Preserving remote client IP with Ingress
Problem description
My goal is to make my web application (deployed on Kubernetes 1.4 cluster) see the IP of the client that originally made the HTTP request. As I'm planning to run the application on a bare-metal cluster, GCE and the service.alpha.kubernetes.io/external-traffic: OnlyLocal service annotation introduced in 1.4 is not applicable for me.
Looking for alternatives, I've found this question which is proposing to set up an Ingress to achieve my goal. So, I've set up the Ingress and the Nginx Ingress Controller. The deployment went smoothly and I was able to connect to my web app via the Ingress Address and port 80. However, in the logs I still see a cluster-internal IP (from the 172.16.0.0/16 range) - and that means that the external client IPs are not being properly passed via the Ingress. Could you please tell me what I need to configure in addition to the above to make it work?
My Ingress configuration:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myWebApp
spec:
  backend:
    serviceName: myWebApp
    servicePort: 8080
Recommended answer
As a layer 4 proxy, Nginx cannot retain the original source IP address in the actual IP packets. You can work around this using the Proxy protocol (the link points to the HAProxy documentation, but Nginx also supports it).
For this to work however, the upstream server (meaning the myWebApp service in your case) also needs to support this protocol. In case your upstream application also uses Nginx, you can enable proxy protocol support in your server configuration as documented in the official documentation.
According to the Nginx Ingress Controller's documentation, this feature can be enabled in the Ingress Controller using a Kubernetes ConfigMap:
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-ingress-controller
data:
  use-proxy-protocol: "true"
Specify the name of the ConfigMap in your Ingress controller manifest, by adding the --nginx-configmap=<insert-configmap-name> flag to the command-line arguments.
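An added example, not part of the original answer or of any project's code: what the upstream application has to do once use-proxy-protocol is enabled, shown as a Python parser for the text (version 1) PROXY header. The trusted range 172.16.0.0/16 is taken from the question; the function name client_ip and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: only peers in the cluster-internal range from the question
# (the ingress controller) may send a PROXY header to the application.
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.0.0/16")]
MAX_V1_HEADER = 107  # longest version 1 line including CRLF, per the spec


def client_ip(peer_ip, data):
    """Return (client_ip, remaining_bytes) for the first bytes of a connection.

    peer_ip is the TCP peer address, data is what was first read from the socket.
    """
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in net for net in TRUSTED_PROXIES)
    if not data.startswith(b"PROXY "):
        if trusted:
            raise ValueError("trusted proxy sent no PROXY header")
        return str(peer), data
    if not trusted:
        # A header from anyone else is an unverified claim about the source.
        raise ValueError("PROXY header from untrusted peer")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("unterminated or oversized PROXY header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return str(peer), rest  # proxy could not determine the client
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol field")
    for port in fields[4:]:
        if not port.isdigit() or not 0 <= int(port) <= 65535:
            raise ValueError("bad port")
    return str(src), rest


if __name__ == "__main__":
    # Constructed sample: header as an ingress pod at 172.16.3.7 would send it.
    sample = b"PROXY TCP4 203.0.113.9 172.16.5.2 51234 8080\r\nGET / HTTP/1.1\r\n"
    print(client_ip("172.16.3.7", sample))
```

The header is accepted only from the trusted range because the application otherwise logs whatever source address the connecting peer writes into it.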