By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

NLB with NGINX Ingress Controller is overwriting client IP, how to retain actual client IP

0

I have an EKS setup with some web applications/websites served by pods which have Nginx Ingress Controller with NLB for TLS termination. Problem is that the logs on some applications show ips of EKS Worker Nodes, instead of retaining the original requester IP. Would like to retain them for further processing of requests.

Was Trying with this digital Ocean Doc, https://docs.digitalocean.com/support/how-do-i-enable-proxy-protocol-when-my-load-balancer-sends-requests-to-the-nginx-ingress-controller/ by setting configmap variable as:- use-proxy-protocol: "true" but it impaired the system, untill rolledback.

Topics
Containers
Tags
Amazon Elastic Kubernetes ServiceContainersNetwork Load Balancer
Language
English
Surya Adapa
asked 3 months ago537 views
1 Answer
2
Accepted Answer

Hi,

To make it work, you need to have proxy protocol enabled on your NLB and have the appropriate configuration in ingress-nginx.

Here is an example of ingress-nginx, it expects that you have aws-load-balancer controller installed in your cluster.

controller:
  config:
    use-proxy-protocol: "true"
    real-ip-header: "proxy_protocol"
    use-forwarded-headers: "true"
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
      service.beta.kubernetes.io/aws-load-balancer-type: "external"
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp

It's only relevant parts, and there are more options to configure.

profile picture
EXPERT
Dmytro Sirant
answered 3 months ago
profile picture
EXPERT
Oleksii Bebych
reviewed a month ago
  • Surya Adapa
    3 months ago

    This worked like a charm, Thanks Dmytro Sirant.

    Just to Add, my nginx ingress controller was using configmap so following was added to the DATA Part:

    data: allow-snippet-annotations: "true" real-ip-header: proxy_protocol use-forwarded-headers: "true" use-proxy-protocol: "true"

    After which i needed to update my NLB setting. Since it was deployed through an EKS service Object, updating annotations enabled the proxy protocol:

    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'

    The Order in which these things were updated is needed, and also During this exercise I observed the TLS termination to Fail for couple of minutes. So just a headsup for anyone who is applying the above with Live Traffic on workloads.

    Just to reiterate, your answer is precisely what was needed. Thanks Again Dmytro.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content