Real_ip_recursive config


#1

Hi All,

This is the definition of real_ip_recursive from the nginx docs,

If recursive search is disabled, the original client address that matches one of the trusted addresses is replaced by the last address sent in the request header field defined by the real_ip_header directive. If recursive search is enabled, the original client address that matches one of the trusted addresses is replaced by the last non-trusted address sent in the request header field.

I don’t quite get it. Can you please explain this possibly with an example.

Thanks,
Arun


#2

Sure, so this helps when dealing with something like the X-Forwarded-For header coming into Kong. What happens is that header is a list of IPs : 127.0.0.1,127.0.0.2,127.0.0.3 representing all the client hops the transaction took before reaching the gateway. the recursive directory lets you get the origin IP from this header is my understanding so 127.0.0.1 would be grabbed :slight_smile: . I could be wrong but that is my simple understanding.

Another important field around this would be to get the trusted_ips field:
https://docs.konghq.com/1.0.x/configuration/#trusted_ips I generally set this to:
0.0.0.0/0,::/0 which means trust all connections with the X-Forwarded-For values, but if you have a special IP you know that will be sending your traffic with the X-Forwarded-For header value(such as an official Load Balancer) you can trust, you can put that ip in this field as well.


#3

Hi Jeremy,

Thank you for getting back to me.

So if this was my Kong setup,

Scenario 1

trusted ips - 10.101.176.90/32
real_ip_header - X-Forwarded-For
real_ip_recursive - Off
Client/App (2.22.154.129) --> Load Balancer (10.101.176.90) -> Kong (127.0.0.1)

Scenario 2

trusted ips - 10.101.176.90/32
real_ip_header - X-Forwarded-For
real_ip_recursive - On
Client/App (2.22.154.129) --> Load Balancer (10.101.176.90) -> Kong (127.0.0.1)

What would be the difference?

And if the trusted ips was set to 0.0.0.0/0,::/0, then I am guessing real_ip_recursive has no effect at all?

Thanks,
Arun