Ip-restriction plugin with x-forwarded-for not working

Hi. I’m struggling to get it working but no luck.

I have set kong db-less with node port proxy in the k8s cluster, via helm chart 2.16.5 (appVersion 3.1)

I configured k8s to send req with the x-forwarded-for header with real public client IP.
(I’ll mask my public IP to a.b.c.d)

And the Kong file log shows it OK like below

         "content-type":"text/html; charset=utf-8",
         "sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Google Chrome\";v=\"114\"",
         "user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36",
         "accept-encoding":"gzip, deflate, br",

And the Kong daemonset has the envs to take care of the header like below.

     - name: REAL_IP_HEADER                                                  
       value: x-forwarded-for                                                
     - name: KONG_TRUSTED_IPS                                                
     - name: KONG_REAL_IP_RECURSIVE                                          
       value: "on"

For the last, plugin settings are here, simple.

           - name: ip-restriction                                            
                 - a.b.c.d

I think I set it right, but hitting the route shows “503 kong error Your IP address is not allowed”
And adding IP range for LB & k8s node proxy makes the route accessible to all.
So far my Kong setup seems to not respect the x-forwarded-for header. What am I missing?

Thank you.

The IP restriction plugin validates the client IP address from client_ip. I can see the client_ip captured in your logs is not the actual client IP. You have to make changes in your LB so that the actual client IP is captured in client_ip.
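
How `client_ip`, which the answer above says the plugin validates, gets derived: a simplified Python model of the nginx realip logic that Kong's `trusted_ips`, `real_ip_header` and `real_ip_recursive` settings configure. This is an added example, not part of the thread or Kong's own code; the addresses are constructed documentation-range values, the function names are hypothetical, and the model assumes plain IPs without ports in the header.

```python
from ipaddress import ip_address, ip_network

def resolve_client_ip(remote_addr, xff, trusted_ips, recursive=True):
    """Simplified model of nginx realip resolution (plain IPs, no ports)."""
    nets = [ip_network(n) for n in trusted_ips]
    addr = ip_address(remote_addr)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk X-Forwarded-For right to left, only while the current address
    # belongs to a trusted proxy range.
    while hops and any(addr in n for n in nets):
        try:
            addr = ip_address(hops.pop())
        except ValueError:
            break  # unparsable entry: keep the last good address
        if not recursive:
            break  # non-recursive: take only the last header entry
    return str(addr)

def ip_restriction_allows(client_ip, allow):
    """Allow-list check against the resolved client_ip."""
    return any(ip_address(client_ip) in ip_network(n) for n in allow)

# Constructed sample values (documentation ranges, not from the thread):
CLIENT = "203.0.113.7"        # stands in for the masked a.b.c.d
OTHER = "198.51.100.9"        # some other public client
LB = "10.0.0.5"               # address Kong sees the TCP connection from
XFF = f"{CLIENT}, 10.0.1.20"  # header as forwarded through one inner hop

def scenarios():
    out = {}
    # 1) No trusted ranges: header ignored, client_ip is the LB address.
    ip = resolve_client_ip(LB, XFF, [])
    out["untrusted"] = (ip, ip_restriction_allows(ip, [CLIENT]))
    # 2) Same, but LB range added to the allow list: every caller passes.
    ip = resolve_client_ip(LB, f"{OTHER}, 10.0.1.20", [])
    out["lb_allowed"] = (ip, ip_restriction_allows(ip, [CLIENT, "10.0.0.0/8"]))
    # 3) Proxy range trusted + recursive: real client is recovered.
    ip = resolve_client_ip(LB, XFF, ["10.0.0.0/8"])
    out["trusted"] = (ip, ip_restriction_allows(ip, [CLIENT]))
    # 4) Trusted, different client: correctly denied.
    ip = resolve_client_ip(LB, f"{OTHER}, 10.0.1.20", ["10.0.0.0/8"])
    out["trusted_other"] = (ip, ip_restriction_allows(ip, [CLIENT]))
    return out

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

Scenarios 1 and 2 reproduce the two symptoms reported in the question; scenario 3 only works when the trusted ranges cover every proxy hop between the client and Kong and nothing wider.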