We’re running ingress-nginx with a reverse proxy in front of it, so we enabled the use-forwarded-headers option to ensure that X-Forwarded-* headers from the reverse proxy are passed on to our Kubernetes pods.
Now, we’re considering making some applications (each with their own Kubernetes ingress object defined) directly available without the additional reverse proxy. However, this would make ingress-nginx accept X-Forwarded-* from the public internet, which is clearly a bad idea.
Is there a way to enable the use-forwarded-headers option only for a subset of ingresses, or only when traffic arrives from certain trusted hosts (i.e. only our own reverse proxy)?