Setting an X-Forwarded-For header overrides whitelist-source-range in nginx-controller #1000
I have hit a problem with the nginx-controller that I believe might be a bug in the nginx configuration. I might be wrong, so please do point it out if that's the case.

I am trying to set up an nginx ingress controller in GKE (version 1.6.4) which has a global configuration that includes:

where access to the endpoint would only be allowed from the IP `123.123.123.123`. I have seen that it generates a config in nginx like:

which is then used by:

and it seems the `the_real_ip` variable is set like:

The ingress I have defined like this:

And it works:

However, if I pass the `X-Forwarded-For` header myself, I am able to override this restriction, as per:

So it seems to me that just setting `X-Forwarded-For` as a header overrides any other `X-Forwarded-For` header that might be set there, and then this code:

sets the `the_real_ip` variable to whatever I pass as a header, thus overriding the ACL.

Before I dig further into the code (which I have not read), I'd like to raise it here in case there's an obvious problem with what I'm doing. If so, please let me know and I'll close the ticket.

I can post the extra config here if it's needed. I didn't want to in the initial issue so as not to overload it with lots of yaml.

Many thanks.

Comments

@octete please configure the option

@aledbf Thanks for your reply, but this would only take effect if ProxyProtocol were enabled, right? (which is not enabled by the load balancer in GCP) If it's meant to work with ProxyProtocol off, it is not working for me (setting

@octete please post some logs

Thanks. I have set proxy protocol on, as per:

I hit it as I specified in the description:

and this is what I get in the logs from nginx:

If I, however, change the config map to:

I get the original behaviour I was describing:

logs from nginx, in this case, look like:

Thanks. PS: I have modified the logs to change my source IP to

@aledbf sorry, forgot to ping you.

If you are using the ingress controller you need to enable use-proxy-protocol in the controller and the ELB.

Except that this is in GKE running in GCP, and it doesn't seem to support proxied load balancers, right?

It seems to me that GCP load balancers don't support the Proxy Protocol. @aledbf does this only work with ProxyProtocol enabled?

@aledbf @octete this is something that also causes some issues with logging. I've installed a brand new ingress controller here (based on the latest release), and when calling SSL vhosts the logged IP is localhost (as the flow is 443 -> vhost:442) and the log comes from vhost:442. I think an option would be to have an option to enable or disable the entire SNI proxy configuration inside NGINX (and NGINX becomes an HTTP/S server only). I think this solves it: 6ef6343. But we have to wait until the next release.

@rikatz that replacement works but you are not respecting the X-Forwarded-For header.

But the point of respecting X-Forwarded-For is when you're using a proxy. As this is a case where a proxy is not being used, I've replaced it here so this works. Isn't this the case? This is the whole case:

@aledbf Any consideration about this? That's the easiest (don't know if it's the most correct) way I could manage to make both the log and the whitelist be respected :)

Doing some more research here, this might also be a problem:

Try to access this ingress with http:// (instead of https). Because of these lines you're not going to be redirected; instead you're going to access the site through http.

@aledbf

Shouldn't
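The bypass described in the issue, as an added example that is not code from the ingress-nginx project, its nginx templates, or any participant in the thread: a naive resolver that takes the first `X-Forwarded-For` entry whenever the header is present (the behaviour the reporter observes) is placed beside a hardened one that starts from the TCP peer and walks the header from the right, skipping only hops that sit in a configured trusted-proxy list, which is how nginx's real_ip module behaves with `set_real_ip_from` and `real_ip_recursive on`. The allowlist, the trusted proxy ranges and the four sample requests are all constructed for this example; nothing here is taken from a real cluster.

```python
import ipaddress

# Constructed for this example: the ACL from the issue and an assumed set of
# proxy ranges that are allowed to speak for the client. Neither comes from
# the ingress controller's own configuration.
WHITELIST = [ipaddress.ip_network("123.123.123.123/32")]
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),    # cluster-internal hops (assumed)
    ipaddress.ip_network("192.0.2.0/24"),  # assumed load-balancer range
]


def _in_any(addr, networks):
    """True if addr parses as an IP and falls inside one of networks.
    Unparseable input is treated as not matching, never as a pass."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def naive_real_ip(remote_addr, xff):
    """The behaviour described in the issue: if X-Forwarded-For is present,
    its first entry becomes the_real_ip, regardless of who wrote it."""
    if xff and xff.strip():
        return xff.split(",")[0].strip()
    return remote_addr


def trusted_real_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Hardened resolution, modelled on nginx's real_ip module with
    set_real_ip_from <trusted> and real_ip_recursive on: start from the
    TCP peer and walk X-Forwarded-For from the right, skipping only hops
    that are trusted proxies. The first untrusted hop is the client; any
    entries to its left were supplied by that client and are ignored."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    candidate = remote_addr
    while hops and _in_any(candidate, trusted):
        candidate = hops.pop()
    return candidate


def allowed(addr, whitelist=WHITELIST):
    """whitelist-source-range check against the resolved client address."""
    return _in_any(addr, whitelist)


def evaluate(remote_addr, xff):
    """Resolve one request both ways; returns (naive_allowed, hardened_allowed)."""
    return (allowed(naive_real_ip(remote_addr, xff)),
            allowed(trusted_real_ip(remote_addr, xff)))


# Constructed requests (no real traffic): (TCP peer address, X-Forwarded-For value).
REQUESTS = {
    # Client reaches nginx directly (as with a pass-through L4 balancer) and
    # forges the header with the whitelisted address.
    "forged header, direct": ("198.51.100.7", "123.123.123.123"),
    # Legitimate client behind the trusted balancer, which appends its address.
    "legit via proxy": ("192.0.2.10", "123.123.123.123"),
    # Attacker behind the trusted balancer pre-loads the header; the balancer
    # appends the attacker's real address on the right.
    "forged header via proxy": ("192.0.2.10", "123.123.123.123, 198.51.100.7"),
    # Garbage header via the balancer: must fail closed.
    "malformed": ("192.0.2.10", "not-an-ip"),
}

if __name__ == "__main__":
    for name, (remote, xff) in REQUESTS.items():
        naive_ok, hardened_ok = evaluate(remote, xff)
        print(f"{name:24s} naive={naive_ok!s:5} hardened={hardened_ok}")
```

The naive resolver admits both forged requests, which is exactly the override the reporter demonstrates; the hardened one admits only the client that the trusted balancer vouches for and rejects the malformed header rather than treating it as a pass. The underlying point matches aledbf's replies: `X-Forwarded-For` is only meaningful when the peer that wrote it is trusted, so without a proxying load balancer (or proxy protocol) in front of nginx the header must not feed the ACL at all.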