
Using PROXY protocol in Managed Kubernetes cluster

For your information

The PROXY protocol works correctly only with Managed Kubernetes clusters of version 1.21.10 or higher. You can upgrade the cluster version.

For your information

This is a guide for configuring access via the Nginx Ingress Controller.

  1. Download the ingresscontroller.yaml manifest.

  2. Make changes to the manifest fields that are marked with the [EDIT]: tag:

    • enable PROXY protocol:

        config:
          use-proxy-protocol: true

    • create a Service with the following parameters:

        type: LoadBalancer
        externalTrafficPolicy: Cluster
        annotations:
          loadbalancer.openstack.org/proxy-protocol: "true"

    Do not change the value of the externalTrafficPolicy parameter.

  3. Install the Helm package manager.

  4. Optional: add the ingress-nginx repository to Helm and update it:

    helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
    helm repo update

  5. Create an Ingress Controller using the manifest from step 1:

    helm install ingress-nginx/ingress-nginx --values ingresscontroller.yaml --generate-name

  6. Check that the Ingress Controller is installed:

    kubectl get svc

    The command output should contain an external IP address with the nip.io suffix:

    NAME                    TYPE           CLUSTER-IP       EXTERNAL-IP              PORT(S)                      AGE
    ingress-nginx-ingress   LoadBalancer   10.100.100.100   123.123.123.123.nip.io   80:31039/TCP,443:31667/TCP   103s

  7. Create a test deployment of the echo server:

    cat <<EOF | kubectl apply -f -
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: echoserver
      namespace: default
      labels:
        app: echoserver
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: echoserver
      template:
        metadata:
          labels:
            app: echoserver
        spec:
          containers:
          - name: echoserver
            image: gcr.io/google-containers/echoserver:1.10
            imagePullPolicy: IfNotPresent
            ports:
            - containerPort: 8080
    EOF

  8. Create a Service for the echo server:

    kubectl expose deployment echoserver --type=ClusterIP --target-port=8080

  9. Create an Ingress rule for the echo server Service:

    cat <<EOF | kubectl apply -f -
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: test-proxy-protocol
      namespace: default
    spec:
      ingressClassName: "nginx"
      rules:
      - host: test.com
        http:
          paths:
          - path: /ping
            pathType: Exact
            backend:
              service:
                name: echoserver
                port:
                  number: 8080
    EOF

  10. Check the Ingress:

    kubectl get ing

    Command output (the IP address may take some time to appear):

    NAME                  HOSTS      ADDRESS                  PORTS   AGE
    test-proxy-protocol   test.com   123.123.123.123.nip.io   80      2s

  11. Check the connection:

    ip=123.123.123.123.nip.io
    curl -sH 'Host: test.com' http://$ip/ping | sed '/^\s*$/d'

    Command output:

    Hostname: echoserver-5c79dc5747-txwnz
    Pod Information:
    -no pod information available-
    Server values:
    server_version=nginx: 1.13.3 - lua: 10008
    Request Information:
    client_address=10.10.10.31
    method=GET
    real path=/ping
    query=
    request_version=1.1
    request_scheme=http
    request_uri=http://test.com:8080/ping
    Request Headers:
    accept=*/*
    connection=close
    host=test.com
    user-agent=curl/7.74.0
    x-forwarded-for=<xxx>
    x-forwarded-host=test.com
    x-forwarded-port=80
    x-forwarded-proto=http
    x-real-ip=<xxx>
    Request Body:
    -no body in request-
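
A scripted version of the check in step 11, as an added example that is not part of the original guide: it extracts `x-real-ip` from the echo server reply and compares it with the address the client expects to be seen as. The function names, the sample replies and the address 203.0.113.7 are constructed for illustration; the failing sample assumes that without a working PROXY header the Ingress Controller reports an internal address.

```shell
#!/bin/sh
# Added example: validate the echo server reply from step 11.

# header_value NAME: print the value of the first "NAME=value" line on stdin.
header_value() {
    sed -n "s/^[[:space:]]*$1=//p" | head -n 1
}

# is_rfc1918 ADDR: succeed when ADDR is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# check_proxy_protocol REPLY EXPECTED_IP
# Returns 0 when x-real-ip equals EXPECTED_IP, 1 on mismatch, 2 when absent.
check_proxy_protocol() {
    reply=$1
    expected=$2
    real_ip=$(printf '%s\n' "$reply" | header_value 'x-real-ip')
    if [ -z "$real_ip" ]; then
        echo "FAIL: reply has no x-real-ip line"
        return 2
    fi
    if [ "$real_ip" = "$expected" ]; then
        echo "OK: x-real-ip=$real_ip matches the client address"
        return 0
    fi
    if is_rfc1918 "$real_ip"; then
        echo "FAIL: x-real-ip=$real_ip is a private address, client address was lost"
    else
        echo "FAIL: x-real-ip=$real_ip, expected $expected"
    fi
    return 1
}

# Constructed samples: 203.0.113.7 stands in for the client's public address.
GOOD_REPLY='client_address=10.10.10.31
x-forwarded-for=203.0.113.7
x-real-ip=203.0.113.7'
BAD_REPLY='client_address=10.10.10.31
x-forwarded-for=10.10.10.5
x-real-ip=10.10.10.5'

check_proxy_protocol "$GOOD_REPLY" 203.0.113.7
check_proxy_protocol "$BAD_REPLY" 203.0.113.7 || true
```

Against a live cluster, pass the output of the `curl` command from step 11 as the first argument and the address your client connects from as the second.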