I have the following K8S setup:
Cloudflare -> Digital Ocean Load Balancer -> Nginx Ingress -> Nginx Container
Based on my answer to this question, everything works fine up to the Nginx Ingress;
here I get the correct IP of the user.
But inside the Nginx container the IP is set to the service IP.
I restored it by using:
set_real_ip_from 0.0.0.0/0;
real_ip_header X-Forwarded-For;
But I don’t trust this line: set_real_ip_from 0.0.0.0/0;
because it is from any IP; I can’t get the CIDR of the ingress service.
My question: is there a better way to restore the client IP inside the nginx container when requests are coming from the Ingress Service?
2 Answers
If you can read the headers forwarded by Cloudflare, a proxied request will include the CF-Connecting-IP header, which will contain the IP of the client that connected to Cloudflare in the first place. (docs)
There is no better way to restore the client IP.
However, you should only allow Cloudflare's IP address ranges with set_real_ip_from, as described here (note that the German version of this example is much better than the English): https://support.cloudflare.com/hc/de/articles/200170786-Wiederherstellen-von-urspr%C3%BCnglichen-Besucher-IPs-Protokollieren-von-Besucher-IP-Adressen-mit-mod-cloudflare-
The list of ip address ranges may change from time to time. It can be found here:
https://www.cloudflare.com/ips/
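An added example, not part of the question or the answers: a simplified Python model of how nginx's realip module picks the client address from X-Forwarded-For, comparing set_real_ip_from 0.0.0.0/0 with narrow trusted ranges. The pod CIDR, the 203.0.113.0/24 range standing in for one Cloudflare range, and every address and header value are constructed assumptions; the model covers only set_real_ip_from and real_ip_recursive.

```python
import ipaddress

def resolve_real_ip(peer, xff, trusted_cidrs, recursive=False):
    """Simplified model of nginx realip with real_ip_header X-Forwarded-For.

    peer          -- address of the TCP connection nginx sees
    trusted_cidrs -- the set_real_ip_from values
    recursive     -- the real_ip_recursive setting
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not trusted(peer) or not hops:
        return peer                 # header ignored, peer address kept
    if not recursive:
        return hops[-1]             # last address in the header
    for hop in reversed(hops):      # walk right to left
        if not trusted(hop):
            return hop              # last non-trusted address
    return hops[0]                  # every hop trusted: leftmost wins

# Constructed sample values (documentation ranges, not real infrastructure).
POD_CIDR = "10.244.0.0/16"          # assumed cluster pod network
EDGE_CIDR = "203.0.113.0/24"        # placeholder for one Cloudflare range
INGRESS_POD = "10.244.1.7"
OTHER_SENDER = "192.0.2.50"         # a sender that is not the ingress
# Leftmost entry is client-supplied; the rest were appended by proxies.
XFF = "192.0.2.99, 198.51.100.23, 203.0.113.10"

def demo():
    return {
        "any_sender_trusted": resolve_real_ip(OTHER_SENDER, "192.0.2.99", ["0.0.0.0/0"]),
        "any_recursive": resolve_real_ip(INGRESS_POD, XFF, ["0.0.0.0/0"], True),
        "narrow_other_sender": resolve_real_ip(OTHER_SENDER, "192.0.2.99", [POD_CIDR]),
        "narrow_recursive": resolve_real_ip(INGRESS_POD, XFF, [POD_CIDR, EDGE_CIDR], True),
    }

if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:22} -> {ip}")
```

With 0.0.0.0/0 the header value is accepted from any sender, while the narrow ranges keep the peer address for senders outside them and stop at the first hop that is not a trusted proxy.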