如何从GKE中的Nginx入口负载均衡器获得真实客户端IP?根据在线资源,我已经配置了外部流量策略:本地和添加使用代理协议:"真";财产。
但是,我仍然在日志中看到GKE节点IP/接口,而不是真正的客户端IP。
我的负载平衡器服务->
Name: ingress-nginx-controller
Namespace: ingress-nginx
Labels: app.kubernetes.io/component=controller
app.kubernetes.io/instance=ingress-nginx
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=ingress-nginx
app.kubernetes.io/version=0.41.2
helm.sh/chart=ingress-nginx-3.10.1
Annotations: networking.gke.io/load-balancer-type: Internal
Selector: app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx
Type: LoadBalancer
IP Family Policy: SingleStack
IP Families: IPv4
IP: xx.xxx.xx.xx
IPs: xx.xx.xxx.xx
LoadBalancer Ingress: xx.xx.xx.xx
Port: http 80/TCP
TargetPort: http/TCP
NodePort: http 32118/TCP
Endpoints: xx.x.xx.xx:80
Port: https 443/TCP
TargetPort: https/TCP
NodePort: https 31731/TCP
Endpoints: xx.x.xx.xxx:443
Session Affinity: None
External Traffic Policy: Local
HealthCheck NodePort: 30515
我的配置映射->
apiVersion: v1
data:
access-log-path: /var/log/nginx-logs/access.log
compute-full-forwarded-for: "true"
enable-real-ip: "true"
enable-underscores-in-headers: "true"
error-log-path: /var/log/nginx-logs/error.log
large-client-header-buffers: 4 64k
log-format-upstream: $remote_addr - $request_id - [$proxy_add_x_forwarded_for] -
$remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer"
"$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr
$upstream_response_length $upstream_response_time $upstream_status
proxy-read-timeout: "240"
proxy-send-timeout: "240"
real-ip-header: proxy_protocol
use-forwarded-headers: "true"
use-proxy-protocol: "true"
我尝试使用以下nginxConfigMap:
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.5.1
name: ingress-nginx-controller
namespace: ingress-nginx
data:
allow-snippet-annotations: "true"
enable-real-ip: "true"
use-forwarded-headers: "true"
proxy-real-ip-cidr: "<pods_cidr>,<services_cidr>,<load_balance_ip>/32"
use-proxy-protocol: "false"
并在nginx Service上添加了分配负载平衡的语句externalTrafficPolicy: Local
:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.5.1
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
externalTrafficPolicy: Local
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: LoadBalancer
loadBalancerIP: <load_balance_ip>
我没有成功。然后,我还尝试使用以下ConfigMap配置ip-masq-agent:
apiVersion: v1
kind: ConfigMap
metadata:
name: ip-masq-agent
namespace: kube-system
data:
config: |
nonMasqueradeCIDRs:
- <load_balance_ip>/32
- <pods_cidr>
- <services_cidr>
masqLinkLocal: false
resyncInterval: 30s
因此,我删除了DaemonSetip-masq-agent,gke自动重新创建了它。
之后,我让我的gke集群按预期工作。
您可以在gke访问上找到有关ip-masq-agent的更多信息https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent
你好吗?
此外,您还需要在Kubernetes规范上设置这一点:
externalTrafficPolicy: Local
例如,
apiVersion: v1
kind: Service
metadata:
name: example-service
spec:
selector:
app: example
ports:
- port: 8765
targetPort: 9376
externalTrafficPolicy: Local
type: LoadBalancer
因此,您可以在Nginx设置中使用以下内容:
use-proxy-protocol: "false"
enable-real-ip: "true"
use-forwarded-headers: "true"
proxy-real-ip-cidr: "YOUR-LB-IP/32"
PLUS
如果你想强制HTTPS重定向,那么你可以根据需要在Nginx设置中设置:
force-ssl-redirect: "true"
继续阅读https://cloud.google.com/kubernetes-engine/docs/how-to/service-parameters#externalTrafficPolicy