Discussion about this post

endzyme:

Here's a thing that appears to have worked with some testing.

ingress-nginx configured to use `enable-real-ip: "true"` in conjunction with `forwarded-for-header: "Cloudfront-Viewer-Address"` (chart values settings which make their way into the ConfigMap on cluster)

These settings appear to consistently yield the correctly logged client IP, and you don't have to mess with `proxy-real-ip-cidr: "cloudfrontIPs,commaseparated"`.

If you look through the https://nginx.org/en/docs/http/ngx_http_realip_module.html docs you'll see: "The ngx_http_realip_module module is used to change the client address and optional port to those sent in the specified header field." -- This appears to parse things correctly and the logs both on ingress-nginx (for `addr`) and downstream services get the right client IP.

I haven't dug into the nginx.conf to see what the controller is actually writing into config to make this work reliably, but it's worth noting that your "Origin request policy" must be set up to either "exclude" x-forwarded-for -- or -- to "include" Cloudfront-Viewer-Address. It's also worth noting that when Cloudfront-Viewer-Address was not in the request header, the behavior appears to revert to trusting X-Forwarded-For if it's in the request header (which can be dangerous).

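The comment above describes a precedence (use `Cloudfront-Viewer-Address` when present, otherwise fall back to `X-Forwarded-For`) and warns that the fallback is dangerous when any peer can set that header. The block below is an added example, written for this page and not the commenter's code nor ingress-nginx's real implementation: it models that precedence as a small Python function, parses the `ip:port` form of `Cloudfront-Viewer-Address`, and shows how gating both headers on the TCP peer being in a trusted proxy range (the job `proxy-real-ip-cidr` does) neutralises a spoofed `X-Forwarded-For`. Assumptions: the bracketed `[addr]:port` form for IPv6 viewers, and the documentation ranges `203.0.113.0/24` (standing in for a CloudFront egress range), `198.51.100.0/24` (an arbitrary internet host) and `192.0.2.0/24` (a real viewer) are constructed sample data.

```python
"""Model of the client-IP decision described in the comment above.
Illustration only: not ingress-nginx's or nginx's real-ip module code."""
import ipaddress
from typing import Dict, Iterable, Mapping, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_viewer_address(value: str) -> IPAddress:
    """Parse a CloudFront-Viewer-Address value into an address.

    CloudFront sends "ip:port" for IPv4 viewers (e.g. 198.51.100.10:46532).
    Assumption: IPv6 viewers arrive as "[addr]:port"; a bare literal without
    a port is accepted too. Junk raises ValueError so the caller can fall
    back to the peer address instead of logging garbage.
    """
    value = value.strip()
    port = None
    if value.startswith("["):
        host, sep, rest = value[1:].partition("]")
        if not sep or not rest.startswith(":"):
            raise ValueError(f"malformed bracketed address: {value!r}")
        port = rest[1:]
    elif value.count(":") == 1:          # IPv4 with a port suffix
        host, _, port = value.partition(":")
    else:                                # bare IPv4 or bare IPv6 literal
        host = value
    if port is not None and not (port.isdigit() and 0 <= int(port) <= 65535):
        raise ValueError(f"bad port in {value!r}")
    return ipaddress.ip_address(host)    # raises ValueError on non-addresses


def parse_xff(value: str) -> IPAddress:
    """Leftmost X-Forwarded-For entry, i.e. the *claimed* original client.

    Anyone who can reach the listener directly can write this header, so the
    value only means something when the immediate peer is a proxy we trust.
    """
    return ipaddress.ip_address(value.split(",")[0].strip())


def resolve_client_ip(peer_ip: str, headers: Mapping[str, str],
                      trusted_proxies: Iterable[str]) -> Tuple[str, str]:
    """Return (client_ip, reason) for one request.

    Precedence follows the comment: Cloudfront-Viewer-Address first, then
    X-Forwarded-For. Both headers are honoured only if the TCP peer lies in
    trusted_proxies. Passing ["0.0.0.0/0", "::/0"] trusts every peer and
    reproduces the dangerous fallback the comment warns about.
    """
    peer = ipaddress.ip_address(peer_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    if not any(peer in n for n in nets):   # version mismatch is simply False
        return str(peer), "peer not a trusted proxy; headers ignored"
    h = {k.lower(): v for k, v in headers.items()}
    if "cloudfront-viewer-address" in h:
        try:
            return (str(parse_viewer_address(h["cloudfront-viewer-address"])),
                    "cloudfront-viewer-address")
        except ValueError:
            return str(peer), "malformed cloudfront-viewer-address; kept peer"
    if "x-forwarded-for" in h:
        try:
            return str(parse_xff(h["x-forwarded-for"])), "x-forwarded-for fallback"
        except ValueError:
            return str(peer), "malformed x-forwarded-for; kept peer"
    return str(peer), "no forwarding header; kept peer"


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed requests: a genuine CloudFront-forwarded one and a direct
    hit on the ingress that carries a spoofed X-Forwarded-For."""
    cloudfront_nets = ["203.0.113.0/24"]        # assumed CloudFront egress range
    everyone = ["0.0.0.0/0", "::/0"]            # trust every peer
    legit = {"CloudFront-Viewer-Address": "192.0.2.44:51234",
             "X-Forwarded-For": "192.0.2.44"}
    spoof = {"X-Forwarded-For": "10.0.0.1"}     # no viewer header, forged XFF
    return {
        "legit_strict": resolve_client_ip("203.0.113.7", legit, cloudfront_nets),
        "spoof_permissive": resolve_client_ip("198.51.100.9", spoof, everyone),
        "spoof_strict": resolve_client_ip("198.51.100.9", spoof, cloudfront_nets),
    }


if __name__ == "__main__":
    for name, (ip, why) in demo().items():
        print(f"{name:17s} -> {ip:15s} ({why})")
```

With the "trust everyone" set, the direct request is logged as `10.0.0.1`, which is exactly the fallback the comment calls dangerous; restricting trust to the CloudFront range makes the same request resolve to the real peer `198.51.100.9`. The same gating is what a `proxy-real-ip-cidr` list limited to CloudFront's published ranges buys you on the ingress-nginx side, independent of which header `forwarded-for-header` names.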
