
How to get real ip client with x-forwarded-for header #12702

Closed
Vinaum8 opened this issue Jan 14, 2025 · 8 comments
Labels
needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

Vinaum8 commented Jan 14, 2025

Hello NGINX Ingress Controller Team,
I’m encountering an issue with the $remote_addr variable and would like some guidance on how to solve it.
Here is my current ConfigMap configuration:

use-forwarded-headers: "true"
real-ip-header: "X-Forwarded-For"
enable-real-ip: "true"
compute-full-forwarded-for: "false"
use-proxy-protocol: "true"
forwarded-for-header: "X-Forwarded-For"

My log format is as follows:

"remote_addr": "$remote_addr",
"x_forwarded_for": "$proxy_add_x_forwarded_for",

However, in my actual logs, I’m seeing these values:

"remote_addr": "XXXX:XXXX:XX:1300:4297:6db2:66f0:XXXX",
"x_forwarded_for": "187.72.XX.XXX, XXXX:XXXX:XX:1300:4297:6db2:66f0:XXXX"

The issue is that $remote_addr is taking the last value from the X-Forwarded-For header, but the real client IP is the first value in that header.
What would be the correct configuration or approach to ensure that $remote_addr captures the first IP in the X-Forwarded-For header instead of the last one?

I would like to use the $remote_addr variable with the annotation nginx.ingress.kubernetes.io/whitelist-source-range and stop using snippets.
Any help or guidance would be greatly appreciated!
Thank you!

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jan 14, 2025
@k8s-ci-robot (Contributor)

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority labels Jan 14, 2025
Vinaum8 commented Jan 14, 2025

Helm chart version:
repoURL: https://kubernetes.github.io/ingress-nginx
version: 4.12.0
Controller version: Image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
Cloud: AWS
Load balancer: NLB

@alphabet5
You can trust proxies using proxy-real-ip-cidr.

For example, I list rfc1918 space (internal proxies) as well as cloudflare ranges to trust.

Instead of X-Forwarded-For I use CF-Connecting-IP, for separate reasons, but here's an example config.

spec:
  values:
    controller:
      config:
        proxy-real-ip-cidr: "10.0.0.0/8,173.245.48.0/20,..."
        use-forwarded-headers: "true"
        enable-real-ip: "true"
        forwarded-for-header: "CF-Connecting-IP"
...

ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#proxy-real-ip-cidr
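What proxy-real-ip-cidr changes is which hops nginx is allowed to skip when it walks the forwarded header. The script below is an added example written for this page; it is not nginx source or ingress-nginx code, but a small emulation of how ngx_http_realip_module picks $remote_addr with real_ip_recursive on (the controller's template enables that together with use-forwarded-headers). Every address is constructed from documentation ranges (203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32), and the chain client -> IPv6 edge proxy -> internal proxy -> ingress is an assumed topology, not the reporter's. It reproduces the symptom from the issue (the last forwarded value becomes $remote_addr when that hop is not in the trusted list), shows the effect of adding the proxy range, and shows why a wide-open trust list such as 0.0.0.0/0 lets a direct client forge the address that whitelist-source-range is evaluated against.

```python
import ipaddress
from typing import Dict, Iterable, Mapping


def in_any_cidr(addr: str, cidrs: Iterable[str]) -> bool:
    """True if addr lies inside any CIDR of the same IP version.

    An IPv6 address never matches an IPv4 CIDR, which is why a list such
    as "10.0.0.0/8" alone does not cover an IPv6 proxy hop.
    """
    ip = ipaddress.ip_address(addr)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def resolve_client_ip(conn_addr: str, headers: Mapping[str, str], header: str,
                      trusted_cidrs: Iterable[str], recursive: bool = True) -> str:
    """Emulate (not copy) ngx_http_realip_module's choice of $remote_addr.

    conn_addr     address of the TCP peer as nginx sees it (with PROXY protocol,
                  the address the load balancer reported). If it is not inside a
                  trusted CIDR (set_real_ip_from), the header is ignored entirely.
    header        real_ip_header: X-Forwarded-For or a single-value header
                  such as CF-Connecting-IP.
    recursive     real_ip_recursive on: walk the comma list from the right and
                  skip every trusted address; the first untrusted one is the
                  client. Off: take the last value unconditionally.
    """
    if not in_any_cidr(conn_addr, trusted_cidrs):
        return conn_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(header.lower())
    if not raw:
        return conn_addr
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    if not hops:
        return conn_addr
    if not recursive:
        return hops[-1]
    for hop in reversed(hops):
        if not in_any_cidr(hop, trusted_cidrs):
            return hop
    # Every listed hop was trusted: nginx ends at the left-most address.
    return hops[0]


def whitelist_allows(client_ip: str, allowed_cidrs: Iterable[str]) -> bool:
    """Model of nginx.ingress.kubernetes.io/whitelist-source-range: an allow/deny
    check applied to whatever $remote_addr resolved to."""
    return in_any_cidr(client_ip, allowed_cidrs)


# Constructed request (assumed topology): client 203.0.113.7 -> IPv6 edge proxy
# 2001:db8::1 (appends the client to X-Forwarded-For and sets CF-Connecting-IP)
# -> internal proxy 10.0.1.5 (appends the edge) -> ingress.
REQ_PEER = "10.0.1.5"
REQ_HEADERS = {
    "X-Forwarded-For": "203.0.113.7, 2001:db8::1",
    "CF-Connecting-IP": "203.0.113.7",
}
# Constructed direct request from an untrusted client that forges the header.
SPOOF_PEER = "198.51.100.9"
SPOOF_HEADERS = {"X-Forwarded-For": "10.0.0.1"}


def scenarios() -> Dict[str, str]:
    """Return $remote_addr for each trust configuration of interest."""
    out: Dict[str, str] = {}
    # 1. Only the internal proxy range is trusted; the IPv6 edge is not, so the
    #    walk stops at it: $remote_addr is the LAST forwarded value (the symptom).
    out["internal_only"] = resolve_client_ip(
        REQ_PEER, REQ_HEADERS, "X-Forwarded-For", ["10.0.0.0/8"])
    # 2. Edge range added to proxy-real-ip-cidr: the walk skips it and lands on
    #    the real client.
    out["edge_trusted"] = resolve_client_ip(
        REQ_PEER, REQ_HEADERS, "X-Forwarded-For", ["10.0.0.0/8", "2001:db8::/32"])
    # 3. Single-value header set by the edge: no walk, but the peer must still be trusted.
    out["cf_header"] = resolve_client_ip(
        REQ_PEER, REQ_HEADERS, "CF-Connecting-IP", ["10.0.0.0/8"])
    # 4. Forged header from an untrusted peer: ignored with a tight trust list.
    out["spoof_tight"] = resolve_client_ip(
        SPOOF_PEER, SPOOF_HEADERS, "X-Forwarded-For", ["10.0.0.0/8"])
    # 5. Same forgery with 0.0.0.0/0 trusted: the forged value is believed.
    out["spoof_open"] = resolve_client_ip(
        SPOOF_PEER, SPOOF_HEADERS, "X-Forwarded-For", ["0.0.0.0/0"])
    return out


if __name__ == "__main__":
    for name, ip in scenarios().items():
        allowed = whitelist_allows(ip, ["10.0.0.0/8"])
        print(f"{name:14s} remote_addr={ip:14s} whitelist(10.0.0.0/8)={allowed}")
```

Scenario 1 is the shape of the reporter's log line: the controller believes the peer, reads the header, but stops at the first hop it was not told to trust. Scenario 5 is the reason the trust list should stay as narrow as the real proxy chain: with every address trusted, whitelist-source-range is evaluated against a value the client chose.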

Vinaum8 commented Jan 14, 2025

> You can trust proxies using proxy-real-ip-cidr.
>
> For example, I list rfc1918 space (internal proxies) as well as cloudflare ranges to trust.
>
> Instead of X-Forwarded-For I use CF-Connecting-IP, for separate reasons, but here's an example config.
>
> spec:
>   values:
>     controller:
>       config:
>         proxy-real-ip-cidr: "10.0.0.0/8,173.245.48.0/20,..."
>         use-forwarded-headers: "true"
>         enable-real-ip: "true"
>         forwarded-for-header: "CF-Connecting-IP"
> ...
>
> ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#proxy-real-ip-cidr

I GOT IT!!!
After commenting on this link, everything worked.
I needed to allow my proxy addresses to edit the header.

Thanks my brother!! @alphabet5

Vinaum8 commented Jan 14, 2025

Anyway, I needed to set:

server-snippet: |
  real_ip_header CF-Connecting-IP;

with allow-snippet-annotations: 'true'. If I remove this, the Cloudflare addresses appear again in the $remote_addr result.

@alphabet5
forwarded-for-header: "CF-Connecting-IP" should do the same thing: it sets real_ip_header in the resulting nginx.conf.

This is the nginx.conf in a controller with the above set in the helm chart ^

:/etc/nginx$ cat nginx.conf | grep real_ip_header
	real_ip_header      CF-Connecting-IP;

Vinaum8 commented Jan 15, 2025

> forwarded-for-header: "CF-Connecting-IP" should do the same thing - setting real_ip_header in the resulting nginx.conf
>
> This is the nginx.conf in a controller with the above set in the helm chart ^
>
> :/etc/nginx$ cat nginx.conf | grep real_ip_header
> 	real_ip_header      CF-Connecting-IP;

I will test it, thank you very much.

Vinaum8 commented Jan 15, 2025

It worked here.
I was able to completely disable the use of snippets in nginx ingress and validate with the whitelist.
Avoiding the risks: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations-risk/

Thank you very much for your help.


@Vinaum8 Vinaum8 closed this as completed Jan 15, 2025