diff --git a/examples/shared-examples/proxy-protocol/README.md b/examples/shared-examples/proxy-protocol/README.md index 636af955ce..901a3efde6 100644 --- a/examples/shared-examples/proxy-protocol/README.md +++ b/examples/shared-examples/proxy-protocol/README.md @@ -1,6 +1,7 @@ # PROXY Protocol Proxies and load balancers, such as HAProxy or ELB, can pass the client's information (the IP address and the port) to the next proxy or load balancer via the PROXY Protocol. To enable NGINX Ingress Controller to receive that information, use the `proxy-protocol` ConfigMaps configuration key as well as the `real-ip-header` and the `set-real-ip-from` keys. Once you enable the PROXY Protocol, it is enabled for every Ingress and VirtualServer resource. +**NOTE** TransportServer resource supports PROXY Protocol only when TLS Passthrough is enabled for the Ingress Controller. ## Syntax 
@@ -11,11 +12,15 @@ proxy-protocol: "True | False" Additionally, you must configure the following keys: * **real-ip-header**: Set its value to `proxy_protocol`. -* **set-real-ip-from**: Set its value to the IP address or the subnet of the proxy or the load balancer. See https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from +* **set-real-ip-from**: Set its value to the IP address or the subnet of the proxy or the load balancer. See [set-real-ip-from](https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from) ## Example -In the example below we configure the PROXY Protocol via a ConfigMaps resource. The IP address of the proxy which is in front of the Ingress Controller is `192.168.192.168`. +In the example below we configure the PROXY Protocol via a ConfigMaps resource. `set-real-ip-from` is set to `192.168.0.0/16`. This is the CIDR range of the proxy that sits in front of the Ingress Controller in this example. You can set this to `0.0.0.0/0` to trust all IPs. +After we create the ConfigMaps resource, the client's IP address is available via the `$remote_addr` variable in the NGINX configuration. +By default, NGINX Ingress Controller logs the value of this variable and also passes the value to the backend service in the `X-Real-IP` header. + +The default log format for NGINX is `'$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'` ```yaml kind: ConfigMap @@ -25,6 +30,5 @@ metadata: data: proxy-protocol: "True" real-ip-header: "proxy_protocol" - set-real-ip-from: "192.168.192.168" + set-real-ip-from: "192.168.0.0/16" ``` -After we create the ConfigMaps resource, in the NGINX configuration the client's IP address is available via the `$remote_addr` variable. By default, NGINX Ingress Controller logs the value of this variable and also passes the value to the backend service in the `X-Real-IP` header. 
diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl index f2e8b06d5b..9c5167fcdf 100644 --- a/internal/configs/version1/nginx-plus.tmpl +++ b/internal/configs/version1/nginx-plus.tmpl @@ -308,6 +308,11 @@ stream { listen 443{{if .ProxyProtocol}} proxy_protocol{{end}}; {{if not .DisableIPV6}}listen [::]:443{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + {{if .ProxyProtocol}} + {{range $setRealIPFrom := .SetRealIPFrom}} + set_real_ip_from {{$setRealIPFrom}};{{end}} + {{end}} + ssl_preread on; proxy_protocol on; diff --git a/internal/configs/version1/nginx.tmpl b/internal/configs/version1/nginx.tmpl index f2a308a246..9786d318ce 100644 --- a/internal/configs/version1/nginx.tmpl +++ b/internal/configs/version1/nginx.tmpl @@ -242,6 +242,12 @@ stream { listen 443{{if .ProxyProtocol}} proxy_protocol{{end}}; {{if not .DisableIPV6}}listen [::]:443{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + + {{if .ProxyProtocol}} + {{range $setRealIPFrom := .SetRealIPFrom}} + set_real_ip_from {{$setRealIPFrom}};{{end}} + {{end}} + ssl_preread on; proxy_protocol on;
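Review bot: the NOTE added to the README introduction is missing its articles and should read "The TransportServer resource supports the PROXY Protocol only when TLS Passthrough is enabled for the Ingress Controller." It would also help the reader to say that this is why the template changes below are confined to the TLS Passthrough `listen 443` stream server, and to link the TLS Passthrough documentation the way the `set-real-ip-from` bullet now links the realip module docs.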
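Review bot: the sentence "You can set this to `0.0.0.0/0` to trust all IPs" in the rewritten Example paragraph recommends an unsafe value without any warning. `set_real_ip_from` is the trust boundary of the realip module: NGINX replaces `$remote_addr` with the address carried in the PROXY header only when the connecting peer falls inside one of the listed ranges. With `0.0.0.0/0`, any host that can reach the listener directly (from inside the cluster network, or by bypassing the load balancer) can send a forged PROXY header and choose the value that lands in `$remote_addr`, in the access log line quoted in the same paragraph, and in the `X-Real-IP` header the README says is forwarded to the backend, so IP-based allow lists or rate limits keyed on that value become bypassable. Suggest rewording to: restrict the value to the addresses the proxy or load balancer actually connects from, and use `0.0.0.0/0` only when every network path to the listener passes through a trusted proxy. Two smaller points: `0.0.0.0/0` covers IPv4 peers only, so a deployment that keeps the `[::]:443` listener needs `::/0` as well if it really wants to trust everything; and "the CIDR range of the proxy" reads oddly, "the subnet the proxy's addresses come from" is clearer. "ConfigMaps resource" should be "ConfigMap resource" throughout.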
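Review bot: the `set_real_ip_from` block in both template hunks is gated on `.ProxyProtocol` but not on `.SetRealIPFrom` being non-empty, so `proxy-protocol: "True"` without `set-real-ip-from` renders a passthrough server with `listen 443 proxy_protocol` and `proxy_protocol on;` but no trusted range; `$remote_addr` then stays at the load balancer's address and the PROXY header NGINX emits toward the passthrough backend carries that address instead of the client's. The README states both keys are required, so either validate that combination when the ConfigMap is parsed or document that the client address is lost without it, rather than silently generating a config that drops it. The range values are copied verbatim from a user-controlled ConfigMap into the stream server block; if they are not already validated on the HTTP path, a malformed entry will fail `nginx -t` on the next reload, and reusing the existing check here is enough. Two style points: nginx.tmpl has an extra blank line before `{{if .ProxyProtocol}}` that nginx-plus.tmpl does not, and the `{{if}}`/`{{range}}` wrappers leave empty lines in the rendered server block; aligning the two hunks and trimming the whitespace with `{{- ... -}}` would keep the generated config consistent. Finally, in stream context this directive comes from ngx_stream_realip_module, so it is worth confirming the controller images are built with it.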