We’re running ingress-nginx with a reverse proxy in front of it, so we enabled the use-forwarded-headers option to ensure that X-Forwarded-* headers from the reverse proxy are passed on to our Kubernetes pods.
Now, we’re considering making some applications (each with their own Kubernetes ingress object defined) directly available without the additional reverse proxy. However, this would make ingress-nginx accept X-Forwarded-* from the public internet, which is clearly a bad idea.
Is there a way to enable the use-forwarded-headers option only for a subset of ingresses, or only when traffic arrives from certain trusted hosts (i.e. only our own reverse proxy)?
It is a security issue to trust these headers coming from the public internet, as they can be used to e.g. circumvent ACLs. This blog post explains the issues in more detail: Security Rule Zero: A Warning about X-Forwarded-For.
Working around that with nginx config snippets would mean undoing these directives (I’m not sure if that’s easy to do) and potentially having to re-do that for any new ingress-nginx release that touches that logic.
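The "trust these headers only when they came from our own proxy" rule the question asks for can also be applied in the application behind the ingress, which is a useful safety net whatever the ingress-nginx configuration ends up being. The following is an added example and not code from the poster, from ingress-nginx or from the linked blog post; the proxy CIDRs, the internal-only ACL and the sample requests are constructed for illustration. It contrasts the unsafe reading of X-Forwarded-For (take the leftmost entry) with the trusted-proxy reading: believe the header only if the TCP peer is one of our proxies, then walk the chain from the right, discard hops that are our own proxies, and stop at the first address we did not add ourselves.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed for this example: the addresses of our own reverse-proxy tier.
# Only connections arriving from these may carry X-Forwarded-* headers we believe.
TRUSTED_PROXIES: List[Network] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.7/32"),
]

# Constructed for this example: an ACL that is supposed to admit internal clients only.
INTERNAL_ONLY: List[Network] = [ipaddress.ip_network("10.0.0.0/8")]


def parse_ip(text: str) -> Optional[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]:
    """Parse one address; return None for anything that is not a plain IP literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def in_any(ip, nets: Iterable[Network]) -> bool:
    return any(ip in net for net in nets)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """What goes wrong when X-Forwarded-For is trusted unconditionally:
    the leftmost entry is whatever the sender chose to write there."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, xff: Optional[str],
              trusted: Iterable[Network] = TRUSTED_PROXIES) -> Optional[str]:
    """Return the address to treat as the client, or None if it cannot be determined.

    remote_addr is the TCP peer, the only address we observed ourselves. If the peer
    is not one of our proxies, every X-Forwarded-* header is sender-controlled and is
    ignored. If it is, walk X-Forwarded-For from the right (the end our proxies wrote),
    drop hops that are our own proxies, and stop at the first hop we did not add.
    """
    peer = parse_ip(remote_addr)
    if peer is None:
        return None
    if not in_any(peer, trusted):
        return remote_addr  # direct connection: the headers are not ours, ignore them
    if not xff:
        return None  # our proxy always appends the header; without it the client is unknown
    hops = [h.strip() for h in xff.split(",")]
    for hop in reversed(hops):
        ip = parse_ip(hop)
        if ip is None:
            return None  # malformed chain: fail closed rather than guess
        if not in_any(ip, trusted):
            return str(ip)
    return remote_addr  # every hop was one of our own proxies; the peer is the best answer


def acl_allows(addr: Optional[str], allowed: Iterable[Network] = INTERNAL_ONLY) -> bool:
    """Deny when the client address is unknown or outside the allowed ranges."""
    ip = parse_ip(addr) if addr is not None else None
    return ip is not None and in_any(ip, allowed)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header as received).
    spoof_direct = ("198.51.100.20", "10.1.2.3")              # internet client, forged header
    via_proxy = ("10.0.0.5", "198.51.100.20")                 # our proxy appended the real client
    spoof_via_proxy = ("10.0.0.5", "10.1.2.3, 198.51.100.20")  # forged entry, then proxy append
    for peer, xff in (spoof_direct, via_proxy, spoof_via_proxy):
        print(f"peer={peer:15} xff={xff!r:28} "
              f"naive={naive_client_ip(peer, xff):13} allow={acl_allows(naive_client_ip(peer, xff))}  "
              f"trusted-proxy={client_ip(peer, xff)} allow={acl_allows(client_ip(peer, xff))}")
```

Running the script shows the two readings diverging exactly in the cases the question worries about: a forged header on a direct internet connection, and a forged entry prepended in front of the one our proxy appended, both pass the internal-only ACL under the naive reading and are rejected under the trusted-proxy reading. The list of trusted proxies is the one piece of configuration this approach depends on, so it should be kept in step with whatever sits in front of the ingress.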