Preserving remote client IP with Ingress

Programming basics | Industry news | Updated: 2024-10-11 23:16:11

My goal is to make my web application (deployed on a Kubernetes 1.4 cluster) see the IP of the client that originally made the HTTP request. As I'm planning to run the application on a bare-metal cluster, GCE and the service.alpha.kubernetes.io/external-traffic: OnlyLocal service annotation introduced in 1.4 are not applicable for me.

Looking for alternatives, I've found this question, which proposes setting up an Ingress to achieve my goal. So, I've set up the Ingress and the NginX Ingress Controller. The deployment went smoothly and I was able to connect to my web app via the Ingress Address and port 80. However, in the logs I still see cluster-internal IPs (from the 172.16.0.0/16 range), and that means that the external client IPs are not being properly passed via the Ingress. Could you please tell me what I need to configure in addition to the above to make it work?

My Ingress' config:

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: myWebApp
    spec:
      backend:
        serviceName: myWebApp
        servicePort: 8080

Accepted answer

As a layer 4 proxy, Nginx cannot retain the original source IP address in the actual IP packets. You can work around this using the Proxy protocol (the link points to the HAProxy documentation, but Nginx also supports it).

For this to work however, the upstream server (meaning the myWebApp service in your case) also needs to support this protocol. In case your upstream application also uses Nginx, you can enable proxy protocol support in your server configuration as documented in the official documentation.

According to the Nginx Ingress Controller's documentation, this feature can be enabled in the Ingress Controller using a Kubernetes ConfigMap:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: nginx-ingress-controller
    data:
      use-proxy-protocol: "true"

Specify the name of the ConfigMap in your Ingress controller manifest, by adding the --nginx-configmap=<insert-configmap-name> flag to the command-line arguments.
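To show what the upstream side of this has to do once the flag above is set, here is an added example (not from the question, the answer, or the NGINX Ingress Controller project): a strict reader of the PROXY protocol v1 header, run over a constructed sample stream, that believes the header only when the TCP peer is an ingress pod. The 172.16.0.0/16 trusted range and every address in the sample are assumptions.

```python
import ipaddress
import re

# Constructed sample of what the upstream sees on the TCP stream once the
# Ingress Controller runs with use-proxy-protocol: "true" (PROXY protocol v1).
SAMPLE_STREAM = (
    b"PROXY TCP4 203.0.113.5 172.16.3.20 44321 8080\r\n"
    b"GET / HTTP/1.1\r\nHost: mywebapp\r\n\r\n"
)

_V1_RE = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n$")


def parse_proxy_v1(stream: bytes) -> tuple[dict, bytes]:
    """Split a PROXY protocol v1 header off the start of a byte stream.

    Returns (header_fields, remaining_bytes). Raises ValueError on a missing or
    malformed header: a strict reader drops the connection instead of falling
    back to the TCP peer address, so a mangled header is never logged as a client.
    """
    end = stream.find(b"\r\n")
    if end == -1 or end > 105:  # spec: header line is at most 107 bytes incl. CRLF
        raise ValueError("no PROXY v1 header line")
    line = stream[: end + 2]
    m = _V1_RE.match(line)
    if not m:
        raise ValueError(f"malformed PROXY header: {line!r}")
    family = m.group(1).decode()
    if family == "UNKNOWN":  # proxy could not determine the address; carries no client IP
        return {"family": family}, stream[end + 2:]
    src = ipaddress.ip_address(m.group(2).decode())  # raises ValueError if not an IP
    dst = ipaddress.ip_address(m.group(3).decode())
    sport, dport = int(m.group(4)), int(m.group(5))
    want = 4 if family == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match header")
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    fields = {"family": family, "src": str(src), "dst": str(dst), "sport": sport, "dport": dport}
    return fields, stream[end + 2:]


def client_ip(stream: bytes, peer_ip: str, trusted_proxies: list) -> str:
    """Address to log as the client; PROXY headers are believed only from the ingress pods."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        return peer_ip  # an untrusted peer must not be able to assert a client address
    fields, _rest = parse_proxy_v1(stream)
    return fields.get("src", peer_ip)
```

The same trust decision is what `set_real_ip_from` does when the upstream is itself Nginx with `proxy_protocol` enabled on its `listen` directive.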

Published: 2023-08-01 03:06:00
Source: https://www.elefans.com/category/jswz/34/1353910.html