Enabling ingress-nginx use-forwarded-headers option on subset of ingresses


#1

We’re running ingress-nginx with a reverse proxy in front of it, so we enabled the use-forwarded-headers option to ensure that X-Forwarded-* headers from the reverse proxy are passed on to our Kubernetes pods.

Now, we’re considering making some applications (each with their own Kubernetes ingress object defined) directly available without the additional reverse proxy. However, this would make ingress-nginx accept X-Forwarded-* from the public internet, which is clearly a bad idea.

Is there are way to enable the use-forwarded-headers option only for a subset of ingresses, or only when traffic arrives from certain trusted hosts (i.e. only our own reverse proxy)?


#2

This is not possible. The use-forwarded-headers option is a global configuration.
Please open an issue requesting the feature in https://github.com/kubernetes/ingress-nginx


#3

Sorry, not sure I follow. Can you please elaborate why it would mean to accept z forward for headers from the internet in the ingress controller?

IIUC, the ingress will receive the traffic directly, right? So you can have the ingress trust the IP from the reverse proxy only and, by doing it:

  • Traffic from the reverse proxy is resolved to the correct client IP

  • Traffic coming directly too, as it’s not sent from the reverse proxy IP.

Am I missing something? Can you please explain me? :slight_smile:


#4

It is a security issue to trust these headers coming from the public internet, as they can be used to e.g. circumvent ACLs. This blog post explains the issues in more detail: https://www.f5.com/company/blog/security-rule-zero-a-warning-about-x-forwarded-for.


#5

Thanks for the reply! I’ve opened an issue: https://github.com/kubernetes/ingress-nginx/issues/3837.


#6

Sure, I just don’t see why you can’t trust the proxy IP only.

But I guess I’m missing something in ingress nginx granularity (I don’t use it, so I don’t know it well :))

Isn’t the option to add arbitrary nginx config snippets useful to workaround this?


#7

It doesn’t have the granularity, the trusting of forwarded-headers happens in the global http block.

Working around that with nginx config snippets would mean undoing these directives (I’m not sure if that’s easy to do) and potentially having to re-do that for any new ingress-nginx release that touches that logic.


#8

Ohh, too bad. Thanks for the link (I’ll peek at it later :))