Updating ingress-nginx-controller ConfigMap to Pass Client IP to Backend Service
Have an ingress-nginx-controller Deployment in a Kubernetes cluster which passes requests to backend services within the cluster and this all currently works as expected.
There is now a requirement within one of the backend services to get the caller's client IP address from within but, with the nginx controller in its default configuration, the backend service is only seeing the Kubernetes cluster's network IP address when it calls HttpServletRequest.getRemoteAddr() and not the client caller's IP address.
I understand that requests when proxied can have the client IP address overridden which I am assuming is what is happening here as the request goes through the nginx controller.
I have added a debug log in the backend service to print all relevant headers within received requests and, with the nginx controller in its default configuration, I am seeing the following X- headers within each request received:
x-request-id:3821cea91ffdfd04bed8516586869bdd5
x-real-ip:100.10.75.1
x-forwarded-proto:https
x-forwarded-host:www.myexample.com
x-forwarded-port:443
x-scheme:https
I have read in various places that nginx can be configured to pass the client's IP address in X-Forwarded-For header for example (which as can be seen in debug log above it is not currently included in client requests).
Looking at the nginx.conf in the ingress-nginx-controller Deployment, the backend's domain server configuration has the following set:
proxy_set_header X-Request-ID $req_id;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_set_header X-Forwarded-Host $best_http_host;
proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Scheme $pass_access_scheme;
# Pass the original X-Forwarded-For
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
Doing a kubectl describe deploy -n ingress-nginx ingress-nginx-controller shows that the nginx controller has the following configmap argument: --configmap=ingress-nginx/ingress-nginx-controller so, using this information, what do I need to include in a custom yaml that I can then apply in order to override the nginx config settings to have it pass the client IP to the backend service?
In order to have the nginx controller pass the client's IP address to the backend service I applied the following configmap yaml config:
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.10.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.41.2
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  compute-full-forwarded-for: "true"
  use-forwarded-headers: "false"
  real-ip-header: proxy_protocol
I believe the configuration section that matters in this config is the line: real-ip-header: proxy_protocol
With this configmap applied to the nginx controller I can now see the client's IP address (no longer the Kubernetes cluster's network IP address) shown in the request's x-real-ip header.
To pass the real client IP without many config changes, we need to use use-forwarded-headers: 'true' in the ConfigMap as shown in the below snippet.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.15
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.1
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  allow-snippet-annotations: 'true'
  ssl-redirect: 'false'
  use-forwarded-headers: 'true'
use-forwarded-headers
If true, NGINX passes the incoming X-Forwarded-* headers to upstreams. Use this option when NGINX is behind another L7 proxy/load balancer that is setting these headers.
If false, NGINX ignores incoming X-Forwarded-* headers, filling them with the request information it sees. Use this option if NGINX is exposed directly to the internet, or it's behind an L3/packet-based load balancer that doesn't alter the source IP in the packets.
By enabling this header, the X-Forwarded-* header will not be appended or replaced by any internal IP.
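An added example, not part of either answer or of the ingress-nginx project: once incoming X-Forwarded-* headers are passed through to the backend, the application has to decide which X-Forwarded-For entry to believe, because a caller can put any value in that header. The sketch below takes the rightmost address that is not one of your own proxies; `TRUSTED_PROXIES`, the function name and every sample address are constructed assumptions.

```python
import ipaddress

# Assumption: CIDR ranges of the proxies you operate (constructed values).
# Only hops inside these ranges may vouch for the address to their left.
TRUSTED_PROXIES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8",)]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_addr, x_forwarded_for):
    """Return the rightmost address in the chain that is not one of our proxies.

    peer_addr       -- TCP peer of the backend (what getRemoteAddr() returns)
    x_forwarded_for -- raw X-Forwarded-For header value, or None
    """
    peer = ipaddress.ip_address(peer_addr)
    # A peer outside our proxy ranges reached us directly: ignore its headers.
    if not _is_trusted(peer) or not x_forwarded_for:
        return str(peer)
    candidate = peer
    # Walk right to left: each trusted hop appended the address it saw.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = addr
        if not _is_trusted(addr):
            break  # first untrusted address is the client as our edge saw it
    return str(candidate)


if __name__ == "__main__":
    # Constructed samples: (backend TCP peer, X-Forwarded-For value)
    samples = [
        ("10.2.0.5", "203.0.113.7, 10.1.2.3"),   # client -> L7 LB -> ingress
        ("10.2.0.5", "1.2.3.4, 198.51.100.9"),   # leftmost entry is client-supplied
        ("203.0.113.50", "1.2.3.4"),             # request bypassed the proxies
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", resolve_client_ip(peer, xff))
```

Entries to the left of the first untrusted address are never consulted, so a forged leading value cannot change the result.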