Comments (8)
I am currently having this same issue but on Azure. Adding the nginx.ingress.kubernetes.io/whitelist-source-range: "74.234.138.x/32"
annotation basically makes the service inaccessible both internally (from pods that have access within the same namespace) and externally (from 74.234.138.x, over the internet). Removing the annotation restores access to the service. It's totally strange to me.
from ingress-nginx.
This issue is currently awaiting triage.
If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/remove-kind bug
Please enable proxy-protocol on the NLB as well as in the controller https://kubernetes.github.io/ingress-nginx/user-guide/miscellaneous/#proxy-protocol
/kind support
Because of this bug report we decided to test this before upgrading. We are not experiencing this problem, so this does indeed seem to be a problem related to your setup and not to the upgrade itself.
Hi,
I tried to activate the proxy protocol, but I got errors. In more detail, I get logs of broken headers like this:
2024/05/02 09:32:24 [error] 445#445: *4633986 broken header: "84�x�^��۩" while reading PROXY protocol, client: 172.31.15.204, server: 0.0.0.0:443
I did the following operations:
- Activated the proxy protocol v2 on the AWS NLB Target Groups for ports 443 and 80
- Changed the ingress-nginx-controller ConfigMap to set the use-proxy-protocol option to true
- Changed the ingress-nginx-controller Service by editing the value of the following annotation:
service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true,proxy_protocol_v2.enabled=true
Anyway, over the last few days, while I was checking other similar issues, I changed the ingress-nginx-controller Service by adding more annotations. Here's the full list of annotations present on the ingress-nginx-controller Service.
annotations:
meta.helm.sh/release-name: ingress-nginx
meta.helm.sh/release-namespace: nginx
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: '80'
service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true
service.beta.kubernetes.io/aws-load-balancer-type: nlb
None of these annotations actually changed the real behaviour of the controller.
@longwuyuan The docs you linked me talk about the proxy protocol on the AWS ELB, which means the Classic Load Balancer and not the Network Load Balancer. For the Classic version, the linked AWS docs talk only about proxy protocol v1, while on the Network version only v2 is available.
Moreover, it seems that the broken header is affecting other people too, as in issue #9643 from the previous year.
If you have any suggestion on how to resolve this, I'm available to test it.
@rouke-broersma Regarding the upgrade, I don't think my problem is strictly related to the ingress-nginx version. I upgraded the controller in another cluster and everything went fine.
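The two failure modes in this thread (the whitelist blocking everyone, and the "broken header ... while reading PROXY protocol" log line) are both about which source address nginx ends up evaluating whitelist-source-range against. The following is an added example, not code from ingress-nginx, AWS or anyone in this thread: it builds and parses a PROXY protocol v2 header the way a controller with use-proxy-protocol=true must, then shows what nginx sees when the load balancer and the controller agree on the protocol, when only the controller expects it, and when neither side uses it and the LB does not preserve the client IP. The addresses 74.234.138.1 (standing in for the redacted 74.234.138.x), 10.0.1.7 and the port numbers are constructed for the example; 172.31.15.204 is the NLB-side address from the log line above.

```python
"""Added example: PROXY protocol v2 decoding and whitelist-source-range evaluation.
Not ingress-nginx code. Sample addresses and ports are constructed for illustration."""
import ipaddress
import struct

# 12-byte signature from the PROXY protocol specification (v2).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


class BrokenHeader(ValueError):
    """The condition nginx reports as 'broken header: ... while reading PROXY protocol'."""


def build_proxy_v2(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Build the header a load balancer prepends when proxy protocol v2 is enabled (TCP)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    if src.version == 4:   # AF_INET (1) << 4 | STREAM (1)
        fam_proto, body = 0x11, struct.pack("!4s4sHH", src.packed, dst.packed, src_port, dst_port)
    else:                  # AF_INET6 (2) << 4 | STREAM (1)
        fam_proto, body = 0x21, struct.pack("!16s16sHH", src.packed, dst.packed, src_port, dst_port)
    # 0x21: version 2 in the high nibble, command PROXY (1) in the low nibble.
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, fam_proto, len(body)) + body


def parse_proxy_v2(data: bytes):
    """Return ((src_ip, src_port, dst_ip, dst_port) or None for a LOCAL command, remaining bytes)."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        # Raw TLS or HTTP arriving where a PROXY header is expected lands here.
        raise BrokenHeader(f"broken header: {data[:16]!r}")
    ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise BrokenHeader("unsupported PROXY protocol version")
    body, rest = data[16:16 + addr_len], data[16 + addr_len:]
    if len(body) != addr_len:
        raise BrokenHeader("truncated address block")
    if ver_cmd & 0x0F == 0:  # LOCAL: the LB's own health check, no client address carried
        return None, rest
    family = fam_proto >> 4
    if family == 1 and addr_len >= 12:
        s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
        return (ipaddress.IPv4Address(s), sp, ipaddress.IPv4Address(d), dp), rest
    if family == 2 and addr_len >= 36:
        s, d, sp, dp = struct.unpack("!16s16sHH", body[:36])
        return (ipaddress.IPv6Address(s), sp, ipaddress.IPv6Address(d), dp), rest
    raise BrokenHeader("unsupported or undersized address family block")


def client_ip_seen_by_nginx(first_bytes: bytes, peer_ip: str, use_proxy_protocol: bool) -> str:
    """The source address nginx evaluates whitelist-source-range against."""
    if not use_proxy_protocol:
        # Without use-proxy-protocol, any header is treated as application data and the
        # TCP peer is used: the LB/node address unless the LB preserves the client IP.
        return peer_ip
    addr, _ = parse_proxy_v2(first_bytes)  # raises BrokenHeader if the LB sent raw TLS/HTTP
    return peer_ip if addr is None else str(addr[0])


def whitelist_allows(client_ip: str, source_ranges) -> bool:
    """whitelist-source-range semantics: allow the listed CIDRs, deny everything else."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in source_ranges)


if __name__ == "__main__":
    ranges = ["74.234.138.1/32"]
    hdr = build_proxy_v2("74.234.138.1", 51234, "10.0.1.7", 443)
    tls_hello = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"  # constructed start of a TLS record
    # 1) LB and controller both speak PROXY v2: the real client is visible, whitelist works.
    ip = client_ip_seen_by_nginx(hdr + tls_hello, "172.31.15.204", True)
    print(ip, whitelist_allows(ip, ranges))        # 74.234.138.1 True
    # 2) Controller expects PROXY v2 but the LB sends raw TLS: the 'broken header' error.
    try:
        client_ip_seen_by_nginx(tls_hello, "172.31.15.204", True)
    except BrokenHeader as err:
        print(err)
    # 3) No PROXY on either side and the LB does not preserve the client IP:
    #    nginx sees the LB's private address and the whitelist blocks everyone.
    ip = client_ip_seen_by_nginx(tls_hello, "172.31.15.204", False)
    print(ip, whitelist_allows(ip, ranges))        # 172.31.15.204 False
```

Case 3 is why the annotation appears to "make the service inaccessible": the allow list is evaluated against the LB or node address, which is never in the list. Case 2 is the log line above: the controller is waiting for the 12-byte signature and instead reads the first bytes of the TLS handshake. The fix is to enable the protocol on both ends, or on neither, never on one.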
There is one issue about the proxy-protocol-v2 and they had the same problem (which they solved AFAIK). Searching for the issue number now
Check if the info here helps in any way #10982
While I was checking on this ("Check if the info here helps in any way #10982"), I made some modifications and redeployed ingress-nginx with externalTrafficPolicy: Cluster and the proxy protocol enabled both on the controller and on the Load Balancer. I also changed the healthcheck port as suggested in the issue. Anyway, that wasn't working.
Then I reverted the configuration to the previous one, which at least served non-whitelisted traffic. Anyway, the situation got worse, and the services where the IP was wrong now weren't serving traffic anymore. The connections to these services were being closed. The Chrome browser showed the ERR_CONNECTION_CLOSED error and there was no trace of those requests in the ingress-nginx logs.
Since this was causing real downtime on the systems, I opted to completely remove ingress-nginx, which led to the removal of the Network Load Balancer on AWS. After reinstalling ingress-nginx, a new Load Balancer was created and everything started working again, including the whitelist annotation.
Something I noticed was that the DNS records on Route53 were actually pointing to the NLB, but they were Alias records of the type used for Classic or Application Load Balancers. I corrected those records too; they may have been managed by an old version of external-dns with an old ingress-nginx. Anyway, I don't have any proof that this affected the traffic (which worked until the first update, as I mentioned above in the issue).
I suspect that there was something not working with that particular NLB instance. Anyway, if the same problem is happening on Azure, the problem may be in some internal (mis)configuration of ingress-nginx, or something between the ingress-nginx and the Load Balancer?