Enable Proxy Protocol for the NGINX Ingress Controller and Loadbalancer
The Proxy Protocol is a network protocol designed to maintain the original IP address of a client when its TCP connection is routed through a proxy. Without this protocol, proxies would not retain this information as they function as intermediaries for the client, transmitting messages to the server while substituting the client’s IP address with their own.
Enable Proxy Protocol for the Loadbalancer with TCP mode (Layer 4):
Edit the ingress controller service:
kubectl edit service -n <namespace> <service-name>
Add these annotations to the manifest as the following snippet:
service.beta.kubernetes.io/gs-loadbalancer-mode: tcp service.beta.kubernetes.io/gs-loadbalancer-proxy-protocol: v2
Enable Proxy Protocol for the NGINX Ingress Controller
Official documentation for the NGINX Ingress Controller proxy-protocol.
Edit the ConfigMap of the ingress controller:
kubectl edit configmap -n <namespace> <configmap-name>
use-proxy-protocol: "true" to the data section as the following snippet:
apiVersion: v1 data: allow-snippet-annotations: "true" use-proxy-protocol: "true" kind: ConfigMap
Ingress controller errors
broken header: " " while reading PROXY protocoloccurs:
- when proxy protocol is enabled in the ingress controller but not enabled in the loadbalancer.
- when the request does not go through the loadbalancer if the proxy protocol is already enabled in the lodabalancer. For example, a k8s service issues a request to a public ingress, the request will not be routed though the loadbalancer.
Allow traffic from specific IPs or CIDRs
when proxy-protocol is enabled the
nginx.ingress.kubernetes.io/whitelist-source-range Ingress annotation can be used to allow the traffic only from specific IPs or CIDRs.