istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.11/blog/2020/show-source-ip/index.html

275 lines
32 KiB
HTML
Raw Permalink Blame History

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Proxy protocol on AWS NLB and Istio ingress gateway"><meta name=description content="How to enable proxy protocol on AWS NLB and Istio ingress gateway."><meta name=author content="Xinhui Li (Salesforce)"><meta name=keywords content="microservices,services,mesh,trafficManagement,protocol extending"><meta property="og:title" content="Proxy protocol on AWS NLB and Istio ingress gateway"><meta property="og:type" content="website"><meta property="og:description" content="How to enable proxy protocol on AWS NLB and Istio ingress gateway."><meta property="og:url" content="/v1.11/blog/2020/show-source-ip/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1024"><meta property="og:image:height" content="1024"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.11 / Proxy protocol on AWS NLB and Istio ingress gateway</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.11/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.11/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.11/feed.xml><link rel="shortcut icon" href=/v1.11/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.11/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.11/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.11/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.11/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.11/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.11/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.11/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.11/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.11/favicons/android-192x192.png sizes=192x192><link rel=mask-icon href=/v1.11/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.11/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.11/css/all.css><link rel=preconnect href=https://fonts.gstatic.com><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.11/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.11";const docTitle="Proxy protocol on AWS NLB and Istio ingress gateway";const iconFile="\/v1.11/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.11/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.11/><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371 7.869 7.869.0 013.066-4.178 9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.11/img/icons.svg#menu-hamburger"/></svg></button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.11/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.11/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.11/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.11/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.11/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.11/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.11/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.11/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.11/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.11/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.11/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.11/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.11/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.11/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label="Search this site" placeholder=Search>
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon menu-close"><use xlink:href="/v1.11/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container><a href=/v1.11/docs/releases/supported-releases#support-status-of-istio-releases class=banner data-title="Kubernetes 1.22 Release statement-2021-08-04 00:00:00 +0000 UTC" data-period-start=1628035200000 data-period-end=1643587200000 data-max-impressions=8 data-timeout=120><div class=content><p>Kubernetes 1.22 will only work with Istio 1.10 and above. Click here for the supported version table.</p></div><div class=frame></div></a></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Proxy protocol on AWS NLB and Istio ingress gateway</h1><p>How to enable proxy protocol on AWS NLB and Istio ingress gateway.</p></div><p class=post-author>Dec 11, 2020 <span>|</span> By Xinhui Li - Salesforce</p><div><p>This blog presents my latest experience about how to configure and enable proxy protocol with stack of AWS NLB and Istio Ingress gateway. The <a href=https://www.haproxy.com/blog/haproxy/proxy-protocol/>Proxy Protocol</a> was designed to chain proxies and reverse-proxies without losing the client information. The proxy protocol prevents the need for infrastructure changes or <code>NATing</code> firewalls, and offers the benefits of being protocol agnostic and providing good scalability. Additionally, we also enable the <code>X-Forwarded-For</code> HTTP header in the deployment to make the client IP address easy to read. In this blog, traffic management of Istio ingress is shown with an httpbin service on ports 80 and 443 to demonstrate the use of proxy protocol. Note that both v1 and v2 of the proxy protocol work for the purpose of this example, but because the AWS NLB currently only supports v2, proxy protocol v2 is used in the rest of this blog by default. The following image shows the use of proxy protocol v2 with an AWS NLB.</p><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.11/img/icons.svg#callout-tip"/></svg></div><div class=content><p>A receiver may be configured to support both version 1 and version 2 of the
protocol. Identifying the protocol version is easy:</p><ul><li><p>If the incoming byte count is 16 or more and the first 13 bytes match the protocol signature block <code>\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x02</code>, the protocol is version 2.</p></li><li><p>Otherwise, if the incoming byte count is 8 or more, and the 5 first characters match the <code>US-ASCII</code> representation of &ldquo;PROXY&rdquo;(<code>\x50\x52\x4F\x58\x59</code>), then the protocol must be parsed as version 1.</p></li><li><p>Otherwise the protocol is not covered by this specification and the connection must be dropped.</p></li></ul></div></aside></div><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:80.81149619611158%><a data-skipendnotes=true href=/v1.11/blog/2020/show-source-ip/aws-proxy-protocol.png title="AWS NLB portal to enable proxy protocol"><img class=element-to-stretch src=/v1.11/blog/2020/show-source-ip/aws-proxy-protocol.png alt="AWS NLB portal to enable proxy protocol"></a></div><figcaption>AWS NLB portal to enable proxy protocol</figcaption></figure><h2 id=separate-setups-for-80-and-443>Separate setups for 80 and 443</h2><p>Before going through the following steps, an AWS environment that is configured with the proper VPC, IAM, and Kubernetes setup is assumed.</p><h3 id=step-1-install-istio-with-aws-nlb>Step 1: Install Istio with AWS NLB</h3><p>The blog <a href=/v1.11/blog/2018/aws-nlb/>Configuring Istio Ingress with AWS NLB</a> provides detailed steps to set up AWS IAM roles and enable the usage of AWS NLB by Helm. You can also use other automation tools, such as Terraform, to achieve the same goal. In the following example, more complete configurations are shown in order to enable proxy protocol and <code>X-Forwarded-For</code> at the same time.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: &#34;*&#34;
service.beta.kubernetes.io/aws-load-balancer-type: &#34;nlb&#34;
proxy.istio.io/config: &#39;{&#34;gatewayTopology&#34; : { &#34;numTrustedProxies&#34;: 2 } }&#39;
labels:
app: istio-ingressgateway
istio: ingressgateway
release: istio
name: istio-ingressgateway
</code></pre><h3 id=step-2-create-proxy-protocol-envoy-filter>Step 2: Create proxy-protocol Envoy Filter</h3><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: proxy-protocol
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
listener_filters:
- name: envoy.filters.listener.proxy_protocol
- name: envoy.filters.listener.tls_inspector
</code></pre><h3 id=step-3-enable-x-forwarded-for-header>Step 3: Enable <code>X-Forwarded-For</code> header</h3><p>This <a href=/v1.11/docs/ops/configuration/traffic-management/network-topologies/>blog</a> includes several samples of configuring Gateway Network Topology. In the following example, the configurations are tuned to enable <code>X-Forwarded-For</code> without any middle proxy.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ingressgateway-settings
namespace: istio-system
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
listener:
filterChain:
filter:
name: envoy.http_connection_manager
patch:
operation: MERGE
value:
name: envoy.http_connection_manager
typed_config:
&#34;@type&#34;: type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
skip_xff_append: false
use_remote_address: true
xff_num_trusted_hops: 1
</code></pre><h3 id=step-4-deploy-ingress-gateway-for-httpbin-on-port-80-and-443>Step 4: Deploy ingress gateway for httpbin on port 80 and 443</h3><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.11/img/icons.svg#callout-warning"/></svg></div><div class=content>When following the <a href=/v1.11/docs/tasks/traffic-management/ingress/secure-ingress/>secure ingress setup</a>, macOS users must add an additional patch to generate certificates for TLS.</div></aside></div><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: httpbin-gateway
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- &#34;a25fa0b4835b.elb.us-west-2.amazonaws.com&#34;
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: httpbin
spec:
hosts:
- &#34;a25fa0b4835b.elb.us-west-2.amazonaws.com&#34;
gateways:
- httpbin-gateway
http:
- match:
- uri:
prefix: /headers
route:
- destination:
port:
number: 8000
host: httpbin
</code></pre><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: mygateway2
spec:
selector:
istio: ingressgateway # use istio default ingress gateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: httpbin-credential # must be the same as secret
hosts:
- &#34;a25fa0b4835b.elb.us-west-2.amazonaws.com&#34;
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: httpbin
spec:
hosts:
- &#34;a25fa0b4835b.elb.us-west-2.amazonaws.com&#34;
gateways:
- mygateway2
http:
- match:
- uri:
prefix: /headers
route:
- destination:
port:
number: 8000
host: httpbin
</code></pre><h3 id=step-5-check-header-output-of-httpbin>Step 5: Check header output of httpbin</h3><p>Check port 443 (80 will be similar) and compare the cases with and without proxy protocol.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>//////with proxy_protocal enabled in the stack
* Trying YY.XXX.141.26...
* TCP_NODELAY set
* Connection failed
* connect to YY.XXX.141.26 port 443 failed: Operation timed out
* Trying YY.XXX.205.117...
* TCP_NODELAY set
* Connected to a25fa0b4835b.elb.us-west-2.amazonaws.com (XX.YYY.205.117) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: new_certificates/example.com.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=a25fa0b4835b.elb.us-west-2.amazonaws.com; O=httpbin organization
* start date: Oct 29 20:39:12 2020 GMT
* expire date: Oct 29 20:39:12 2021 GMT
* common name: a25fa0b4835b.elb.us-west-2.amazonaws.com (matched)
* issuer: O=example Inc.; CN=example.com
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fc6c8810800)
&gt; GET /headers?show_env=1 HTTP/2
&gt; Host: a25fa0b4835b.elb.us-west-2.amazonaws.com
&gt; User-Agent: curl/7.64.1
&gt; Accept: */*
&gt;
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
&lt; HTTP/2 200
&lt; server: istio-envoy
&lt; date: Thu, 29 Oct 2020 21:39:46 GMT
&lt; content-type: application/json
&lt; content-length: 629
&lt; access-control-allow-origin: *
&lt; access-control-allow-credentials: true
&lt; x-envoy-upstream-service-time: 2
&lt;
{
&#34;headers&#34;: {
&#34;Accept&#34;: &#34;*/*&#34;,
&#34;Content-Length&#34;: &#34;0&#34;,
&#34;Host&#34;: &#34;a25fa0b4835b.elb.us-west-2.amazonaws.com&#34;,
&#34;User-Agent&#34;: &#34;curl/7.64.1&#34;,
&#34;X-B3-Sampled&#34;: &#34;0&#34;,
&#34;X-B3-Spanid&#34;: &#34;74f99a1c6fc29975&#34;,
&#34;X-B3-Traceid&#34;: &#34;85db86fe6aa322a074f99a1c6fc29975&#34;,
&#34;X-Envoy-Attempt-Count&#34;: &#34;1&#34;,
&#34;X-Envoy-Decorator-Operation&#34;: &#34;httpbin.default.svc.cluster.local:8000/headers*&#34;,
&#34;X-Envoy-External-Address&#34;: &#34;XX.110.54.41&#34;,
&#34;X-Forwarded-For&#34;: &#34;XX.110.54.41&#34;,
&#34;X-Forwarded-Proto&#34;: &#34;https&#34;,
&#34;X-Request-Id&#34;: &#34;5c3bc236-0c49-4401-b2fd-2dbfbce506fc&#34;
}
}
* Connection #0 to host a25fa0b4835b.elb.us-west-2.amazonaws.com left intact
* Closing connection 0
</code></pre><pre><code class=language-yaml data-expandlinks=true data-repo=istio>//////////without proxy_protocal
* Trying YY.XXX.141.26...
* TCP_NODELAY set
* Connection failed
* connect to YY.XXX.141.26 port 443 failed: Operation timed out
* Trying YY.XXX.205.117...
* TCP_NODELAY set
* Connected to a25fa0b4835b.elb.us-west-2.amazonaws.com (YY.XXX.205.117) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: new_certificates/example.com.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=a25fa0b4835b.elb.us-west-2.amazonaws.com; O=httpbin organization
* start date: Oct 29 20:39:12 2020 GMT
* expire date: Oct 29 20:39:12 2021 GMT
* common name: a25fa0b4835b.elb.us-west-2.amazonaws.com (matched)
* issuer: O=example Inc.; CN=example.com
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fbf8c808200)
&gt; GET /headers?show_env=1 HTTP/2
&gt; Host: a25fa0b4835b.elb.us-west-2.amazonaws.com
&gt; User-Agent: curl/7.64.1
&gt; Accept: */*
&gt;
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
&lt; HTTP/2 200
&lt; server: istio-envoy
&lt; date: Thu, 29 Oct 2020 20:44:01 GMT
&lt; content-type: application/json
&lt; content-length: 612
&lt; access-control-allow-origin: *
&lt; access-control-allow-credentials: true
&lt; x-envoy-upstream-service-time: 1
&lt;
{
&#34;headers&#34;: {
&#34;Accept&#34;: &#34;*/*&#34;,
&#34;Content-Length&#34;: &#34;0&#34;,
&#34;Host&#34;: &#34;a25fa0b4835b.elb.us-west-2.amazonaws.com&#34;,
&#34;User-Agent&#34;: &#34;curl/7.64.1&#34;,
&#34;X-B3-Sampled&#34;: &#34;0&#34;,
&#34;X-B3-Spanid&#34;: &#34;69913a6e6e949334&#34;,
&#34;X-B3-Traceid&#34;: &#34;729d5da3618545da69913a6e6e949334&#34;,
&#34;X-Envoy-Attempt-Count&#34;: &#34;1&#34;,
&#34;X-Envoy-Decorator-Operation&#34;: &#34;httpbin.default.svc.cluster.local:8000/headers*&#34;,
&#34;X-Envoy-Internal&#34;: &#34;true&#34;,
&#34;X-Forwarded-For&#34;: &#34;172.16.5.30&#34;,
&#34;X-Forwarded-Proto&#34;: &#34;https&#34;,
&#34;X-Request-Id&#34;: &#34;299c7f8a-5f89-480a-82c9-028c76d45d84&#34;
}
}
* Connection #0 to host a25fa0b4835b.elb.us-west-2.amazonaws.com left intact
* Closing connection 0
</code></pre><h2 id=conclusion>Conclusion</h2><p>This blog presents the deployment of a stack that consists of an AWS NLB and Istio ingress gateway that are enabled with proxy-protocol. We hope it is useful to you if you are interested in protocol enabling in an anecdotal, experiential, and more informal way. However, note that the <code>X-Forwarded-For</code> header should be used only for the convenience of reading in test, as dealing with fake <code>X-Forwarded-For</code> attacks is not within the scope of this blog.</p><h2 id=references>References</h2><ul><li><p><a href=https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/>protocol settings</a></p></li><li><p><a href=https://www.haproxy.com/blog/haproxy/proxy-protocol/>protocol introduction</a></p></li></ul></div><nav class=pagenav><div class=left><a title="Deploy multiple Istio egress gateways independently to have fine-grained control of egress communication from the mesh." href=/v1.11/blog/2020/proxying-legacy-services-using-egress-gateways/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.11/img/icons.svg#left-arrow"/></svg>Proxying legacy services using Istio egress gateways</a></div><div class=right><a title="The inaugural conference for Istio will take place at the end of February." href=/v1.11/blog/2020/istiocon-2021/ class=next-link>Join us for the first IstioCon in 2021!<svg class="icon right-arrow"><use xlink:href="/v1.11/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.11/img/icons.svg#github"/></svg></a><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.11/img/icons.svg#drive"/></svg></a><a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.11/img/icons.svg#slack"/></svg></a><a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.11/img/icons.svg#stackoverflow"/></svg></a><a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.11/img/icons.svg#twitter"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.11/><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371 7.869 7.869.0 013.066-4.178 9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.11/img/icons.svg#tick"/></svg>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh class=footer-languages-item>中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://policies.google.com/privacy>Privacy policy</a> |
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.11/content/en/blog/2020/show-source-ip/index.md>Edit this Page on GitHub</a></li></ul><div class=footer-base><span class=footer-base-copyright>&copy; 2021 Istio Authors.</span>
<span class=footer-base-version>Version
Archive
1.11.4</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2020\/show-source-ip\/');return false;">current release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2020\/show-source-ip\/');return false;">next release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link role=menuitem href=https://istio.io/archive>older releases</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon top"><use xlink:href="/v1.11/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink