Nginx Rate Limit


Anant Bhardwaj

Aug 6, 2016, 12:44:13 PM
to Kubernetes user discussion and Q&A
We have an nginx service running in LoadBalancer mode in GKE. We wanted to apply nginx rate-limit but $binary_remote_addr is one of the cluster's addresses, not the real client IP. Would love to get any input on how to get the nginx pods to know the real client IP.

Brian Akins

Aug 6, 2016, 1:06:07 PM
to kubernet...@googlegroups.com

Sent from my iPhone


Anant Bhardwaj

Aug 6, 2016, 2:27:29 PM
to kubernet...@googlegroups.com
I did set those:

real_ip_header X-Forwarded-For;
set_real_ip_from 10.0.0.0/8;
real_ip_recursive on;

proxy_set_header X-Real-IP $realip_remote_addr;
proxy_set_header X-Remote-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-NginX-Proxy true;
proxy_redirect off;


When I print it in my webapp, I still get the cluster IP:
2016-08-06T18:21:44.673040983Z Accept-Language: en-US,en;q=0.8,ms;q=0.6
2016-08-06T18:21:44.673043845Z X-Real-Ip: 10.112.0.1
2016-08-06T18:21:44.673046728Z User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36
2016-08-06T18:21:44.673055659Z X-Requested-With: XMLHttpRequest
2016-08-06T18:21:44.673058414Z X-Nginx-Proxy: true
2016-08-06T18:21:44.673064279Z X-Forwarded-Proto: https
2016-08-06T18:21:44.673067139Z Host: dogfood.gcloud.instabase.com
2016-08-06T18:21:44.673069963Z Accept: */*
2016-08-06T18:21:44.673072661Z X-Forwarded-Host: dogfood.gcloud.instabase.com
2016-08-06T18:21:44.673075479Z X-Forwarded-For: 10.112.0.1
2016-08-06T18:21:44.673078246Z X-Remote-Ip: 10.112.0.1
2016-08-06T18:21:44.673080983Z Accept-Encoding: gzip, deflate, sdch, br



Rodrigo Campos

Aug 6, 2016, 5:19:38 PM
to kubernet...@googlegroups.com
A load balancer service is not at layer 7. Don't know about GKE, but you can probably check the LB and see that it is using TCP.

To see the real IP you would have to use a manually configured LB (expose the service as node port and you create the LB using HTTP transport instead of TCP) or you can also use the ingress.

The ingress is layer 7; there is a controller for GKE to use the LB and it uses HTTP/HTTPS.
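
Added example, not part of any post in this thread: a simplified Python model of how nginx's realip module, under the directives posted above, picks the address that becomes $remote_addr and $binary_remote_addr (the rate-limit key). The function name and every sample address other than 10.112.0.1 and 10.0.0.0/8 are constructed for illustration.

```python
import ipaddress


def resolve_client_ip(peer, xff, trusted_cidrs, recursive=True):
    """Simplified model (an assumption of this example, not nginx source) of
    the realip module with `real_ip_header X-Forwarded-For`.

    peer          -- TCP source address nginx sees ($realip_remote_addr)
    xff           -- X-Forwarded-For value as received, or None if absent
    trusted_cidrs -- the networks listed in set_real_ip_from
    recursive     -- the real_ip_recursive setting
    Returns the address that ends up in $remote_addr / $binary_remote_addr.
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def trusted(addr):
        return any(addr in n for n in nets)

    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff.split(",")] if xff else []
    # Walk the header right to left, but only while the address we are
    # standing on is trusted to have written the hop before it.
    while hops and trusted(current):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # unparseable hop: keep the last good address
        if not recursive:
            break
    return str(current)


if __name__ == "__main__":
    page_trust = ["10.0.0.0/8"]  # set_real_ip_from value from the thread
    cases = [
        # TCP (layer 4) load balancer: no header arrives, as in the posted log
        ("L4 LB, no header", "10.112.0.1", None, page_trust),
        # HTTP (layer 7) proxy that appends the client address (constructed)
        ("L7 proxy", "10.112.0.1", "203.0.113.7", page_trust),
        # Longer chain: the untrusted hop nearest nginx wins, not the leftmost
        ("chain", "10.112.0.1", "198.51.100.9, 203.0.113.7, 10.4.0.3", page_trust),
        # Header that no trusted proxy wrote, with the broad trusted range
        ("L4 LB, header present", "10.112.0.1", "198.51.100.9", page_trust),
        # Same request, trust narrowed to one constructed proxy address
        ("narrow trust", "10.112.0.1", "198.51.100.9", ["192.0.2.10/32"]),
    ]
    for name, peer, xff, trust in cases:
        print(f"{name:22} -> {resolve_client_ip(peer, xff, trust)}")
```

The fourth case is why set_real_ip_from should list only the proxy that actually writes the header: behind a TCP load balancer nothing sanitizes X-Forwarded-For, so a broad trusted range lets the header, not the connection, decide the rate-limit key.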


