Ip-restriction plugin with x-forwarded-for not working

Hi. I’m struggling to get it working, but no luck.

I have set up Kong DB-less with a NodePort proxy in the k8s cluster, via Helm chart 2.16.5 (appVersion 3.1).

I configured k8s to send requests with the x-forwarded-for header carrying the real public client IP.
(I’ll mask my public IP to a.b.c.d)

And the Kong file log shows it OK, like below:

{
   "response":{
      "status":403,
      "headers":{
         "content-type":"text/html; charset=utf-8",
         "server":"kong/3.1.1",
         "content-length":"193",
         "connection":"close",
         "x-kong-response-latency":"0"
      },
      "size":389
   },
   "tries":[
      
   ],
   "route":{
      "paths":[
         "/"
      ],
      "name":"grafana-route",
      "created_at":1686295003,
      "updated_at":1686295003,
      "ws_id":"0dc6f45b-8f8d-40d2-a504-473544ee190b",
      "regex_priority":0,
      "service":{
         "id":"dcce3fc3-f10a-56e2-9573-27c02c8308d3"
      },
      "path_handling":"v0",
      "protocols":[
         "http",
         "https"
      ],
      "id":"f5b654e1-bb3f-533e-97a8-3378ccfbe21a",
      "request_buffering":true,
      "response_buffering":true,
      "strip_path":false,
      "https_redirect_status_code":426,
      "preserve_host":true,
      "hosts":[
         "grafana-dev.nubison.io"
      ]
   },
   "upstream_uri":"/",
   "latencies":{
      "kong":0,
      "request":0,
      "proxy":-1
   },
   "service":{
      "port":80,
      "write_timeout":60000,
      "name":"grafana-app",
      "created_at":1686295003,
      "updated_at":1686295003,
      "ws_id":"0dc6f45b-8f8d-40d2-a504-473544ee190b",
      "read_timeout":60000,
      "protocol":"http",
      "id":"dcce3fc3-f10a-56e2-9573-27c02c8308d3",
      "connect_timeout":60000,
      "host":"monitoring-grafana.monitoring.svc.cluster.local",
      "retries":5,
      "enabled":true
   },
   "client_ip":"192.168.2.67",
   "started_at":1686295545635,
   "request":{
      "querystring":{
         
      },
      "uri":"/",
      "size":850,
      "method":"GET",
      "headers":{
         "sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Google Chrome\";v=\"114\"",
         "x-forwarded-for":"a.b.c.d",
         "sec-ch-ua-mobile":"?0",
         "sec-ch-ua-platform":"\"Linux\"",
         "upgrade-insecure-requests":"1",
         "sec-fetch-site":"none",
         "x-forwarded-proto":"https",
         "sec-fetch-user":"?1",
         "user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
         "accept-language":"ko,en;q=0.9",
         "host":"grafana-dev.nubison.io",
         "cache-control":"max-age=0",
         "cookie":"grafana_session=02a0409fd1b62dac3437cfd589ded439",
         "accept-encoding":"gzip, deflate, br",
         "sec-fetch-dest":"document",
         "x-forwarded-port":"443",
         "x-amzn-trace-id":"Root=1-6482d3f9-2933c20b012db2da431b631b",
         "sec-fetch-mode":"navigate",
         "accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
      },
      "url":"http://grafana-dev.nubison.io:80/"
   }
}

And the Kong DaemonSet has the env vars to take care of the header, like below:

     - name: REAL_IP_HEADER
       value: x-forwarded-for
     - name: KONG_TRUSTED_IPS
       value: 0.0.0.0/0,::/0
     - name: KONG_REAL_IP_RECURSIVE
       value: "on"

Lastly, the plugin settings are here; simple.

           - name: ip-restriction
             config:
               allow:
                 - a.b.c.d

I think I set it right, but hitting the route shows “503 kong error Your IP address is not allowed”.
And adding the 192.168.0.0/16 IP range for the LB & k8s node proxy makes the route accessible to all.
So far my Kong setup seems not to respect the x-forwarded-for header. What am I missing?

Thank you.

The IP restriction plugin validates the client IP address from client_ip. I can see the client_ip captured in your logs is not the actual client IP. You have to make changes in your LB so that the actual client IP is captured in client_ip.
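As an added illustration for this thread (not Kong's own code), the Python below mimics how nginx's realip module, which Kong's real_ip_header / trusted_ips / real_ip_recursive settings drive, turns the TCP peer address and X-Forwarded-For into the client_ip that ip-restriction checks, and it shows why trusted_ips 0.0.0.0/0 lets any peer pick its own client_ip while 192.168.0.0/16 limits that to the LB and node range. Note that Kong reads its settings only from KONG_-prefixed environment variables, so the `REAL_IP_HEADER` entry in the DaemonSet above is not the same as `KONG_REAL_IP_HEADER`. The addresses 203.0.113.10 (standing in for the masked a.b.c.d) and 198.51.100.7 are constructed sample values.

```python
import ipaddress

def _in_any(addr, nets):
    """True if addr falls inside any of the CIDR ranges (IPv4 and IPv6 both handled)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def resolve_client_ip(remote_addr, xff, trusted, recursive=True):
    """Mimic nginx realip (Kong real_ip_header/trusted_ips/real_ip_recursive):
    the header is only honoured when the TCP peer is a trusted proxy. Recursive
    mode walks X-Forwarded-For right to left and stops at the first address that
    is not itself trusted; non-recursive mode takes only the rightmost entry."""
    if not xff or not _in_any(remote_addr, trusted):
        return remote_addr  # untrusted peer (or no header): the peer address is the client
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not recursive:
        return hops[-1]
    client = remote_addr
    for hop in reversed(hops):
        client = hop
        if not _in_any(hop, trusted):
            break
    return client

def ip_allowed(client_ip, allow):
    """What ip-restriction's allow list is checked against: the resolved client_ip, not the header."""
    return _in_any(client_ip, allow)

# Constructed values for the thread's scenario.
NODE_PEER = "192.168.2.67"    # what the posted log recorded as client_ip
REAL_CLIENT = "203.0.113.10"  # stands in for the masked a.b.c.d
STRANGER = "198.51.100.7"     # a peer outside the LB/node range, setting the header itself
ALLOW = [REAL_CLIENT]

def thread_cases():
    """client_ip Kong would derive under each trusted_ips setting."""
    return {
        "realip_off": resolve_client_ip(NODE_PEER, REAL_CLIENT, []),
        "trust_all": resolve_client_ip(NODE_PEER, REAL_CLIENT, ["0.0.0.0/0", "::/0"]),
        "trust_lb": resolve_client_ip(NODE_PEER, REAL_CLIENT, ["192.168.0.0/16"]),
        "stranger_trust_all": resolve_client_ip(STRANGER, REAL_CLIENT, ["0.0.0.0/0"]),
        "stranger_trust_lb": resolve_client_ip(STRANGER, REAL_CLIENT, ["192.168.0.0/16"]),
    }

if __name__ == "__main__":
    for name, ip in thread_cases().items():
        print(f"{name:20} client_ip={ip:14} allowed={ip_allowed(ip, ALLOW)}")
```

The "realip_off" case reproduces the posted log (client_ip stays 192.168.2.67 and the allow list rejects it); "trust_lb" shows that narrowing trusted_ips to the LB/node range still yields the real client while "stranger_trust_lb" shows a direct caller cannot pick its own client_ip.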