terraform-ske-nginx-rate-limit/README.md
Mauritz Uphoff ea19003e9c
All checks were successful
CI / TruffleHog Secrets Scan (push) Successful in 4s
CI / Terraform Format & Validate (push) Successful in 5s
Initial commit
2025-05-15 11:02:49 +02:00

2.3 KiB

How to Forward the Real Client IP to the Ingress Controller

When your application is accessed through a Load Balancer, the original client IP may not be visible to your pods unless the TCP Proxy Protocol is enabled and properly configured. STACKIT supports Proxy Protocol version 2. Please follow the steps below to ensure your application and ingress-nginx controller can correctly receive and log the original client IP.

Reference:
Official STACKIT documentation: Load Balancer SKE - TCP Proxy Protocol


1. Configure the Service for Proxy Protocol

The Kubernetes Service of type LoadBalancer must be annotated to enable Proxy Protocol support from STACKIT.

Example:

apiVersion: v1
kind: Service
metadata:
  name: my-proxy-service
  annotations:
    lb.stackit.cloud/tcp-proxy-protocol: "true"
spec:
  selector:
    app: MyApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
  type: LoadBalancer

Note:
Make sure the application behind the Load Balancer is compatible with Proxy Protocol v2. If not, connections might fail or behave unexpectedly.


2. Enable Proxy Protocol on ingress-nginx

Your ingress controller must also be configured to accept Proxy Protocol headers.
This may require special Helm values when deploying ingress-nginx.

  • See how this is done in 07-helm.tf for this repository.
  • In general, for ingress-nginx Helm charts, you will need:
    • controller.config.use-proxy-protocol: "true"
    • Any additional Service annotations as required by your cloud provider and use case.

3. Testing

To load test your endpoint and validate real client IP handling, you can use fortio:

fortio load --qps 50 -t 10s <url from outputs.tf>

Replace <url from outputs.tf> with the Load Balancer or Ingress endpoint output by your Terraform configuration.


Important

  • Proxy Protocol must be enabled on both the Load Balancer service and the ingress/nginx controller.
  • If either is not configured, the original client IP will not be visible within your pods, and may result in errors.
  • Always review the official documentation for your platform and ingress-nginx version.