Ingressgate can't forward the header "x-forwarded-for""

The version of istio I used is 1.45. I found the problem of ingressgate during the use, as follows.

My access form is simply as follows: client - > ingressgate - > service1

 When the client initiates the access, the header carries "x-forward-for". After being forwarded by ingressgate, services1 cannot get "x-forward-for" content. 
 After testing, the ingressgate did not forward the header "x-forwarded-for" at all (bug no problem occurred in other customized headers).

I hope it can be solved

Are you installing Istio using Helm? Try to reinstalling it using the following:

    externalTrafficPolicy: Local 

According to your prompt, I modified it as follows:
1)exec command: kubectl edit svc istio-ingressgateway -n istio-system
2) change “Cluster” to “Local”
externalTrafficPolicy: Local
healthCheckNodePort: 45748

But “x-forward-for” still can’t get 。

Solution, create EnvoyFilter:

kind: EnvoyFilter
  name: rsl-envoyfilter
  namespace: istio-system
    app: istio-ingressgateway
    - listenerMatch:
        portNumber: 58080
        listenerType: GATEWAY
      filterName: envoy.lua
      filterType: HTTP
        inlineCode: |
          function envoy_on_request(request_handle)
            local xff_header = request_handle:headers():get("X-Forwarded-For")
            local first_ip = string.gmatch(xff_header, "(%d+.%d+.%d+.%d+)")();
            first_ip = string.gsub(first_ip, ",", "")
            request_handle:headers():add("X-Custom-User-IP", first_ip);

Run the above envoyfilter, and we can get the real IP through request.headers [“x-custom-user-ip”] in the application or rule(mixer) or instance(mixer)

This never seems to work for me in AWS. It’s weird.

I built my own k8s and istio in alicloud and local test environment, and the test can be run。

k8s 1.63
istio 1.5

I have now seen my IP whitelisting work even with the Istio Ingress Gateway set to externalTrafficPolicy: Local and it seems like it was a misconfiguration on my part.