
Enabling enable-ssl-passthrough breaks client IP (all clients are 127.0.0.1)

NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):


NGINX Ingress controller
  Release:       v1.1.0
  Build:         cacbee86
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.19.9


Kubernetes version (use kubectl version):

Server Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.2+k3s2", GitCommit:"3f5774b41eb475eb10c93bb0ce58459a6f777c5f", GitTreeState:"clean", BuildDate:"2021-10-05T20:29:33Z", GoVersion:"go1.16.8", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: Limestone Networks Bare Metal Cloud

  • OS (e.g. from /etc/os-release): Ubuntu 20.04

  • Kernel (e.g. uname -a): 5.4.0-90-generic #101-Ubuntu

  • Install tools:

    • Please mention how/where the cluster was created (kubeadm/kops/minikube/kind etc.): k3s
  • How was the ingress-nginx-controller installed:

    • If helm was used then please show output of helm ls -A | grep -i ingress

      ingress-nginx-ingress-nginx-private   ingress-nginx   4   2021-12-19 05:48:37.258964116 +0000 UTC   deployed   ingress-nginx-4.0.13   1.1.0

    • If helm was used then please show output of helm -n <ingresscontrollernamepspace> get values <helmreleasename>

USER-SUPPLIED VALUES:
controller:
  electionID: ingress-controller-private-leader
  extraArgs:
    enable-ssl-passthrough: ""
  ingressClassResource:
    controllerValue: k8s.io/ingress-nginx-private
    default: true
    name: nginx-private
  replicaCount: 2
  service:
    annotations:
      purelb.io/service-group: private-pool
    externalTrafficPolicy: Local

What happened: Prior to enabling "enable-ssl-passthrough", access IPs are reflected correctly in the ingress controller logs, and features like whitelist-source-range work as expected. After enabling enable-ssl-passthrough, client IPs are always shown as 127.0.0.1 in the nginx logs and ingresses using whitelist-source-range stop working as expected. Note that this occurs on all ingresses regardless of whether SSL passthrough is enabled on the ingress. To reproduce, simply enable the SSL passthrough feature on the controller.

Before:

ingress-nginx-ingress-nginx-private-controller-698f69fd7f-ts5rc controller 10.3.0.66 - - [19/Dec/2021:17:26:20 +0000] "GET / HTTP/2.0" 200 786 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" 22 0.001 [kube-system-kube-system-kubernetes-dashboard-443] [] 192.168.73.41:8443 786 0.000 200 4d19abd96b2a62d04d74906ecd1ccdac

After:

ingress-nginx-ingress-nginx-private-controller-6f945d6d84-4j9fw controller 2021/12/19 17:23:10 [error] 576#576: *18182 access forbidden by rule, client: 127.0.0.1, server: dashboard.k8s.domain.net, request: "GET / HTTP/2.0", host: "dashboard.k8s.domain.net"

How to reproduce it: Add --enable-ssl-passthrough to the controller command line and then all client IPs will show up as 127.0.0.1 in nginx.
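The symptom described in this issue matters beyond logging: once every request arrives as 127.0.0.1, an IP-based `whitelist-source-range` no longer sees real client addresses, and anyone who "fixes" the resulting denials by adding 127.0.0.1 to the range would admit every client. The following script is an added example, not code from ingress-nginx or from the reporter. It parses the two log shapes quoted above (the default access-log line and the nginx "access forbidden by rule" error line, both as they appear in `kubectl logs` output), reports what share of observed client addresses are loopback, and evaluates a `whitelist-source-range` value against the addresses nginx actually saw. The sample log lines are the two from this issue plus one constructed variant; the function and variable names are my own.

```python
"""Check ingress-nginx logs for the 'all clients are loopback' symptom and
evaluate what a whitelist-source-range would do against the observed clients.

Added example for this issue; not part of ingress-nginx."""
import ipaddress
import re

# Default ingress-nginx access-log format begins with
#   $remote_addr - $remote_user [$time_local] "$request" $status ...
# `kubectl logs` may prefix the line with the pod and container name, so we
# search rather than anchor at the start of the line.
ACCESS_RE = re.compile(
    r'(?P<client>\S+) - \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)
# nginx error-log line emitted when whitelist-source-range denies a request.
ERROR_RE = re.compile(
    r'access forbidden by rule, client: (?P<client>[^,]+), server: (?P<server>[^,]+),'
)


def extract_clients(lines):
    """Return a list of (ip_address, kind) tuples, kind being 'access' or 'error'.
    Lines that do not carry a parseable client address are skipped."""
    found = []
    for line in lines:
        match = ERROR_RE.search(line) or ACCESS_RE.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group("client"))
        except ValueError:
            continue  # matched text was not an IP literal (e.g. a hostname)
        found.append((ip, "error" if match.re is ERROR_RE else "access"))
    return found


def loopback_share(lines):
    """Fraction of parsed client addresses that are loopback (127.0.0.0/8, ::1).
    Anything near 1.0 on an external-facing controller means nginx is not
    seeing real client addresses, as in this issue."""
    ips = [ip for ip, _ in extract_clients(lines)]
    if not ips:
        return 0.0
    return sum(1 for ip in ips if ip.is_loopback) / len(ips)


def parse_ranges(whitelist_source_range):
    """Parse the comma-separated CIDR list used by the
    nginx.ingress.kubernetes.io/whitelist-source-range annotation."""
    return [ipaddress.ip_network(c.strip()) for c in whitelist_source_range.split(",") if c.strip()]


def allowlist_verdicts(lines, whitelist_source_range):
    """Map each observed client address to True/False: would this range admit it?"""
    nets = parse_ranges(whitelist_source_range)
    verdicts = {}
    for ip, _ in extract_clients(lines):
        verdicts[str(ip)] = any(ip in net for net in nets if net.version == ip.version)
    return verdicts


def allowlist_covers_loopback(whitelist_source_range):
    """True if the range admits 127.0.0.1 or ::1. In the broken state described
    in this issue such a range admits every client, so it is worth flagging."""
    nets = parse_ranges(whitelist_source_range)
    for probe in (ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")):
        if any(probe in net for net in nets if net.version == probe.version):
            return True
    return False


# Sample input: the two lines quoted in the issue plus one constructed access line.
BEFORE_LOGS = [
    'ingress-nginx-ingress-nginx-private-controller-698f69fd7f-ts5rc controller 10.3.0.66 - - '
    '[19/Dec/2021:17:26:20 +0000] "GET / HTTP/2.0" 200 786 "-" "Mozilla/5.0" 22 0.001 '
    '[kube-system-kube-system-kubernetes-dashboard-443] [] 192.168.73.41:8443 786 0.000 200 4d19abd96b2a62d04d74906ecd1ccdac',
    # constructed line: a second client on the same subnet
    'ingress-nginx-ingress-nginx-private-controller-698f69fd7f-ts5rc controller 10.3.0.67 - - '
    '[19/Dec/2021:17:26:21 +0000] "GET /api HTTP/2.0" 200 120 "-" "curl/7.68.0" 10 0.001 '
    '[kube-system-kube-system-kubernetes-dashboard-443] [] 192.168.73.41:8443 120 0.000 200 0000000000000000000000000000beef',
]
AFTER_LOGS = [
    'ingress-nginx-ingress-nginx-private-controller-6f945d6d84-4j9fw controller 2021/12/19 17:23:10 '
    '[error] 576#576: *18182 access forbidden by rule, client: 127.0.0.1, server: dashboard.k8s.domain.net, '
    'request: "GET / HTTP/2.0", host: "dashboard.k8s.domain.net"',
]

if __name__ == "__main__":
    allow = "10.3.0.0/24"
    print("loopback share before:", loopback_share(BEFORE_LOGS))
    print("loopback share after: ", loopback_share(AFTER_LOGS))
    print("verdicts before:", allowlist_verdicts(BEFORE_LOGS, allow))
    print("verdicts after: ", allowlist_verdicts(AFTER_LOGS, allow))
    print("range admits loopback?", allowlist_covers_loopback(allow + ",127.0.0.1/32"))
```

Run it against real output with something like `kubectl logs -n <namespace> <controller-pod>` piped into a file and passed to `extract_clients`; a loopback share close to 1.0 reproduces the state this issue describes, and `allowlist_covers_loopback` catches the tempting but dangerous workaround of adding 127.0.0.1 to the allowlist.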