Antoine Dussarps

Reputation: 496

APISIX real ip behind an OVH LoadBalancer (Kubernetes)

I'm currently working on configuring my API Gateway, specifically Apisix in an OVH managed cluster, which I've deployed via Helm, to ensure that it forwards the real client IP addresses instead of the IP of the load balancer.

I found a tutorial for achieving this with a random Nginx controller here. However, I'm unsure about how to implement the same functionality with Apisix.

I noticed there's a real-ip plugin available for Apisix. Would configuring the annotation along with this plugin be sufficient for achieving the desired behavior? If not, what additional steps or configurations would be necessary to ensure Apisix forwards the real client IP addresses?

Thank you for any assistance or guidance provided.

Upvotes: 0

Views: 465

Answers (2)

Kamelj

Reputation: 156

Thank you. Troubleshooting why it was not working took too long. I always got the internal pods' IPs only!

Finally, after I changed the config in the Apisix Service, it worked:

externalTrafficPolicy: Local

Upvotes: 1

Antoine Dussarps

Reputation: 496

After meddling around a bit, here is the way to achieve a real-ip setup with apisix on Kubernetes in an OVH cluster.

  1. Begin by adding the OVH annotation to the load balancer (apisix-gateway) in your Kubernetes cluster:
metadata:
  annotations:
    service.beta.kubernetes.io/ovh-loadbalancer-proxy-protocol: "v2"
spec:
  externalTrafficPolicy: Local

With this annotation, all traffic routed to your Apisix gateway will be wrapped by the proxy protocol.

  2. Next, configure Apisix to handle the proxy protocol. By default, HTTP traffic is directed to port 9080 and HTTPS to port 9443. If you deployed Apisix using the provided Helm chart, you can adjust these settings in the configmap object named "apisix":
apisix:
  node_listen:
    - 9081
  proxy_protocol:
    listen_http_port: 9080
    listen_https_port: 9443
    enable_tcp_pp: true
    enable_tcp_pp_to_upstream: true
  ssl:
    enable: true
    listen:
      - port: 9444

  3. Lastly, set the real-ip plugin globally to use the NGINX variable from the proxy protocol as the real IP:
{"source":"proxy_protocol_addr","_meta":{"disable":false}}

By following these steps, you'll be able to capture the real IP behind the OVH Kubernetes load balancer effectively.

Upvotes: 2
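
To show what the `v2` annotation makes the load balancer prepend to each connection, and where the client address exposed as `proxy_protocol_addr` comes from, here is a minimal PROXY protocol v2 header parser (an added example, not part of the answers above or of APISIX's code). The addresses, ports and request are constructed sample values, and `parse_proxy_v2` and `build_sample_v2` are hypothetical helper names.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 signature


def parse_proxy_v2(data: bytes):
    """Split a buffer into (client info, remaining payload).

    Info is None for a LOCAL command (the proxy's own health check).
    Raises ValueError if the buffer does not begin with a valid v2 header.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("not protocol version 2")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    body, payload = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == 0:  # LOCAL: no client address to report
        return None, payload
    if ver_cmd & 0x0F != 1:
        raise ValueError("unknown command")
    size = {1: 4, 2: 16}.get(fam_proto >> 4)  # AF_INET / AF_INET6
    if size is None or length < 2 * size + 4:
        raise ValueError("unsupported or short address block")
    src = ipaddress.ip_address(body[:size])
    dst = ipaddress.ip_address(body[size:2 * size])
    sport, dport = struct.unpack("!HH", body[2 * size:2 * size + 4])
    info = {"src": str(src), "src_port": sport, "dst": str(dst), "dst_port": dport}
    return info, payload  # any TLVs after the addresses are ignored


def build_sample_v2(src, sport, dst, dport):
    """Constructed IPv4/TCP header for the demo (0x21 = v2 PROXY, 0x11 = INET/STREAM)."""
    body = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    body += struct.pack("!HH", sport, dport)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed sample

if __name__ == "__main__":
    wrapped = build_sample_v2("203.0.113.7", 51234, "10.2.0.15", 9080) + REQUEST
    print(parse_proxy_v2(wrapped)[0])  # client address seen by the gateway
    try:
        parse_proxy_v2(REQUEST)  # plain HTTP sent to a proxy-protocol port
    except ValueError as exc:
        print("rejected:", exc)
```

The header is accepted as sent, so the proxy-protocol ports (9080 and 9443 in this setup) should be reachable only from the load balancer; a client that can connect to them directly can claim any source address.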
