Configuring ProxyProtocol for Nginx Ingress on AWS

This post will quickly show you how to enable ProxyProtocol for your Nginx Ingress Controller on AWS.

Assumptions

All you need to do is add a few configuration properties to the controller and a few annotations to its service. These can be toggled on or off even after the LoadBalancer has been created.

Warning

Some applications don’t work well with ProxyProtocol. Be careful.

Steps

In values.yaml, set these:

controller:
  config:
    # use-forwarded-headers: "true"
    # compute-full-forwarded-for: "true"
    # be wary of k8s bug affecting cert-manager with ProxyProtocol
    # https://github.com/jetstack/cert-manager/issues/466
    use-proxy-protocol: "true"

  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"

These config properties are automatically injected into ConfigMap NAME_OF_CHART-nginx-ingress-controller in your controller’s namespace.

After deploying these changes, downstream applications will see the clients' source IPs.
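
What the controller receives at the start of each connection once both settings are on, as an added example (not code from the original post): a parser for the PROXY protocol version 1 text header, assuming the load balancer sends the v1 format; the addresses in the sample are constructed. It rejects a stream that lacks the header, and a listener that does not expect the header would read that line as the start of the request, which is why the controller setting and the service annotation have to be switched together.

```python
import ipaddress

# PROXY protocol v1: one ASCII line, at most 107 bytes including CRLF,
# sent by the load balancer before any application data.
MAX_V1_HEADER = 107

# Constructed sample: bytes a backend sees on a new connection.
SAMPLE = (b"PROXY TCP4 198.51.100.22 10.0.1.5 35646 80\r\n"
          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")


def parse_proxy_v1(data: bytes):
    """Return ((src_ip, src_port, dst_ip, dst_port) or None, remaining bytes).

    Raises ValueError when the stream does not start with a valid v1 header.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no PROXY v1 header at start of stream")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    proto = fields[1]
    if proto == "UNKNOWN":
        # Sender could not determine the addresses; ignore the rest of the line.
        return None, rest
    if proto not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    version = 4 if proto == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match protocol field")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src), sport, str(dst), dport), rest


if __name__ == "__main__":
    endpoints, payload = parse_proxy_v1(SAMPLE)
    print("client:", endpoints[0], "first request line:", payload.split(b"\r\n")[0])
```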


