-forwarded-headers: "true"
    compute-full-forwarded-for: "true"
    use-proxy-protocol: "true"

（注意：我已经翻译了代码部分，其他部分已经按您要求翻译并返回。）

英文:

Regarding my Kubernetes setup, I am using the Nginx Ingress controller. To handle incoming requests, I utilize a Cloudflare worker to interact with my Kubernetes cluster. The worker sends a request with the following header:

X-Forwarded-For: xxx.xxx.xxx.xxx, xxx2.xxx2.xxx2.xxx2

In this header:

xxx.xxx.xxx.xxx represents the real IP address.
xxx2.xxx2.xxx2.xxx2 represents the Cloudflare worker IP address.

However, upon inspecting the pods inside the Kubernetes cluster (tcpdump), I notice that the headers received are as follows:

X-Real-IP: xxx2.xxx2.xxx2.xxx2
X-Forwarded-For: xxx2.xxx2.xxx2.xxx2
X-Original-Forwarded-For: xxx.xxx.xxx.xxx,xxx2.xxx2.xxx2.xxx2

I want to ensure that the actual client IP address (xxx.xxx.xxx.xxx) is available inside the pods by the X-Forwarded-For header. How can I achieve this?

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-ingress2
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.org/client-max-body-size: &quot;100m&quot;
    nginx.org/proxy-connect-timeout: 300s
    nginx.org/proxy-read-timeout: 300s
    nginx.org/proxy-send-timeout: 300s
    nginx.ingress.kubernetes.io/proxy-connect-timeout: &quot;300&quot;
    nginx.ingress.kubernetes.io/proxy-read-timeout: &quot;300&quot;
    nginx.ingress.kubernetes.io/proxy-send-timeout: &quot;300&quot;
spec:
  rules:


    - host: test.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: myservice
                port:
                  number: xxxx


---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: nginx-configuration
  namespace: default
data:
    use-forwarded-headers: &quot;true&quot;
    compute-full-forwarded-for: &quot;true&quot;
    use-proxy-protocol: &quot;true&quot;

答案1

得分: 1

Here is the translated content:

找到答案：

您需要覆盖nginx配置文件，具体信息请参考https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/custom-template/。

或者使用以下配置映射：

apiVersion: v1
data:
  allow-snippet-annotations: "true"
  enable-real-ip: "true"
  compute-full-forwarded-for: "true"
  use-forwarded-headers: "true"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.7.1
  name: ingress-nginx-controller
  namespace: ingress-nginx

请注意，这是关于如何配置nginx的信息。

英文:

Found the answer:

You need to override nginx conf file https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/custom-template/

Or have a config map like:

apiVersion: v1
data:
  allow-snippet-annotations: &quot;true&quot;
  enable-real-ip: &quot;true&quot;
  compute-full-forwarded-for: &quot;true&quot;
  use-forwarded-headers: &quot;true&quot;
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.7.1
  name: ingress-nginx-controller
  namespace: ingress-nginx

通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库，让每个人都能够通过互相帮助和分享经验来进步。

Configuring Kubernetes Ingress Nginx to Preserve Client IP Address from Cloudflare Worker.

问题

答案1

无法使用yaml文件在elasticsearch pod中创建文件夹。

将网关绑定到特定命名空间？

Kubernetes – 如何暴露Kafka Exporter

如何为CFK Kafka连接资源设置PDB（Pod Disruption Budget）。

What's the correct way to type hint an empty list as a literal in python?

如何在Highcharts Gantt中更改本地化的星期名称

如何在同一个流中使用多个过滤器和映射函数？

如何使用Map/Set来将代码优化到O(n)？

.NET MAUI Android在GitHub Actions上构建失败，错误代码为1。

如何在Playwright视觉比较中屏蔽多个定位器？

在C++中，可以使用可变模板参数来检索类型的内部类型。

selenium.common.exceptions.StaleElementReferenceException: Message: stale element reference: stale element not found

Creating and opening a URL to log in to Website via Basic Auth with Robot Framework/Selenium (Python)

AG Grid 在上下文菜单中以大文本形式打开

发表评论