Skip to main content

Use PROXY protocol in a Managed Kubernetes cluster for Traefik Ingress Controller

You can configure the use of the PROXY protocol in an existing load balancer.

If you connect to a pod through a load balancer with a TCP → PROXY rule, the pod logs will show the real IP address of the client, not the load balancer's address.

  1. Ensure that the Managed Kubernetes cluster version is 1.21.10 or higher:

    kubectl version

    You can upgrade the cluster version.

  2. Connect to the cluster.

  3. Retrieve the Traefik Ingress Controller values and save them to a values.yaml file:

    helm inspect values traefik/traefik > values.yaml
  4. Make changes to the values.yaml file:

    4.1. In the annotations block, add loadbalancer.openstack.org/proxy-protocol: "true".

    4.2. Optional: to allow connection without a TLS certificate, add insecure: true to the proxyProtocol block.

    4.3. Save your changes.

  5. Update Traefik Ingress Controller:

    helm upgrade traefik traefik/traefik --values values.yaml
  6. Create a test echo server Deployment object. For example:

    cat <<EOF | kubectl apply -f -
    apiVersion: apps/v1
    kind: Deployment
    metadata:
    name: echoserver
    namespace: default
    labels:
    app: echoserver
    spec:
    replicas: 1
    selector:
    matchLabels:
    app: echoserver
    template:
    metadata:
    labels:
    app: echoserver
    spec:
    containers:
    - name: echoserver
    image: gcr.io/google-containers/echoserver:1.10
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 8080
    EOF
  7. Create a ClusterIP Service object for the echo server:

    kubectl expose deployment echoserver --type=ClusterIP --target-port=8080
  8. Create an Ingress object for the echo server. For example:

    cat <<EOF | kubectl apply -f -
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
    name: test-proxy-protocol
    namespace: default
    annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
    spec:
    ingressClassName: "traefik"
    rules:
    - host: test.com
    http:
    paths:
    - path: /ping
    pathType: Exact
    backend:
    service:
    name: echoserver
    port:
    number: 8080
    EOF
  9. Check the Ingress object:

    kubectl get ing

    Information about the Ingress object will appear in the response. The IP address may not appear immediately. For example:

    NAME CLASS HOSTS ADDRESS PORTS AGE
    test-proxy-protocol traefik test.com 123.123.123.123 80 5s

    Copy the IP address of the Ingress object.

  10. Check the connection:

    ip=<ip_address>
    curl -sH 'Host: test.com' http://$ip/ping | sed '/^\s*$/d'

    Specify <ip_address> — the IP address of the Ingress object that you copied in step 9. If you are using Managed Kubernetes cluster version 1.31 or lower, add the nip.io suffix to the address, for example 123.123.123.123.nip.io.

    Connection information will appear in the response. For example:

    Hostname: echoserver-78d689cddd-5bmnk
    Pod Information:
    -no pod information available-
    Server values:
    server_version=nginx: 1.13.3 - lua: 10008
    Request Information:
    client_address=10.10.246.7
    method=GET
    real path=/ping
    query=
    request_version=1.1
    request_scheme=http
    request_uri=http://test.com:8080/ping
    Request Headers:
    accept=*/*
    accept-encoding=gzip
    host=test.com
    user-agent=curl/8.7.1
    x-forwarded-for=<xxx>
    x-forwarded-host=test.com
    x-forwarded-port=80
    x-forwarded-proto=http
    x-forwarded-server=traefik-54dc77dc47-zd8px
    x-real-ip=<xxx>
    Request Body:
    -no body in request-