Proxy protocol in ELB, Kubernetes

Hi,

I spent the better part of the day trying to enable proxy protocol so I can see where requests are coming from. Proxy protocol is enabled on the ELB via a service annotation:

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'

In the Kong proxy logs I can see the IPs of my EKS workers being reported. Log follows:

10.128.95.165 - - [09/Oct/2019:20:12:12 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.117.220 - - [09/Oct/2019:20:12:12 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.91.240 - - [09/Oct/2019:20:12:12 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.80.217 - - [09/Oct/2019:20:12:13 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.75.179 - - [09/Oct/2019:20:12:13 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.108.247 - - [09/Oct/2019:20:12:14 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.107.239 - - [09/Oct/2019:20:12:14 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.95.159 - - [09/Oct/2019:20:12:15 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.116.164 - - [09/Oct/2019:20:12:15 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.95.165 - - [09/Oct/2019:20:12:15 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.76.72 - - [09/Oct/2019:20:12:16 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.117.220 - - [09/Oct/2019:20:12:16 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.91.240 - - [09/Oct/2019:20:12:17 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.80.217 - - [09/Oct/2019:20:12:17 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.95.159 - - [09/Oct/2019:20:12:18 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.108.247 - - [09/Oct/2019:20:12:18 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.74.173 - - [09/Oct/2019:20:12:18 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.107.239 - - [09/Oct/2019:20:12:19 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.95.165 - - [09/Oct/2019:20:12:19 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.108.247 - - [09/Oct/2019:20:12:20 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.91.240 - - [09/Oct/2019:20:12:20 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.80.217 - - [09/Oct/2019:20:12:21 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.107.239 - - [09/Oct/2019:20:12:21 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.108.247 - - [09/Oct/2019:20:12:22 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.116.164 - - [09/Oct/2019:20:12:22 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.74.238 - - [09/Oct/2019:20:12:23 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.95.159 - - [09/Oct/2019:20:12:23 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.117.220 - - [09/Oct/2019:20:12:23 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.75.179 - - [09/Oct/2019:20:12:24 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.128.76.72 - - [09/Oct/2019:20:12:24 +0000] "GET /ready HTTP/1.1" 200 16 "-" "curl/7.29.0"
^C

Kong is configured via environment variables as part of the Kong ingress Helm chart:

        - name: KONG_REAL_IP_HEADER
          value: proxy_protocol
        - name: KONG_REAL_IP_RECURSIVE
          value: "on"
        - name: KONG_ADMIN_LISTEN
          value: 0.0.0.0:8444
        - name: KONG_PROXY_LISTEN
          value: 0.0.0.0:8000 proxy_protocol,0.0.0.0:8443 proxy_protocol ssl
        - name: KONG_NGINX_DAEMON
          value: "off"

Is it possible to see the real source IP of the client?
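
An added example (not part of the original post, and not Kong's or nginx's code) showing how a PROXY protocol v1 header carries the client address, and the nginx realip rule that this address replaces the TCP peer only when the peer falls in a trusted range (`set_real_ip_from`, which Kong fills from its `trusted_ips` setting). The client address 203.0.113.7, the destination 10.128.0.10 and the 10.128.0.0/16 range are assumptions, and the function names are hypothetical.

```python
import ipaddress

def parse_proxy_v1(data):
    """Return (source_ip or None, remaining_bytes) for a stream that starts
    with a PROXY v1 line; raise ValueError when the header is malformed."""
    end = data.find(b"\r\n", 0, 107)  # a v1 header is at most 107 bytes
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":  # proxy reports no usable addresses
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])  # raises ValueError if not an IP
    ipaddress.ip_address(fields[3])        # destination must parse as well
    if not all(0 <= int(p) <= 65535 for p in fields[4:6]):
        raise ValueError("port out of range")
    return str(src), rest

def effective_client_ip(peer_ip, data, trusted_cidrs):
    """Address an access log should record: the PROXY source only when the
    TCP peer is inside a trusted range, otherwise the peer itself. Trusting
    every peer would let any host that can reach the port claim any address."""
    src, _ = parse_proxy_v1(data)
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in ipaddress.ip_network(c) for c in trusted_cidrs)
    return src if (trusted and src) else peer_ip

# Constructed sample: the peer is a worker address from the log above; the
# client and destination addresses in the header are assumptions.
SAMPLE = (b"PROXY TCP4 203.0.113.7 10.128.0.10 51234 8000\r\n"
          b"GET /ready HTTP/1.1\r\nHost: example\r\n\r\n")

if __name__ == "__main__":
    # No trusted ranges: the worker address is logged, as in the post.
    print(effective_client_ip("10.128.95.165", SAMPLE, []))
    # Worker range trusted (assumed CIDR): the header's source is logged.
    print(effective_client_ip("10.128.95.165", SAMPLE, ["10.128.0.0/16"]))
```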

