Ingressgate can't forward the header "x-forwarded-for"

The version of Istio I used is 1.45. During use I found the following problem with ingressgate.

My access form is simply as follows: client -> ingressgate -> service1

When the client initiates the access, the header carries "x-forward-for". After being forwarded by ingressgate, service1 cannot get the "x-forward-for" content.
After testing, the ingressgate did not forward the header "x-forwarded-for" at all (but no problem occurred with other customized headers).

I hope it can be solved

Are you installing Istio using Helm? Try reinstalling it using the following:

gateways:
  istio-ingressgateway:
    externalTrafficPolicy: Local 

According to your prompt, I modified it as follows:
1) exec command: kubectl edit svc istio-ingressgateway -n istio-system
2) change “Cluster” to “Local”
spec:
  clusterIP: 10.245.163.159
  externalTrafficPolicy: Local
  healthCheckNodePort: 45748

But I still can’t get “x-forward-for”.

Solution: create an EnvoyFilter:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: rsl-envoyfilter
  namespace: istio-system
spec:
  workloadLabels:
    app: istio-ingressgateway
  filters:
    - listenerMatch:
        portNumber: 58080
        listenerType: GATEWAY
      filterName: envoy.lua
      filterType: HTTP
      filterConfig:
        inlineCode: |
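          function envoy_on_request(request_handle)
            local headers = request_handle:headers()
            -- Drop any copy of the custom header sent by the client,
            -- so that only the gateway sets it.
            headers:remove("X-Custom-User-IP")
            -- get() returns nil when the request has no X-Forwarded-For.
            local xff_header = headers:get("X-Forwarded-For")
            if xff_header == nil then
              return
            end
            -- First (leftmost) IPv4 address; dots are escaped to match literally.
            -- The leftmost entry is whatever the client sent in the header.
            local first_ip = string.match(xff_header, "(%d+%.%d+%.%d+%.%d+)")
            if first_ip ~= nil then
              headers:add("X-Custom-User-IP", first_ip)
            end
          end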

Run the above EnvoyFilter, and we can get the real IP through request.headers[“x-custom-user-ip”] in the application or rule (mixer) or instance (mixer).
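
Added example, not part of the thread: the filter above copies the leftmost X-Forwarded-For entry, which is the part of the header the client controls, so an IP whitelist built on it can be bypassed. This standalone Lua picks the entry written by the outermost proxy you operate instead; `trusted_proxies`, the helper names and the sample header are assumptions, and only IPv4 is handled.

```lua
-- Split an X-Forwarded-For value into trimmed, non-empty entries.
local function split_xff(xff)
  local entries = {}
  for item in string.gmatch(xff or "", "[^,]+") do
    local trimmed = string.match(item, "^%s*(.-)%s*$")
    if trimmed ~= "" then
      entries[#entries + 1] = trimmed
    end
  end
  return entries
end

-- Strict dotted-quad check: exactly four octets, each 0..255.
local function is_ipv4(s)
  local a, b, c, d = string.match(s, "^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then
    return false
  end
  for _, octet in ipairs({a, b, c, d}) do
    if #octet > 3 or tonumber(octet) > 255 then
      return false
    end
  end
  return true
end

-- trusted_proxies is an assumed parameter: the number of proxies you operate,
-- each of which appends the address of its direct peer to the header.
-- Returns the entry written by the outermost trusted proxy, or nil.
local function client_ip(xff, trusted_proxies)
  local entries = split_xff(xff)
  local idx = #entries - trusted_proxies + 1
  if trusted_proxies < 1 or idx < 1 then
    return nil -- header is shorter than the proxy chain: do not guess
  end
  local candidate = entries[idx]
  if is_ipv4(candidate) then
    return candidate
  end
  return nil
end

-- Constructed sample: the client sent "10.1.1.1" itself; the load balancer
-- appended the real peer 198.51.100.23 and the gateway appended 10.0.0.5.
local header = "10.1.1.1, 198.51.100.23, 10.0.0.5"
print("leftmost entry:", split_xff(header)[1])
print("trusted-hop entry:", client_ip(header, 2))
print("short header:", client_ip("10.1.1.1", 2))
```

The three functions have no Envoy dependency, so they can be pasted into an `inlineCode` block and called from `envoy_on_request` once the number of appending proxies in front of the workload is known.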

This never seems to work for me in AWS. It’s weird.

I built my own k8s and Istio in Alicloud and in a local test environment, and the test can be run.

k8s 1.63
istio 1.5

I have now seen my IP whitelisting work even with the Istio Ingress Gateway set to externalTrafficPolicy: Local and it seems like it was a misconfiguration on my part.