IP Preserve in nginx ingress controller

[godofdream]

Due to the change of Port 443 streaming to nginx 127.0.0.1:442 the ip is not preserved anymore. (127.0.0.1 is returned)
Due to this change also the ingress ip-whitelist does not work anymore.

This could be fixed by proxy passing the x-forwarded-for ip and accept real-ip.

[cmluciano]

Would you like to take a stab at the PR? I think https://github.com/kubernetes/ingress/blob/master/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl may be the starting point.

[gambol99]

Yeah .. i had to drop the stream config and place the listen 443 proxy_protocol back in the server {} block to get this working again ..

[cluk1]

We have patched the nginx.tmpl for that:
https://github.com/pingworks/ingress/commit/a170f8dba3656eb3941d451d4539095bc12d0b36

[cmluciano]

possible dup #188

[nailgun]

beta.5 still have this issue (as well as beta.4)

[nailgun]

Can someone trigger a next beta build? Looks like this was fixed in d56d8b7 13 days ago.

[aledbf]

@nailgun the next version will be release after the completion of the scheduled task here https://github.com/kubernetes/ingress/projects/2

[nailgun]

@aledbf thanks for information

[qux42]

Trying the current master, the bug isn't fully solved:

213.61.105.52 - [213.61.105.52] - - [17/May/2017:21:54:26 +0000] "GET / HTTP/2.0" 403 281 "-" "curl/7.54.0" 37 0.000 [prometheus-server-80] - - - -
2017/05/17 21:54:26 [error] 1133#1133: *90 access forbidden by rule, client: 127.0.0.1, server: **.com, request: "GET / HTTP/2.0", host: "**.com"

in beta.5 it looks like this:

213.61.105.52 - [127.0.0.1] - - [17/May/2017:21:54:26 +0000] "GET / HTTP/2.0" 403 281 "-" "curl/7.54.0" 37 0.000 [prometheus-server-80] - - - -
2017/05/17 21:54:26 [error] 1133#1133: *90 access forbidden by rule, client: 127.0.0.1, server: **.com, request: "GET / HTTP/2.0", host: "**.com"

[2color]

Same thing here with nginx-ingress-controller:0.9.0-beta.5

[jrthib]

I'm getting the same thing. I'm trying to whitelist the IP range of our VPN and all I'm seeing are internal node IPs once the request comes through. Any ideas?

`2017-05-22T14:21:17.902605271Z 2017/05/22 14:21:17 [error] 133#133: *47 access forbidden by rule, client: 10.240.0.4, server: my.test.com, request: "GET /favicon.ico HTTP/1.1", host: "my.test.com", referrer: "http://my.test.com/"

10.240.0.4 is an IP of one of the k8s nodes rather than the remote IP that was requesting resources.

[aledbf]

@jrthib please use the image quay.io/aledbf/nginx-ingress-controller:0.118
This is a similar issue to #727

[2color]

Thanks @aledbf. That solves the problem.

How does it work with releases? Once all items in the nginx 0.9-beta.6 project are resolved, do you release?

[aledbf]

How does it work with releases?

I open a PR an someone from the google team with permissions in the gcr.io registry publish the image. This is the reason why I use my personal quay account to test the progress of the fixes/features to be included in the next release

[2color]

Thanks @aledbf. Your work is much appreciated.