Related

How multiple droplets share resources Question Question
how to configure 2 droplets with HAProxy + keepalived Question Question

Question

using digitalocean loadbalancer, how to get real ip?

Posted January 9, 2018 8.5k views
Load Balancing

Digital ocean’s Loadbalancer does not send X-Forwarded-For header, so how to get real ip info with load balancer?

Add a comment
alexe9378b6afe3312f2e0aff5
By:
alexe9378b6afe3312f2e0aff5
Add a comment
1 comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
5 answers
nfern February 15, 2020

I got my nginx ingress to work by doing these two things:
1) Enable Proxy Protocol in the DO load balancer - https://www.digitalocean.com/docs/networking/load-balancers/#proxy-protocol
2) Modify NGINX config

Hope this helps!

Reply Report
  • neilnitk April 7, 2020

    Thanks for this!

    In kubernetes, I have to create a config-map for nginx with the following details: 

    kind: ConfigMap
apiVersion: v1
metadata:
  name: ingress-nginx-ingress-controller
  namespace: name_of_your_workspace
data:
  proxy-real-ip-cidr: '1.2.3.4,10.244.0.0/24'
  use-proxy-protocol: 'true'

    where 1.2.3.4 is the external ip of your load balancer.

    you also need to set the proxy_enabled flag in your load balancer using annotations:

    kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

    as mentioned in this post.

    Reply Report
yondbee February 8, 2019

The Load Balancer takes care of automatically renewing the Let’s Encrypt certificate for you. The only issue is when you host multiple vhosts behind the LB and you cant get a wildcard certificate or upload different certificates on the LB.

Reply Report
asb January 9, 2018

DigitialOcean Load Balancers set the X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port headers to give backend nodes information about the original request. Though you’ll need to ensure that you web server or application is configured to log that.

For example, if you were using Nginx, you could capture the original IP for a request by configuring a custom log_format directive and using it in your access_log directive. On Ubuntu , you would need to edit the main Nginx config located at /etc/nginx/nginx.conf Here’s a very simple example as a proof of concept:

        log_format from-lb 'Original IP: $http_x_forwarded_for';
        access_log /var/log/nginx/access.log from-lb;

Of course, you’ll likely want to log more information than that. Here’s a more detailed log format that matches the default output but replaces uses the origin IP address:

        log_format main '$http_x_forwarded_for - $remote_user [$time_local] '
                        '"$request" $status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent"' ;

        access_log /var/log/nginx/access.log main;

If you’re using Nginx, you can find more details about configuring logging in this tutorial. If you aren’t, let us know what web server you’re using, and we can help more.

How To Configure Logging and Log Rotation in Nginx on an Ubuntu VPS
by Justin Ellingwood
Understanding the logging mechanisms of your server will help you diagnose problems and avoid larger problems down the road. In this article, we will explore Nginx's logging capabilities. We will discuss the configuration options and the tools that can be used to maintain your logs.
Reply Report
markruys August 4, 2018

In case of https this only works when you do the SSL offloading on the load balancer. So if you need the client’s real IP address, don’t use certificate passthrough.

Reply Report
rnmkr December 18, 2018

DO LB doesn’t pass user’s real ip when using https passthrough. In such case you must use SSL termination at Load balancer it self, however this is real deal if you’re using let’s encrypt free SSL with http01 validation. Because you have to re-new and re-upload licenses manually.

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help