Cannot get client real IP in Kubernetes on AWS ELB

We are using Kong as our ingress controller with service type LoadBalancer. Kong is deployed using the Helm chart.

```yaml
apiVersion: v1   # required field, omitted from the original post
kind: Service
metadata:
  annotations:
    # ask the AWS cloud provider to enable PROXY protocol on the ELB backends
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
  labels:
    app: kong
    chart: kong-0.23.0
    heritage: Tiller
    release: ota-kong
  name: ota-kong-kong-proxy
  namespace: default
spec:
  # Local keeps the source address when traffic reaches the node
  externalTrafficPolicy: Local
  healthCheckNodePort: 31645
  ports:
  - name: kong-proxy
    nodePort: 32767
    port: 80
    protocol: TCP
    targetPort: 8000
  - name: kong-proxy-tls
    nodePort: 32018
    port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    app: kong
    component: app
    release: ota-kong
  sessionAffinity: None
  type: LoadBalancer
```

We still cannot see the actual client IP in the Kong proxy logs. We have also set the following environment variables:
```yaml
env:
  database: postgres
  proxy_listen: 0.0.0.0:8000, 0.0.0.0:8443 ssl proxy_protocol
  trusted_ips: 0.0.0.0/0,::/0
  real_ip_recursive: "on"
  real_ip_header: X-Forwarded-For
```

The above environment variables are passed from the values.yaml file, and I can confirm KONG_TRUSTED_IPS, KONG_REAL_IP_RECURSIVE and KONG_REAL_IP_HEADER are set inside the Kong proxy pod.

@hbagdi any suggestion on what might be wrong would be really helpful. Thanks in advance.

Not sure this will work completely, as I think some Lua will need to be slung to fully take advantage of this. I am investigating further: How to Forward Client's request IP


Hi,

I have solved this issue recently; you just need to set two env variables in Kong.

real_ip_header: X-Forwarded-For (Right, you have it)
trusted_ips: "YOUR ELB VPC CIDR"

This way Nginx uses the module ngx_http_realip_module, reading the forwarded IP and updating remote_addr with the first IP (the client IP). After this change, the Nginx logs will display the client's public IP instead of ELB IPs. Kong will only serve requests forwarded from your load balancer.

Thanks @abenitovsc, will give it a try and update here if I am able to get this working.

Hi @Mju, I have just realized that the trusted_ips content was escaped with <.
I have updated my last comment. Let us know how it goes. You can deploy this app to check the headers:
https://hub.docker.com/r/brndnmtthws/nginx-echo-headers/

You will see that the X-Real-IP set by Kong from remote_addr is the first IP in the X-Forwarded-For header (the client IP) instead of the last one (the IP from the ELB CIDR).

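To make the difference between the two trusted_ips settings in this thread concrete, here is an added example (not code from the thread, from Kong, or from nginx) that models the address selection of nginx's ngx_http_realip_module, which is what Kong's trusted_ips, real_ip_header and real_ip_recursive settings configure. The rules it follows are the documented nginx ones: the header is only honoured when the connecting peer is trusted; with real_ip_recursive on, nginx scans X-Forwarded-For from the right and skips trusted addresses, so if every address is trusted the leftmost one wins; with real_ip_header proxy_protocol the address comes from the PROXY line instead. The CIDR and addresses are constructed for the demo and stand in for an ELB range, an ELB node, a client and a value the client put in its own header.

```python
"""Model of nginx ngx_http_realip_module address selection (added example).

Rules modelled, from the nginx real_ip module documentation and source:
  * the header is honoured only if the peer that connected is in trusted_ips
  * real_ip_header X-Forwarded-For, real_ip_recursive off: the last address wins
  * real_ip_recursive on: scan right-to-left, skipping trusted addresses;
    if every address is trusted, the leftmost one wins
  * real_ip_header proxy_protocol: the address from the PROXY line wins
All addresses and CIDRs below are constructed for the demo.
"""
import ipaddress

ELB_CIDR = "10.0.0.0/16"      # assumed VPC range the ELB lives in
ELB_NODE = "10.0.12.34"       # assumed ELB address that connects to Kong
CLIENT = "203.0.113.7"        # the real client, as seen by the ELB
SPOOFED = "198.51.100.1"      # value the client put in its own X-Forwarded-For


def _is_trusted(addr, nets):
    ip = ipaddress.ip_address(addr)
    # 'in' is False across IP versions, so ::/0 never matches an IPv4 address
    return any(ip in net for net in nets)


def resolve_client_ip(remote_addr, trusted_ips, xff=None, recursive=True,
                      proxy_protocol_addr=None):
    """Return what nginx would expose as remote_addr (and Kong as X-Real-IP)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_ips]
    if not _is_trusted(remote_addr, nets):
        return remote_addr                # untrusted peer: headers are ignored
    if proxy_protocol_addr is not None:   # real_ip_header proxy_protocol
        return proxy_protocol_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    result = remote_addr
    for hop in reversed(hops):            # nginx walks the header from the right
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                         # nginx stops at the first unparsable entry
        result = hop
        if not recursive or not _is_trusted(hop, nets):
            break
    return result


def scenarios():
    """The two configurations from the thread, each fed a spoofed header."""
    # the client sent SPOOFED itself; an HTTP-mode ELB appends the real CLIENT
    spoofed_xff = f"{SPOOFED}, {CLIENT}"
    trust_all = ["0.0.0.0/0", "::/0"]
    return {
        # answer's setting: trust only the ELB range
        "elb_cidr_honest": resolve_client_ip(ELB_NODE, [ELB_CIDR], xff=CLIENT),
        "elb_cidr_spoofed": resolve_client_ip(ELB_NODE, [ELB_CIDR], xff=spoofed_xff),
        # original poster's setting: trust everything with real_ip_recursive on
        "trust_all_spoofed": resolve_client_ip(ELB_NODE, trust_all, xff=spoofed_xff),
        # same setting with real_ip_recursive off: the last (ELB-appended) entry
        "trust_all_non_recursive": resolve_client_ip(ELB_NODE, trust_all,
                                                     xff=spoofed_xff, recursive=False),
        # direct hit on the NodePort from outside, bypassing the ELB
        "direct_untrusted": resolve_client_ip(CLIENT, [ELB_CIDR], xff=SPOOFED),
        # TCP-mode ELB with PROXY protocol and real_ip_header proxy_protocol
        "proxy_protocol": resolve_client_ip(ELB_NODE, [ELB_CIDR],
                                            proxy_protocol_addr=CLIENT),
    }


if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name:24s} -> {ip}")
```

With trusted_ips limited to the ELB range, the spoofed entry is ignored because the scan stops at the first untrusted address, which is the one the ELB appended. With 0.0.0.0/0,::/0 and real_ip_recursive on, every entry is trusted and the leftmost, client-controlled value ends up in remote_addr and in the access log. One caveat worth noting, as general nginx and AWS behaviour rather than something the thread confirms: the Service at the top of the thread enables PROXY protocol, and a classic ELB with TCP listeners (the default for a Kubernetes LoadBalancer Service) does not add X-Forwarded-For at all, so for that listener the matching setting is real_ip_header proxy_protocol, still combined with a narrow trusted_ips.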