
How can I get the real IP of a client when using an ELB in front of my Nginx Ingress?

I have the following setup:

Client -> AWS ELB -> Nginx Ingress -> Pod

In the ELB logs, I can see the real IP of these clients. ELB sends it as the X-Forwarded-For header value to my Ingress controller.

I need to set the whitelist-source-range in the Ingress for the application, but the issue is that it uses the remote IP address, not the one in the X-Forwarded-For header.

I can see some solutions here:

  1. Transform ALB into an NLB, so it preserves the originating client's IP
  2. Make the Nginx controller source range whitelist based on the X-Forwarded-For header
  3. Make the Nginx controller transform the request originating IP into the one in the header

The first is not ideal for me. I didn't want to maintain and pay for another load balancer. I don't know if the second is possible. I think the third is feasible, yet I have no idea how to do it. I know there's something related, which is the proxy protocol, but I don't see how it works, and I don't want to add something I don't understand into my production environment.

The load balancer is for several applications in my Kubernetes environment, so adding these IPs to the whitelist in the security group is not ideal.

How could I solve this issue?

My last resource will be to use Cloudflare. I want to keep as much of my configuration as possible inside Kubernetes, but I'll go for it if it's impossible.

Edit: this doesn't solve my problems, I have CIDRs to whitelist, not a specific IP.
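As an added example (not part of the original question or answer), the following Python shows the trust logic an ingress has to apply when it derives the client address from X-Forwarded-For behind an ELB and then checks it against a CIDR whitelist: the header is walked from the right, hops belonging to trusted proxies are skipped, and the first untrusted hop is the client. All addresses and CIDRs below are constructed.

```python
"""Whitelist a client by CIDR from X-Forwarded-For behind a trusted ELB.

Added example, not from the original question or answer. The ELB appends
the address it received the connection from as the rightmost entry of
X-Forwarded-For; anything the client itself put in the header sits to
the left of that entry and must be ignored, or the whitelist can be
bypassed by sending a forged header.
"""
import ipaddress


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _in(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def client_ip(remote_addr, xff, trusted_proxy_cidrs):
    """Return the real client IP, or None if it cannot be established.

    remote_addr: TCP peer address seen by the ingress (an ELB node).
    xff: raw X-Forwarded-For header value, possibly empty.
    trusted_proxy_cidrs: CIDRs of proxies allowed to set forwarded headers.
    """
    trusted = _nets(trusted_proxy_cidrs)
    # A peer that is not a trusted proxy may have forged the header entirely,
    # so the peer address itself is the only value worth trusting.
    if not _in(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk from the right: each trusted proxy appended the address it saw.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop: fail closed
        if not _in(hop, trusted):
            return hop
    return None  # empty header or only trusted hops: client unknown


def allowed(remote_addr, xff, trusted_proxy_cidrs, allow_cidrs):
    """True only if a client IP could be established and is whitelisted."""
    ip = client_ip(remote_addr, xff, trusted_proxy_cidrs)
    return ip is not None and _in(ip, _nets(allow_cidrs))
```

The spoofed-header case below returns False because the client-supplied "203.0.113.7" is left of the ELB-appended entry and is never considered.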

So if you are on AWS, why are you using an Nginx Ingress controller?

You can use the AWS Load Balancer Controller, which will provision and/or manage AWS ALBs automatically.

For your particular use case, you could add a WAF WebACL for a particular target in the ALB. You can do that manually, or use the alb.ingress.kubernetes.io/wafv2-acl-arn annotation for the AWS Load Balancer Controller.

Alternatively, you could run a separate ALB in a separate subnet, and set up IP whitelisting via the security group of that ALB. And then make sure that separate ALB is only used for those ingresses that need it.

Again, when using the AWS Load Balancer Controller instead of the Nginx Ingress Controller, this can be done automatically, without extra maintenance.
