Enable Proxy Protocol for the NGINX Ingress Controller and Loadbalancer

The Proxy Protocol is a network protocol designed to maintain the original IP address of a client when its TCP connection is routed through a proxy. Without this protocol, proxies would not retain this information as they function as intermediaries for the client, transmitting messages to the server while substituting the client’s IP address with their own.

Enable Proxy Protocol for the Loadbalancer with TCP mode (Layer 4):

Edit the ingress controller service:

kubectl edit service -n <namespace> <service-name>

Add these annotations to the manifest as the following snippet:

service.beta.kubernetes.io/gs-loadbalancer-mode: tcp
service.beta.kubernetes.io/gs-loadbalancer-proxy-protocol: v2

Enable Proxy Protocol for the NGINX Ingress Controller

Official documentation for the NGINX Ingress Controller proxy-protocol.

Edit the ConfigMap of the ingress controller:

kubectl edit configmap -n <namespace> <configmap-name>

Add use-proxy-protocol: "true" to the data section as the following snippet:

apiVersion: v1
  allow-snippet-annotations: "true"
  use-proxy-protocol: "true"
kind: ConfigMap

Ingress controller errors

  • broken header: " " while reading PROXY protocol occurs:
    • when proxy protocol is enabled in the ingress controller but not enabled in the loadbalancer.
    • when the request does not go through the loadbalancer if the proxy protocol is already enabled in the lodabalancer. For example, a k8s service issues a request to a public ingress, the request will not be routed though the loadbalancer.

Allow traffic from specific IPs or CIDRs

when proxy-protocol is enabled the nginx.ingress.kubernetes.io/whitelist-source-range Ingress annotation can be used to allow the traffic only from specific IPs or CIDRs.