How to set up Nginx Ingress for Load Balancers with Proxy Protocol Support

March 19, 2019 6.6k views
Load Balancing Kubernetes

Digital Ocean just announced Proxy Protocol support for kubernetes load balancers.

https://blog.digitalocean.com/load-balancers-now-support-proxy-protocol/

How can we modify Nginx Ingress to work with the proxy protocol to get source ip of visitors?

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes

Perhaps annotations?

I hope Digital Ocean engineers have tested proxy protocol with Nginx Ingress controllers

1 comment
4 Answers

BTW … there’s an issue with proxy protocol and the jet stack cert-manager.

See https://github.com/jetstack/cert-manager/issues/466

My only workaround is to temporarily disable proxy protocol on the load balancer (and nginx ingress config map) allowing the certificate to be issued.

kubectl edit configmap -n ingress-nginx nginx-ingress-controller
#  use-proxy-protocol: "true"
  • Did you found a solution to this problem? I have no idea how use cert-manager and having real client ip.

  • Thank you… Any full solution yet?

  • Has anyone found a solution to the cert manager issue. The issue has been closed now advising it’s nothing to do with cert manager, which suggests its an issue with digitalocean

I got it working!!! The answer is to create a config map with use-proxy-protocol: “true” as follows:

Step 1. Follow instructions from the tutorial

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml

Step 2. Create the following configmap.yaml that includes use-proxy-protocol:

# configmap.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
data:
  use-forwarded-headers: "true"
  compute-full-forwarded-for: "true"
  use-proxy-protocol: "true"

Step 3. Apply configmap.yaml

kubectl apply -f configmap.yaml

Step 4. Create your ingress resource:

# ingress.yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: echo-ingress
spec:
  rules:
  - host: echo1.example.com
    http:
      paths:
      - backend:
          serviceName: echo1
          servicePort: 80
  - host: echo2.example.com
    http:
      paths:
      - backend:
          serviceName: echo2
          servicePort: 80

Step 5. Apply your ingress resource:

kubectl apply -f ingress.yaml

Step 6. Wait for the External IP of your load balancer

kubectl get svc -n ingress-nginx

Step 7. Enable Proxy Protocol on your load balancer

Image of load balancer

Step 8. Update your DNS A records with your External IP

Best of luck …

by Hanif Jetha
In this tutorial, learn how to set up and secure an Nginx Ingress Controller with Cert-Manager on DigitalOcean Kubernetes.

For anyone using Helm, you can replace steps 1, 2 and 3 (above) with the following …

# nginx-ingress-controller-config.yaml
controller:
  config:
    use-forwarded-headers: "true"
    compute-full-forwarded-for: "true"
    use-proxy-protocol: "true"

helm install --namespace ingress-nginx --name nginx-ingress stable/nginx-ingress -f nginx-ingress-controller-config.yaml
  • To avoid the manual step of setting the Load balancer into proxy mode via the dashboard, add an annotation to the values file, eg:

    # nginx-ingress-controller-config.yaml
    controller:
      config:
        use-forwarded-headers: "true"
        compute-full-forwarded-for: "true"
        use-proxy-protocol: "true"
      service:
        annotations:
          service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
    
    

    Or if you want to just set all of the above options on the CLI using helm

    helm install stable/nginx-ingress --name nginx-ingress --set controller.publishService.enabled=true --set-string controller.config.use-forward-headers=true,controller.config.compute-full-forward-for=true,controller.config.use-proxy-protocol=true  --set controller.service.annotations."service\.beta\.kubernetes\.io/do-loadbalancer-enable-proxy-protocol=true"
    
Have another answer? Share your knowledge.