professional-service-best-practices/terraform-ske-nginx-rate-limit
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
terraform-ske-nginx-rate-limit/README.md
Mauritz Uphoff ea19003e9c
All checks were successful
CI / TruffleHog Secrets Scan (push) Successful in 4s
Details
CI / Terraform Format & Validate (push) Successful in 5s
Details
Initial commit
2025-05-15 11:02:49 +02:00

68 lines
No EOL
2.3 KiB
Markdown
Raw Permalink Blame History

# How to Forward the Real Client IP to the Ingress Controller
When your application is accessed through a Load Balancer, the original client IP may not be visible to your pods unless the **TCP Proxy Protocol** is enabled and properly configured.
STACKIT supports Proxy Protocol version 2. Please follow the steps below to ensure your application and ingress-nginx controller can correctly receive and log the original client IP.
**Reference:**
Official STACKIT documentation: [Load Balancer SKE - TCP Proxy Protocol](https://docs.stackit.cloud/stackit/en/load-balancer-ske-28476594.html#LoadBalancerSKE-TCPProxyProtocol)
---
## 1. Configure the Service for Proxy Protocol
The Kubernetes `Service` of type `LoadBalancer` must be annotated to enable Proxy Protocol support from STACKIT.
**Example:**
```yaml
apiVersion: v1
kind: Service
metadata:
name: my-proxy-service
annotations:
lb.stackit.cloud/tcp-proxy-protocol: "true"
spec:
selector:
app: MyApp
ports:
- protocol: TCP
port: 80
targetPort: 8080
type: LoadBalancer
```
**Note:**
Make sure the application behind the Load Balancer is compatible with Proxy Protocol v2. If not, connections might fail or behave unexpectedly.
---
## 2. Enable Proxy Protocol on ingress-nginx
Your ingress controller must also be configured to accept Proxy Protocol headers.
This may require special Helm values when deploying ingress-nginx.
- See how this is done in [07-helm.tf](07-helm.tf) for this repository.
- In general, for ingress-nginx Helm charts, you will need:
- `controller.config.use-proxy-protocol: "true"`
- Any additional Service annotations as required by your cloud provider and use case.
---
## 3. Testing
To load test your endpoint and validate real client IP handling, you can use [`fortio`](https://fortio.org/):
```sh
fortio load --qps 50 -t 10s <url from outputs.tf>
```
Replace `<url from outputs.tf>` with the Load Balancer or Ingress endpoint output by your Terraform configuration.
---
## Important
- Proxy Protocol must be enabled on **both** the Load Balancer service **and** the ingress/nginx controller.
- If either is not configured, the original client IP will not be visible within your pods, and may result in errors.
- Always review the official documentation for your platform and ingress-nginx version.
---
Reference in a new issue View git blame Copy permalink