Digital ocean’s Loadbalancer does not send X-Forwarded-For header, so how to get real ip info with load balancer?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
×I got my nginx ingress to work by doing these two things:
1) Enable Proxy Protocol in the DO load balancer - https://www.digitalocean.com/docs/networking/load-balancers/#proxy-protocol
2) Modify NGINX config
Hope this helps!
Thanks for this!
In kubernetes, I have to create a config-map for nginx with the following details:
Question
kind: ConfigMap
apiVersion: v1
metadata:
name: ingress-nginx-ingress-controller
namespace: name_of_your_workspace
data:
proxy-real-ip-cidr: '1.2.3.4,10.244.0.0/24'
use-proxy-protocol: 'true'
where 1.2.3.4 is the external ip of your load balancer.
you also need to set the proxy_enabled flag in your load balancer using annotations:
kind: Service
apiVersion: v1
metadata:
name: ingress-nginx
namespace: ingress-nginx
annotations:
service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
as mentioned in this post.
It is important to note that the metadata.name value on the configMap must be equal to the metadata.name value on the Loadbalancer service.
DigitialOcean Load Balancers set the X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port headers to give backend nodes information about the original request. Though you’ll need to ensure that you web server or application is configured to log that.
For example, if you were using Nginx, you could capture the original IP for a request by configuring a custom log_format directive and using it in your access_log directive. On Ubuntu , you would need to edit the main Nginx config located at /etc/nginx/nginx.conf Here’s a very simple example as a proof of concept:
log_format from-lb 'Original IP: $http_x_forwarded_for';
access_log /var/log/nginx/access.log from-lb;
Of course, you’ll likely want to log more information than that. Here’s a more detailed log format that matches the default output but replaces uses the origin IP address:
log_format main '$http_x_forwarded_for - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent"' ;
access_log /var/log/nginx/access.log main;
If you’re using Nginx, you can find more details about configuring logging in this tutorial. If you aren’t, let us know what web server you’re using, and we can help more.
@GrantZvolsky — amazing answer, did the trick for me! The link to blog post is broken though, sadly :) Would love to read it!
Thank you! It’s back up. The blog mostly serves as a canary of an app that I’m working on. Apparently I accidentally misconfigured production while playing with a dev cluster. Time to set up some health checks. I’m happy to hear that the blog’s single blogpost is useful to someone :)
Regarding ingress-nginx, in my experience it suffices to
1) set its
use-proxy-protocolflag to “true” in the controller’s configmap, and2) enable the LB’s
do-loadbalancer-enable-proxy-protocol; you can do this in the web UI.See my blogpost for details https://en.zvolsky.org/articles/60133f1c-6de5-43d1-904c-6eb1e0f9195d