Ip-restriction plugin and x-forwarded-for

Hello all!

On Kong 2.0, we’re trying to get the ip restriction plugin working. We have added multiple single IP addresses to the allow list and enabled the plugin on a consumer. We then see 403s being issued to valid consumers.

From what we can see, the client_ip attribute is reported as a lan IP address (10.0.x.x), but the X-Forwarded-For headers contain two IP addresses. One is the real ip address that we’re interested in filtering on, the other is the ingress controller we have within GKE.

Does the IP restriction plugin obey X-Forwarded-For or not? If so, how does it handle multiple entries in the same header?

We tried adding both the real client IP and the ingress controller IP to the allow list, and no luck there either.

Any insight you can provide would be greatly appreciated!
– Jimmy

Thank you so much for the doc, that definitely explained a lot.

Unfortunately, when I set the traffic policy to “Local”, its showing the second IP in the X-Forwarded-For header as the client IP, whereas the original client IP is the first. The second IP is our ingress controller.

I’m just unaware of how the binary address that the plugin is using is actually decided. The documentation is very opaque about how it’s all determined.

In full transparency, we also have KONG_REALIP_HEADER set to x-forwarded-for. Once we did that, it stopped showing random GKE IP addresses, but is unfortunately only displaying the ingress.

This is an interesting problem and I don’t really know how to solve it.
@bungle @datong.sun @hisham Do you have any experience with this?

It seems that we are running into the unsolved https://trac.nginx.org/nginx/ticket/1316.