Configuring ProxyProtocol for Nginx Ingress on AWS
This post will quickly show you how to enable ProxyProtocol
for your Nginx Ingress Controller on AWS.
Assumptions
- You’re using the nginx-ingress Helm Chart and are familiar with deploying to Kubernetes with Helm.
- Your service type for Nginx is a CLB (ClassicLoadBalancer - which is the default). As of Kubernetes 1.14, official docs still consider Network Load Balancers to be in Alpha.
All you need to do is add some configuration properties and a few annotations to your service. These can be toggled on/off even after a LoadBalancer has been created.
Warning
Some applications don’t work well with ProxyProtocol. Be careful.
Steps
In values.yaml, set these:

    controller:
      config:
        # use-forwarded-headers: "true"
        # compute-full-forwarded-for: "true"
        # be wary of k8s bug affecting cert-manager with ProxyProtocol
        # https://github.com/jetstack/cert-manager/issues/466
        use-proxy-protocol: "true"
      service:
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
          service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"

These config properties are automatically injected into ConfigMap
NAME_OF_CHART-nginx-ingress-controller in your controller’s namespace.
After deploying these changes, downstream applications will see source IPs.
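
What these settings change on the wire, as an added example that is not part of the original post: with ProxyProtocol enabled, the Classic Load Balancer prepends a PROXY protocol v1 text line to every TCP connection, and the backend must strip and validate it before the application data. This is also why an application that does not expect the line fails on the first bytes it reads. The function name, field names and sample bytes are assumptions made for this example.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 header line the PROXY protocol spec allows, CRLF included


def parse_proxy_v1(data: bytes):
    """Split a PROXY protocol v1 header off the front of a TCP stream.

    Returns (info, rest). info is a dict of addresses and ports, or None for
    "PROXY UNKNOWN"; rest is the application payload that follows the header.
    Raises ValueError when the stream does not begin with a valid v1 header.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("stream does not start with a PROXY v1 header")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("header not terminated by CRLF within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")  # non-ASCII raises ValueError
    rest = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None, rest  # the proxy could not determine the addresses
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    family = 4 if fields[1] == "TCP4" else 6
    addrs = [ipaddress.ip_address(a) for a in fields[2:4]]  # ValueError if invalid
    if any(a.version != family for a in addrs):
        raise ValueError("address family does not match " + fields[1])
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:6]):
        raise ValueError("port is not a number in 0-65535")
    return {
        "client_ip": str(addrs[0]), "client_port": int(fields[4]),
        "dst_ip": str(addrs[1]), "dst_port": int(fields[5]),
    }, rest


# Constructed sample: the bytes a backend receives once the header is prepended.
SAMPLE = (b"PROXY TCP4 198.51.100.22 10.0.1.15 35646 80\r\n"
          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")

if __name__ == "__main__":
    info, rest = parse_proxy_v1(SAMPLE)
    print(info)                        # client address as reported by the load balancer
    print(rest.split(b"\r\n", 1)[0])   # first line of the real HTTP request
```

A stream that starts with `GET / HTTP/1.1` instead of `PROXY ` is rejected, which is the mismatch you get when only one of `use-proxy-protocol` and the load balancer annotation is set.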