Cloudflare & Proxy Protocol #4731

Closed
okgolove opened this issue Oct 31, 2019 · 15 comments · Fixed by #12768
@okgolove

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.): no

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): cloudflare, proxy_protocol


Is this a BUG REPORT or FEATURE REQUEST? (choose one):
Feature Request

NGINX Ingress controller version:
0.26.1

Kubernetes version (use kubectl version):
1.12.10-eks

Environment:

  • Cloud provider or hardware configuration: AWS

What happened:
We like Cloudflare. And we have to use proxy protocol because we use ELB on AWS.
The problem is that the proxy_protocol IP equals the Cloudflare proxy server's IP, and this can be fixed only by changing the default nginx.tmpl (example: #3529 (comment)). This is a headache because nginx.tmpl changes often.

What you expected to happen:
It would be great if I could fix this using a ConfigMap. It doesn't look like a big deal; I'd like to discuss it.

How to reproduce it (as minimally and precisely as possible):
Cloudflare + ELB.

Anything else we need to know:

@aledbf
Member

aledbf commented Oct 31, 2019

@okgolove using the following annotation should solve the issue:

nginx.ingress.kubernetes.io/server-snippet: |
  real_ip_header CF-Connecting-IP;

@okgolove
Author

@aledbf hmmm. I haven't thought about something like this.
I need to test it.
As far as I understand it can be used with server-snippet to set it up globally. Am I right?

@aledbf
Member

aledbf commented Oct 31, 2019

> As far as I understand it can be used with server-snippet to set it up globally. Am I right?

Correct.

@okgolove
Author

It seems it works for $remote_addr.
What about $the_real_ip? For example, whitelist functionality uses $the_real_ip.

@aledbf
Member

aledbf commented Oct 31, 2019

> What about $the_real_ip?

That was removed in 0.26; only $remote_addr exists and is used in the whitelist functionality (#4557).

@okgolove
Author

Thank you.
It seems I got it working.

The config:

proxy-real-ip-cidr: "173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32,10.0.0.0/8"

use-proxy-protocol: "True"
server-snippet: |
  real_ip_header CF-Connecting-IP;

@okgolove okgolove closed this as completed Nov 1, 2019
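
The configuration above works because the header is honoured only for senders inside `proxy-real-ip-cidr` (rendered as `set_real_ip_from` in the NGINX config). The following is an added example, not part of the original thread or the project's code: a simplified Python model of that trust check, using a shortened copy of the CIDR list from the comment and constructed sample requests; the function and variable names are hypothetical.

```python
import ipaddress

# Shortened copy of the proxy-real-ip-cidr value from the comment above.
TRUSTED_CIDRS = [
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/12",
    "172.64.0.0/13", "2606:4700::/32", "10.0.0.0/8",
]

def effective_client_ip(peer_ip, headers, trusted_cidrs=TRUSTED_CIDRS,
                        header_name="CF-Connecting-IP"):
    """Return the client address access rules would see for one request.

    peer_ip -- address of the sender that connected to NGINX
    headers -- dict of request headers
    The header is honoured only when the sender is inside a trusted CIDR
    and the header holds a valid IP; otherwise the sender address is kept.
    """
    peer = ipaddress.ip_address(peer_ip)
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    if not any(peer.version == n.version and peer in n for n in nets):
        return str(peer)                  # untrusted sender: header ignored
    # Header names are case-insensitive in HTTP.
    value = next((v for k, v in headers.items()
                  if k.lower() == header_name.lower()), None)
    if value is None:
        return str(peer)
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return str(peer)                  # malformed value: keep sender

# Constructed sample requests: (sender address, headers).
SAMPLES = [
    ("203.0.113.50", {"CF-Connecting-IP": "198.51.100.7"}),   # not in the list
    ("173.245.48.10", {"CF-Connecting-IP": "198.51.100.7"}),  # Cloudflare range
    ("10.0.1.5", {"cf-connecting-ip": "198.51.100.7"}),       # inside 10.0.0.0/8
    ("173.245.48.10", {"CF-Connecting-IP": "not-an-ip"}),     # malformed header
]

def run_samples():
    return [effective_client_ip(peer, hdrs) for peer, hdrs in SAMPLES]

if __name__ == "__main__":
    for (peer, _), seen in zip(SAMPLES, run_samples()):
        print(f"{peer:>15} -> {seen}")
```

Every range in the list is a sender whose header value is believed as-is, so the list should hold only Cloudflare's ranges and the internal load-balancer range, as in the comment above.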
@arvtiwar

Do you need Cloudflare Enterprise or higher plan to get this working?

@arvtiwar

@okgolove can you share more info?
Do you need Cloudflare Enterprise or higher plan to get this working?

@okgolove
Author

Hi @arvtiwar!
No, it doesn't depend on a plan type.
The header (CF-Connecting-IP) always exists if a host is behind Cloudflare.

@arvtiwar

Thank you very much

@arvtiwar

one more question - the above config is part of which config map?
ingress-controller-leader-nginx
ingress-nginx-controller
nginx-configuration

@okgolove
Author

This is ingress-nginx-controller ConfigMap.

@arvtiwar

thanks

@myvelmurugan

@okgolove Hi, how did you manage the ELB and Cloudflare traffic which is coming to the ingress nginx controller?

When I enable proxy, I get the client x_forward_header IP for the ELB, and if I enable CF_Connecting_IP it's not working as expected. I am not getting the client source for even ELB and Cloudflare.

@morganchristiansson

This is already a good option: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers

use-forwarded-headers: "true"
