Having problems with Cloudflare sending HTTP/2 requests to our system, we changed the traffic to go directly to the gateway rather than via Cloudflare.
Cloudflare added the X-Forwarded-For header providing the connecting client IP address; however, now when using the gateway exposed directly with HTTPS we no longer get the client IP address, but rather the address of the connecting pod (downstream) or something like that.
Having followed the instructions in the documentation, I have not had any success getting the IP address in any shape or form to the service running in the pod.
Dumping the headers when accessing the server gives me this:

```
host: host.example.com
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
upgrade-insecure-requests: 1
cache-control: max-age=0
te: trailers
x-forwarded-for: 10.244.0.12
x-forwarded-proto: https
x-request-id: 13446225-0965-4252-af81-eeb40980600c
x-envoy-attempt-count: 1
content-length: 0
x-envoy-internal: true
x-forwarded-client-cert: By=spiffe://cluster.local/ns/host.example/sa/default;Hash=aec9e23mahnamana8a7545c23623a21a39666d9029d8c6936ebe5d2d3a1;Subject="";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
x-b3-traceid: eb7c5ad8b31cfe119fda45adacd0300e
x-b3-spanid: 6f3de7b4cfab2cc0
x-b3-parentspanid: 9fda45adacd0300e
x-b3-sampled: 0
```
I have tried any and all combinations of:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      gatewayTopology:
        numTrustedProxies: 2  # tried 0, 1, 2, 3, ...
```
But still no external IP. I have also restarted the affected deployments and the ingress gateway to make sure all components have got the new settings.
In some combinations, I randomly get the 10.x address and the external IP address of the actual physical server running the Kubernetes node, nothing which is really used in any settings on the system. I have never managed to get the "connecting" IP address here.
What is the simplest way to get this to work?
Is there something fundamental I am missing out on here?
Version 1.9.2 running on managed Kubernetes at DigitalOcean.
Thanks for any help,
Erik
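To see why changing numTrustedProxies alone cannot surface an address that no hop ever recorded, here is an added model (not code from the post or from Istio/Envoy) of how an Envoy-based gateway selects the client address from X-Forwarded-For. It assumes numTrustedProxies follows Envoy's xff_num_trusted_hops rule: with N = 0 the direct peer address is used, with N > 0 the N-th address from the right of the incoming XFF is used, and when XFF has fewer than N entries the peer address is used as a fallback; all sample addresses are constructed.

```python
# Added illustration; assumption: numTrustedProxies behaves like Envoy's
# xff_num_trusted_hops (N == 0 -> peer address; N > 0 -> N-th XFF entry from
# the right; fewer than N entries -> fall back to the peer address).
from typing import Dict, List, Optional


def parse_xff(xff: Optional[str]) -> List[str]:
    """Split an XFF header into addresses, oldest hop first (left to right)."""
    if not xff:
        return []
    return [part.strip() for part in xff.split(",") if part.strip()]


def select_client_ip(xff: Optional[str], peer_addr: str, num_trusted_proxies: int) -> str:
    """Address the gateway treats as the client for a given numTrustedProxies."""
    hops = parse_xff(xff)
    if num_trusted_proxies <= 0:
        return peer_addr
    if len(hops) < num_trusted_proxies:
        # Not enough recorded hops to trust: fall back to the connection address.
        return peer_addr
    return hops[-num_trusted_proxies]


def append_xff(xff: Optional[str], peer_addr: str) -> str:
    """XFF as forwarded upstream: the incoming value with the observed peer appended."""
    return ", ".join(parse_xff(xff) + [peer_addr])


def post_scenario() -> Dict[str, object]:
    """Constructed reproduction of the dump in the post: the gateway saw only a
    cluster-internal peer (10.244.0.12) and no XFF header on the way in."""
    peer = "10.244.0.12"
    return {
        "forwarded_xff": append_xff(None, peer),
        "client_by_n": {n: select_client_ip(None, peer, n) for n in range(0, 4)},
    }


def proxied_scenario() -> Dict[int, str]:
    """Constructed case with an upstream proxy chain: the real client 203.0.113.50,
    then a proxy 198.51.100.7, then the same internal peer in front of the gateway."""
    xff = "203.0.113.50, 198.51.100.7"
    peer = "10.244.0.12"
    return {n: select_client_ip(xff, peer, n) for n in range(0, 4)}


if __name__ == "__main__":
    print(post_scenario())
    print(proxied_scenario())
```

In the post's scenario every numTrustedProxies value yields the same internal 10.244.0.12, because that is the only address any hop wrote; the original source address has to be preserved before the gateway (for example by the load balancer) for any N to recover it.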