Skip to content

the_real_ip not capturing correct client ip from cloudfront #3172

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
timm088 opened this issue Oct 3, 2018 · 11 comments
Closed

the_real_ip not capturing correct client ip from cloudfront #3172

timm088 opened this issue Oct 3, 2018 · 11 comments

Comments

@timm088
Copy link

timm088 commented Oct 3, 2018
edited
Loading

Is this a BUG REPORT or FEATURE REQUEST? (choose one): Possible bug?

NGINX Ingress controller version: 0.17.1
Kubernetes version (use kubectl version): 1.10.3

  • Cloud provider or hardware configuration: AWS (EKS)
  • Others:

What happened:
When using use-proxy-protocol: "true", config within nginx.conf is created with
real_ip_header proxy_protocol;

If i add an additional message to the logs to print $http_x_forwarded_for, we see the 'real' client ip.

However, $the_real_ip contains what we assume is the last IP of the x-forwarded-for, not the first (which is the real client ip).

What you expected to happen:

Client ip would be stored in $the_real_ip

Anything else we need to know:

Only appears to happen with cloudfront > elb > ingress
When we bypass cloudfront, the ELB only has a single entry in x-forwarded-for. Looks to be related to multi entry x-forwarded-for
@aledbf
Copy link
Member

aledbf commented Oct 4, 2018

@timm088 are you setting https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#proxy-real-ip-cidr ?

@aledbf
Copy link
Member

aledbf commented Oct 4, 2018

something like

# your vpc subnet where ELB resides in
XX.XXX.XXX.XXX/XX;

# AWS CloudFront IP/CIDR range
52.84.0.0/15,54.182.0.0/16,54.192.0.0/16,54.230.0.0/16,54.239.128.0/18,54.239.192.0/19,54.240.128.0/18,204.246.164.0/22,204.246.168.0/22,204.246.174.0/23,204.246.176.0/20,205.251.192.0/19,205.251.249.0/24,205.251.250.0/23,205.251.252.0/23,205.251.254.0/24,216.137.32.0/19;

(please check the addresses)

@timm088
Copy link
Author

timm088 commented Oct 4, 2018

Thanks @aledbf, appreciate your help.

We did try that, setting multiple ranges and still resulted in an incorrect IP shown in logs.

For the moment, we have decided to switch to using an NLB , and disabling proxy_protocol, which has resulted in the behavior we required for the ingress controller (NLB's are pure TCP, and have no http header concept)

@timm088 timm088 closed this as completed Oct 4, 2018
@timm088
Copy link
Author

timm088 commented Oct 5, 2018

Unfortunately, NLBs turned out to be too experimental in their implementation.

I can definitely confirm @aledbf that no matter what I see to try, proxy-real-ip-cidr configmap does not seem to work as its intended.

I can confirm when i alter log message format, x-forwarded-for has the true client (real) ip.

@eseliger
Copy link

eseliger commented Dec 8, 2018

@timm088 were you able to find a viable solution for the problem? I'm also running into this.

@timm088
Copy link
Author

timm088 commented Dec 9, 2018

abandoned from our side for now, returned to ELBs due to some instability in NLBs being 'alpha' supported only. @eseliger

@estahn
Copy link

estahn commented Jun 24, 2019

@timm088 @aledbf We experience the same issue. I believe the main issue is real_ip_header proxy_protocol; is incompatible with X-Forwarded-For. Or at least that there is a mixture of proxy protocol and some HTTP header.

proxy-real-ip-cidr will not help, as it results in the following:

	real_ip_header      proxy_protocol;
	real_ip_recursive   on;
	set_real_ip_from    13.124.199.0/24;
	set_real_ip_from    144.220.0.0/16;
        ...

Cloudfront will transfer the address via X-Forwarded-For, but the realip module is looking at proxy protocol.

@timm088
Copy link
Author

timm088 commented Jun 24, 2019
edited
Loading

We have gone with using https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#compute-full-forwarded-for

This will ensure you retain the entire structure of x-forwarded-for when using cloudfront

Its not the best (depending on what the downstream service is doing here), but we've found it to be the most reliable.

@estahn
Copy link

estahn commented Jun 24, 2019

@timm088 Yes, that works and will keep the IP in HTTP_X_ORIGINAL_FORWARDED_FOR as well. But I wonder what is the effect on features like rate limiting.

@estahn
Copy link

estahn commented Jun 24, 2019

I wonder if forcing the use of real_ip_header X-Forwarded-For with proxy protocol works and resolve this issue. Also what happens if you have some traffic coming through Cloudfront and some bypass the Cloudfront distribution. Imo real_ip_recursive should work on proxy_protocol and X-Forwarded-For.

ingress-nginx/rootfs/etc/nginx/template/nginx.tmpl

Lines 127 to 134 in 8cee8d5

{{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
{{/* we use the value of the real IP for the geo_ip module */}}
{{ if or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol }}
{{ if $cfg.UseProxyProtocol }}
real_ip_header proxy_protocol;
{{ else }}
real_ip_header {{ $cfg.ForwardedForHeader }};
{{ end }}

@estahn
Copy link

estahn commented Jun 24, 2019

Here is a possible solution to the issue: https://www.getpagespeed.com/server-setup/nginx/how-to-use-multiple-real-ip-headers-with-nginx

@estahn estahn mentioned this issue Jun 24, 2019
Closed
@noqcks noqcks mentioned this issue Mar 10, 2020
Closed
@stac47 stac47 mentioned this issue Dec 11, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@aledbf @estahn @timm088 @eseliger