Getting IP forward to work with IP Restriction plugin and proxy NGINX


#1

Hi all,

I run Kong through DCOS and I have an edge machine that runs our edge nginx.

So what we have is like the following:

DOMAIN1 -> EDGE NGINX -> KONG

I’m trying to use the IP Restriction plugin, but when the IP arrives in Kong, it is the EDGE machine’s internal network IP (10.250.3.2).

I have the following configuration in the Edge nginx:

proxy_set_header            Host            $http_host;
proxy_set_header            X-Forwarded-For  $proxy_add_x_forwarded_for;
proxy_set_header            X-Real-IP       $remote_addr;
proxy_set_header            X-Forwarded-Proto $scheme;
proxy_set_header            Connection "";

And Kong is configured as follows:

KONG_TRUSTED_IPS: 0.0.0.0/0,::0 
KONG_REAL_IP_RECURSIVE: on
KONG_REAL_IP_HEADER: X-Forwarded-For

I’m running Kong 0.14.1.

If I put 10.250.3.2 in the IP Restriction plugin, it works well, but it doesn’t if I use my external IP.


#2

I have a very similar use case, and I am currently trying to work around it. It would be very good to have a solution for that.


#3

Can anyone help with the issue?


#4

Hi,

Your config seems correct at first glance. First of all, make sure that your EDGE nginx has reloaded that config after you changed it, and make sure to reload Kong as well.

If that doesn’t work, you will have to debug the problem. I would recommend starting by adding a logging plugin to Kong (you could use file-log, or any other logging plugin if it suits you better) so you can see which requests Kong is receiving, and especially the headers.

If you can’t find the issue that way, you should do something similar with your EDGE machine, although the process might be more involved - it might involve manually changing your config to write down requests in your logs.

If you still can’t find the problem after that, please include a sample of each here - the headers in particular should be particularly useful.


#5

I’ll give it a try with file logging and see what happens. I tried on EDGE to set the response header with the same values as the proxy ones and I got the expected header values.

But I’ll check with the file log and I’ll let you know.


#6

Hi @kikito, for some reason the header was not reaching Kong. Those directives are set under the http namespace, but it seems to work only when I add them to the location / {} block. Do you have any idea why this can happen?

I thought that by adding to http {} block it would apply to everything below it.


#7

Found the issue. proxy_set_header is not inherited if there is any proxy_set_header in the current block.
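
The inheritance rule from post #7, as an added example (not part of the original thread, and not code from Kong or nginx): a small Python check that parses an nginx config and reports blocks whose own proxy_set_header lines cause a header set in an enclosing block, such as X-Forwarded-For, to be dropped. The sample config and the upstream name kong:8000 are constructed; include files are not followed and '#' inside quoted values is not handled.

```python
import re

# Tokens: quoted strings, braces, semicolons, bare words.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[{};]|[^\s{};"\']+')

# Constructed sample: http{} sets the forwarding headers; "location /" adds one
# proxy_set_header of its own, which switches off inheritance for that block.
SAMPLE = '''
http {
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    server {
        location / {
            proxy_set_header Connection "";
            proxy_pass http://kong:8000;   # hypothetical upstream
        }
        location /health { proxy_pass http://kong:8000; }
    }
}
'''

def parse(conf):
    """Build a tree of blocks, recording the proxy_set_header names each one sets."""
    root = {"name": "main", "own": set(), "kids": []}
    stack, words = [root], []
    for tok in TOKEN.findall(re.sub(r"(?m)#.*$", "", conf)):  # strip comments
        if tok == "{":
            node = {"name": " ".join(words), "own": set(), "kids": []}
            stack[-1]["kids"].append(node)
            stack.append(node)
        elif tok == "}":
            stack.pop()
        elif tok == ";" and words[:1] == ["proxy_set_header"] and len(words) > 1:
            stack[-1]["own"].add(words[1].strip("\"'").lower())
        words = [] if tok in ("{", "}", ";") else words + [tok]
    return root

def dropped_headers(conf, wanted=("X-Forwarded-For",)):
    """Return (block path, header) pairs where the block's own lines omit an inherited header."""
    findings = []
    def walk(node, inherited, path):
        path = path + [node["name"]]
        if node["own"]:  # any own proxy_set_header replaces the inherited set
            findings.extend((" > ".join(path[1:]), h) for h in wanted
                            if h.lower() in inherited and h.lower() not in node["own"])
        for kid in node["kids"]:
            walk(kid, node["own"] or inherited, path)
    walk(parse(conf), set(), [])
    return findings
```

For the sample, `dropped_headers(SAMPLE)` flags `location /` but not `location /health`; repeating the forwarding headers inside the flagged block clears the finding.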


#8

Hi all,
I am using Kong in Kubernetes. How do I modify the nginx configuration in Kubernetes?
I have to modify the X-Forwarded setting to get the client IP.
Please let me know how to proceed in Kubernetes.