ingress-nginx: Whitelist-source-range not working properly with PROXY protocol
BUG REPORT (Ref: https://github.com/kubernetes/ingress-nginx/issues/4305 reopened)
NGINX Ingress controller version: 0.25.0, 0.25.1, 0.26.1 (tested since then)
Kubernetes version (use kubectl version): 1.13.6 (and 1.12.7)
- Cloud provider or hardware configuration: AWS + ELB
- OS (e.g. from /etc/os-release): Debian GNU/Linux 9 (stretch)
- Kernel (e.g. uname -a): 4.9.0-7-amd64
- Install tools: helm
- Others:
The configuration is simple: AWS, ELB in front of Nginx
Kubernetes installed with KOPS
Installed with helm with this configuration:
"use-proxy-protocol": "true"
"whitelist-source-range": "<list of offices ips>"
What happened: I updated an nginx-ingress on a test cluster from v0.24.1 to 0.25.0 with helm. With version 0.24.1 it works fine; with 0.25.0 (and all open-resty versions) I get a 403 if I try to access the dashboard.
Workaround: configure “proxy-real-ip-cidr”: “0.0.0.0/0” (but I feel this solution is really wrong).
What you expected to happen: Nothing, only the update of Nginx
How to reproduce it (as minimally and precisely as possible): Update the nginx-ingress
About this issue
- State: closed
- Created 5 years ago
- Comments: 46 (17 by maintainers)
/remove-triage needs-information
/triage accepted
/priority important-soon
/kind bug
/assign @tao12345666333
@iamNoah1 I made up my mind to do it but I haven’t found the time yet.
Hey @ElvinEfendi ,
as I understood @pierluigilenoci, this is what he did initially.
Specify the public ELB IPs “proxy-real-ip-cidr”: “52.20.5.1/32,52.20.5.2/32” (random IP for this example)
This did not work and resulted in 403 for requests.
As a workaround he is now using “proxy-real-ip-cidr”: “0.0.0.0/0” but it would be a lot better to use the specific IPs of the ELBs again.
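A simplified model of how a trusted-proxy range (nginx `set_real_ip_from`, which `proxy-real-ip-cidr` feeds) interacts with a source-range allowlist when the client address comes from the PROXY protocol header. This is an added example, not code from ingress-nginx or from the thread, and it does not reproduce the regression itself. All addresses except the two /32s quoted above are constructed, and the address the load balancer connects from is an assumption.

```python
import ipaddress


def in_any(addr, cidrs):
    """True if addr falls inside at least one of the CIDR strings."""
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def effective_client_ip(peer_ip, proxy_protocol_src, trusted_cidrs):
    """Model of nginx realip with `real_ip_header proxy_protocol`:
    the PROXY-header source replaces the TCP peer address only when
    the peer itself is inside a trusted range (set_real_ip_from)."""
    peer = ipaddress.ip_address(peer_ip)
    if in_any(peer, trusted_cidrs):
        return ipaddress.ip_address(proxy_protocol_src)
    return peer


def status(peer_ip, proxy_protocol_src, trusted_cidrs, whitelist):
    """200 if the effective client address is in the allowlist, else 403."""
    client = effective_client_ip(peer_ip, proxy_protocol_src, trusted_cidrs)
    return 200 if in_any(client, whitelist) else 403


# Constructed sample values; only ELB_PUBLIC is quoted from the thread.
OFFICE_RANGE = ["203.0.113.0/24"]   # stands in for "<list of offices ips>"
OFFICE_CLIENT = "203.0.113.10"      # address carried in the PROXY header
LB_PEER = "10.0.12.34"              # assumed address the LB connects from
LB_RANGE = ["10.0.0.0/16"]          # assumed range covering LB_PEER
ELB_PUBLIC = ["52.20.5.1/32", "52.20.5.2/32"]
OTHER_PEER = "198.51.100.7"         # a peer that is not the load balancer


def demo():
    return {
        "public ELB /32s trusted": status(LB_PEER, OFFICE_CLIENT, ELB_PUBLIC, OFFICE_RANGE),
        "0.0.0.0/0 trusted": status(LB_PEER, OFFICE_CLIENT, ["0.0.0.0/0"], OFFICE_RANGE),
        "LB source range trusted": status(LB_PEER, OFFICE_CLIENT, LB_RANGE, OFFICE_RANGE),
        # With 0.0.0.0/0 the header is believed from any peer, not only the LB.
        "0.0.0.0/0, non-LB peer": status(OTHER_PEER, OFFICE_CLIENT, ["0.0.0.0/0"], OFFICE_RANGE),
        "LB source range, non-LB peer": status(OTHER_PEER, OFFICE_CLIENT, LB_RANGE, OFFICE_RANGE),
    }


if __name__ == "__main__":
    for case, code in demo().items():
        print(f"{code}  {case}")
```

In this model the trusted range has to cover the address the load balancer actually connects from; a range that misses it leaves the allowlist comparing against the load balancer's own address.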