NGINX Ingress Controller's Load Balancer is hiding the real client IP
I'm playing around with K8s and I set up a small, single-node, bare metal cluster. For this cluster I pulled the NGINX Ingress Controller config from here, which comes from the official getting started guide.
Ok, so pulling this set up a bunch of things, including a LoadBalancer in front. I like that.
For my app (single pod, returns the caller IP) I created a bunch of things to play around with. I now have SSL enabled and another ingress controller, which I pointed to my app's service, which then points to the deployed pod. This all works perfectly, I can browse the page with https. See:
My app is not getting the original IP from the client. All client requests end up as coming from 10.42.0.99... here's the controller config from describe:
I tried like 50 solutions that were proposed online, none of them worked (ConfigMaps, annotations, proxy mode, etc). And I debugged in depth: there's no X-Forwarded-For or any similar header in the request that reaches the pod. Previously I tested the same app on Apache directly, and also in a Docker setup, and it works without any issues.
It's also worth mentioning that I looked into the ingress controller's pod and I already saw the same internal IP in there. I don't know how to debug the controller's pod further.
Happy to share more information and config if it helps.
I think I know what the issue is... I didn't mention how I installed the cluster, assuming it's irrelevant. Now I think it's the most important thing:
I set it up using K3S, which has its own LoadBalancer. And through debugging, I see now that all of my requests in NGINX have the IP of the load balancer's pod...
I still don't know how to make this Klipper LB give the source IP address though.
Make sure your Nginx ingress ConfigMap has the real client IP enabled with real-ip-header: proxy_protocol. Try updating this line in the ConfigMap:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  compute-full-forwarded-for: "true"
  use-forwarded-headers: "false"
  real-ip-header: proxy_protocol
```
If that still doesn't work, you can inject this config as an annotation on your Ingress and test once:
```yaml
nginx.ingress.kubernetes.io/configuration-snippet: |
  more_set_headers "X-Forwarded-For $http_x_forwarded_for";
```
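To make concrete what the realip settings in this answer do, and why the pod in the question only ever sees 10.42.0.99, here is an added Python example (not code from the original thread, from the ingress-nginx project, or from k3s) that models the semantics of NGINX's realip module: a PROXY protocol v1 line parser for the `real-ip-header: proxy_protocol` case, and the trusted-proxy walk of X-Forwarded-For that `use-forwarded-headers` together with `proxy-real-ip-cidr` (`set_real_ip_from` in nginx terms) enables. The trusted CIDRs, the function names and every address below are constructed sample values, not taken from the thread.

```python
"""Model of how NGINX's realip module recovers the client address.

Added example; assumptions are marked inline. Semantics mirrored:
  real-ip-header: proxy_protocol      -> source comes from the PROXY line
  real-ip-header: X-Forwarded-For     -> walk the header right to left,
  proxy-real-ip-cidr / set_real_ip_from -> only these peers may set it,
  real_ip_recursive on                -> skip every trusted hop in the chain.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed assumption: the k3s pod CIDR (where the Klipper/servicelb pod
# lives) plus an external edge-proxy range are the only trusted proxies.
TRUSTED_PROXIES = ("10.42.0.0/16", "192.0.2.0/24")


def _trusted(addr: str, cidrs: Iterable[str]) -> bool:
    """True if addr falls inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def parse_proxy_v1(line: bytes) -> Optional[str]:
    """Return the original source IP carried by a PROXY protocol v1 line.

    Wire format: b"PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n".
    Any malformed line (or the UNKNOWN family) yields None, so a caller
    falls back to the TCP peer address instead of trusting garbage.
    """
    if not line.startswith(b"PROXY ") or not line.endswith(b"\r\n"):
        return None
    parts = line[:-2].decode("ascii", errors="replace").split(" ")
    if len(parts) == 2 and parts[1] == "UNKNOWN":
        return None
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        return None
    try:
        src = ipaddress.ip_address(parts[2])
        ipaddress.ip_address(parts[3])           # destination must parse too
        sport, dport = int(parts[4]), int(parts[5])
    except ValueError:
        return None
    if not (0 < sport < 65536 and 0 < dport < 65536):
        return None
    if (parts[1] == "TCP4") != (src.version == 4):  # family must match address
        return None
    return str(src)


def real_client_ip(remote_addr: str, xff: Optional[str],
                   trusted: Iterable[str] = TRUSTED_PROXIES,
                   recursive: bool = True) -> str:
    """Return the address nginx would expose as $remote_addr after realip.

    remote_addr: the TCP peer the request actually arrived from
    xff:         the X-Forwarded-For value as received, or None
    A header sent by an untrusted peer is ignored outright: otherwise any
    client could choose its own "real IP" just by adding the header.
    """
    if not xff or not _trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return remote_addr
    # Walk from the nearest proxy backwards and stop at the first hop that
    # is not itself a trusted proxy (non-recursive mode stops immediately).
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr        # junk in the chain: distrust all of it
        if not recursive or not _trusted(hop, trusted):
            return hop
    return hops[0]                    # every hop was trusted: leftmost wins


if __name__ == "__main__":
    # The situation from the question: SNAT by the LB pod, no header at all.
    print(real_client_ip("10.42.0.99", None))                       # 10.42.0.99
    # PROXY protocol line as an LB that speaks it would send (constructed).
    print(parse_proxy_v1(b"PROXY TCP4 203.0.113.7 10.42.0.99 51234 443\r\n"))
    # Spoofing attempt from an untrusted peer is ignored.
    print(real_client_ip("198.51.100.23", "203.0.113.250"))         # 198.51.100.23
```

Two things the model makes visible. First, when the Klipper LB pod SNATs the connection and forwards neither a PROXY line nor a header, `real_client_ip("10.42.0.99", None)` can only return `10.42.0.99`: the original address was never transmitted, so no ConfigMap or annotation on the ingress side can recover it, and the fix has to happen at the load balancer (PROXY protocol, or preserving the source address). Second, `use-forwarded-headers: "true"` must be paired with a tight `proxy-real-ip-cidr`; with the peer check removed, the header from any client would be believed and the "caller IP" your app returns becomes attacker-controlled.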
@milosmns - one of the ways I have been trying is to not install servicelb (--no-deploy=servicelb) and remove traefik (--no-deploy=traefik).
Instead deploy haproxy ingress ( https://forums.rancher.com/t/how-to-access-rancher-when-k3s-is-installed-with-no-deploy-servicelb/17941/3 ) and enable proxy protocol. When you do this, all requests that hit the haproxy ingress will be injected with proxy protocol and no matter how they are routed you will be able to pick them up from anywhere. You can also get haproxy to inject X-Real-IP headers.
The important thing is that haproxy should be running on all master nodes. Since there is no servicelb, your haproxy will always get the correct IP address.
Just set externalTrafficPolicy to "Local" if using GCP.
Add this to the ingress controller service:
```yaml
service:
  externalTrafficPolicy: Local
```