Skip to content

Set value of $remote_addr to client IP when TLSPassthrough and Proxy Protocol are enabled #3341

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Dec 9, 2022
Merged

Set value of $remote_addr to client IP when TLSPassthrough and Proxy Protocol are enabled #3341

merged 7 commits into from
Dec 9, 2022

Conversation

shaun-nx
Copy link
Contributor

@shaun-nx shaun-nx commented Dec 8, 2022
edited
Loading

Proposed changes

This change updates the nginx plus and open source templates to allow the set-real-ip-from directive to be set in the server block for the stream context when proxy_protocol is enabled.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@github-actions github-actions bot added the documentation Pull requests/issues for documentation label Dec 8, 2022
@codecov-commenter
Copy link

Codecov Report

Merging #3341 (89cc68b) into main (7e2397f) will not change coverage.
The diff coverage is n/a.

❗ Current head 89cc68b differs from pull request most recent head e81fa7f. Consider uploading reports for the commit e81fa7f to get more accurate results

@@           Coverage Diff           @@
##             main    #3341   +/-   ##
=======================================
  Coverage   51.56%   51.56%           
=======================================
  Files          60       60           
  Lines       16678    16678           
=======================================
  Hits         8600     8600           
  Misses       7788     7788           
  Partials      290      290

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@shaun-nx shaun-nx marked this pull request as ready for review December 8, 2022 10:16
@shaun-nx shaun-nx requested a review from a team as a code owner December 8, 2022 10:16
@shaun-nx shaun-nx changed the title Tls set real ip Set value of $remote_addr to client IP when TLSPassthrough and Proxy Protocol are enabled Dec 8, 2022
jjngx
jjngx approved these changes Dec 8, 2022
View reviewed changes
Copy link
Contributor

@jjngx jjngx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍🏻

@shaun-nx shaun-nx merged commit f3669ea into main Dec 9, 2022
@shaun-nx shaun-nx deleted the tls-set-real-ip branch December 9, 2022 16:33
@ydixken ydixken mentioned this pull request Jan 25, 2023
Closed
@ydixken
Copy link

ydixken commented Feb 6, 2023

Hi @coolbry95 - We actually asked the F5 Support for this change a couple of weeks ago. I've tested today for >10hrs and didn't get this feature working.

X-Real-IP remains unset / empty. I've confirmed this behaviour on our side with proxy_protocol enabled and disabled using a fairly default NGiNX as upstream backend (with self-signed certs) and a tool (without NGiNX, to rule the config there out) to just send all set request headers as a repsonse.

We're using the Ingress Controller with Helm, here's a part of our configuration:

apiVersion: charts.nginx.org/v1alpha1
kind: NginxIngress
metadata:
  name: nginx-ingress
spec:
  controller:
    affinity: {}
    appprotect:
      enable: true
    appprotectdos:
      debug: false
      enable: false
      maxDaemons: 0
      maxWorkers: 0
      memory: 0
    config:
      annotations: {}
      entries:
        set-real-ip-from: 10.0.0.0/16
    customPorts: []
    defaultTLS:
      secret: ""
    enableCertManager: false
    enableCustomResources: true
    enableLatencyMetrics: false
    enableOIDC: true
    includeYear: false
    enablePreviewPolicies: false
    enableSnippets: false
    enableTLSPassthrough: true
    extraContainers: []
    globalConfiguration:
      create: false
      spec: {}
    healthStatus: true
    healthStatusURI: /*redacted*-health
    hostNetwork: false
    image:
      pullPolicy: Always
      repository: image-registry.openshift-image-registry.svc:5000/*redacted*-services/nginx-plus-ingress
      tag: 3.0.1_s2023.01.26-1_t2023.02.01-1
    lifecycle: {}
    customConfigMap: ""
    ingressClass: nginx
    initContainers: []
    kind: deployment
    logLevel: 2
    nginxDebug: false
    nginxReloadTimeout: 60000
    nginxStatus:
      allowCidrs: 127.0.0.1
      enable: true
      port: 8080
    nginxplus: true
    nodeSelector: {}
    pod:
      annotations: {}
      extraLabels: {}
    priorityClassName: openshift-user-critical
    readyStatus:
      enable: true
      port: 8081
    replicaCount: 1
    reportIngressStatus: #review later
      annotations: {}
      enable: true
      enableLeaderElection: true
      ingressLink: ""
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
    service:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
      create: true
      customPorts: []
      externalIPs: []
      externalTrafficPolicy: Local
      extraLabels: {}
      httpPort:
        enable: true
        port: 80
        targetPort: 80
      httpsPort:
        enable: true
        port: 443
        targetPort: 443
      loadBalancerIP: ""
      loadBalancerSourceRanges: []
      name: nginx-ingress
      type: LoadBalancer
    serviceAccount:
      imagePullSecretName: ""
    setAsDefaultIngress: false
    terminationGracePeriodSeconds: 30
    tolerations: []
    volumeMounts: []
    volumes: []
    watchNamespace: ""
    wildcardTLS:
      secret: null
  nginxServiceMesh:
    enable: false
    enableEgress: false
  prometheus:
    create: true
    port: 9113
    scheme: http
    secret: ""
  disableIPV6: false
  rbac:
    create: true

For the Upstream:

apiVersion: v1
data:
  nginx.conf: |
    #
    # see:
    #       https://gist.github.com/WhisperingChaos/033699f3b8d0df89ac50ab185b8628b4
    #

    error_log stderr debug;

    events {
            # nginx requires this section even when applying all default values
    }

    http {

            # Upstream keyword is followed by a URL (domain name/IP). This reference
            # encapsulates the list of back-end servers defined for a virtual proxy.
            # When authenticating a certificate from a back-end server, the upstream
            # URL is supplied to the certificate authentication process instead of the
            # back-end server name. See the comments associated with proxy_pass below
            # for a detailed discussion.
            upstream httpd-testapp {
                    server localhost:8080;
            }

            server {

                    server_name tls-proxy;
                    listen 8443 ssl proxy_protocol;
                    #listen 8443 ssl; # same behaviour


                    ssl_certificate /var/run/secrets/tls-proxy/proxy.crt;
                    ssl_certificate_key /var/run/secrets/tls-proxy/proxy.key;

                    # limit protocols
                    proxy_ssl_protocols TLSv1.2 TLSv1.3;
                    proxy_ssl_ciphers HIGH:!aNULL:!MD5;

                    ssl_client_certificate /var/run/secrets/tls-proxy/ca.crt;
                    ssl_verify_client on;

                    location / {
                      #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                            proxy_set_header X-Remote $remote_addr;
                            proxy_set_header Host $http_host;
                            proxy_set_header X-Forwarded-Proto https;
                            proxy_redirect off;
                            proxy_pass http://httpd-testapp;
                            proxy_ssl_verify off;
                    }
            }
    }
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: nginx

Transport Server:

apiVersion: k8s.nginx.org/v1alpha1
kind: TransportServer
metadata:
  name: hello-app
  annotations:
    k8s.nginx.org/server-tokens: "test/nginx"
spec:
  ingressClassName: "nginx"
  listener:
    name: tls-passthrough
    protocol: TLS_PASSTHROUGH
  host: nginx-test.apps.test.*redacted*.cloud.*redacted* 
  upstreams:
  - name: hello-app-upstream
    service: hello-app
    port: 443
  action:
    pass: hello-app-upstream

Is there any additional configuration needed that I'm missing?

Kind regards,
Yannick

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ciarams87 ciarams87 ciarams87 approved these changes

@jjngx jjngx jjngx approved these changes

@lucacome lucacome Awaiting requested review from lucacome lucacome was automatically assigned from nginxinc/kic

@haywoodsh haywoodsh Awaiting requested review from haywoodsh haywoodsh was automatically assigned from nginxinc/kic

Assignees
No one assigned
Labels
documentation Pull requests/issues for documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@shaun-nx @codecov-commenter @ydixken @ciarams87 @jjngx @haywoodsh