Enabling ingress-nginx use-forwarded-headers option on subset of ingresses

praseodym · March 2, 2019, 5:52pm

We’re running ingress-nginx with a reverse proxy in front of it, so we enabled the use-forwarded-headers option to ensure that X-Forwarded-* headers from the reverse proxy are passed on to our Kubernetes pods.

Now, we’re considering making some applications (each with their own Kubernetes ingress object defined) directly available without the additional reverse proxy. However, this would make ingress-nginx accept X-Forwarded-* from the public internet, which is clearly a bad idea.

Is there are way to enable the use-forwarded-headers option only for a subset of ingresses, or only when traffic arrives from certain trusted hosts (i.e. only our own reverse proxy)?

aledbf · March 2, 2019, 6:32pm

This is not possible. The use-forwarded-headers option is a global configuration.
Please open an issue requesting the feature in https://github.com/kubernetes/ingress-nginx

rata · March 2, 2019, 11:24pm

Sorry, not sure I follow. Can you please elaborate why it would mean to accept z forward for headers from the internet in the ingress controller?

IIUC, the ingress will receive the traffic directly, right? So you can have the ingress trust the IP from the reverse proxy only and, by doing it:

Traffic from the reverse proxy is resolved to the correct client IP
Traffic coming directly too, as it’s not sent from the reverse proxy IP.

Am I missing something? Can you please explain me?

praseodym · March 3, 2019, 1:08pm

It is a security issue to trust these headers coming from the public internet, as they can be used to e.g. circumvent ACLs. This blog post explains the issues in more detail: Security Rule Zero: A Warning about X-Forwarded-For.

praseodym · March 3, 2019, 1:17pm

Thanks for the reply! I’ve opened an issue: Enable use-forwarded-headers on subset of ingresses or from whitelisted hosts · Issue #3837 · kubernetes/ingress-nginx · GitHub.

rata · March 4, 2019, 6:17pm

Sure, I just don’t see why you can’t trust the proxy IP only.

But I guess I’m missing something in ingress nginx granularity (I don’t use it, so I don’t know it well :))

Isn’t the option to add arbitrary nginx config snippets useful to workaround this?

praseodym · March 4, 2019, 7:19pm

It doesn’t have the granularity, the trusting of forwarded-headers happens in the global http block.

Working around that with nginx config snippets would mean undoing these directives (I’m not sure if that’s easy to do) and potentially having to re-do that for any new ingress-nginx release that touches that logic.

rata · March 5, 2019, 12:16am

Ohh, too bad. Thanks for the link (I’ll peek at it later :))

Topic		Replies	Views
Using nginx ingress annotations to change host header for backend service General Discussions	2	3745	November 29, 2020
New in kubernetes ingress-nginx General Discussions	0	1077	November 7, 2018
How to set X-forwarded-For as a real IP while Proxy Protocol is enabled? (Ingress-Nginx) General Discussions	0	2724	May 24, 2023
Why I should use Ingress instead of simple reverse proxy? General Discussions service , network	1	3035	August 4, 2023
Ingress with an extra reverse proxy (nginx) General Discussions	1	514	July 11, 2023

Enabling ingress-nginx use-forwarded-headers option on subset of ingresses

Related Topics