We were trying to configure the nginx ingress controller to forward the real visitor IP address from a Cloudflare proxied DNS, and we managed to achieve it by adding the following parameters in the nginx-ingress-ingress-nginx-controller configmap. However, this deployment is managed by Qovery and it can probably get overwritten.
Do you have any suggestions on how to implement it in a permanent way as it could directly affect our customers?
X-Forwarded-For should already be set. Can you check your application HTTP headers? IP address should be the real one already. Let me know if it’s not.
I’ve exhaustively tested it in my Staging environment, and once I turned on Cloudflare Proxied DNS, my application started to receive an IP from one of Cloudflare’s IP ranges. The only way that we have found to get the visitor’s real IP was adding these changes as recommended by Cloudflare: Restoring original visitor IPs · Cloudflare Support docs
The “Remove visitor IP headers” rule is disabled in Cloudflare. We don’t have the headers logged in our app but I managed to get it using tcpdump inside the pod. So when we don’t have my Nginx Ingress Controller configmap changes, we get this header:
X-Frame-Options: ALLOWALL
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Location: https://pathlms.ai/admin/sign_in
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
X-Request-Id: 2d18e3d3f9ab16b98ec604ad40bf391d
X-Runtime: 0.333381
Transfer-Encoding: chunked
But once I add those settings in the configmap, we receive these headers:
then we will get the visitor’s real IP. The point is that we need to keep the proxied option, and when we enable it we get just the proxy IP from the Cloudflare IP range list.
Ok, what we can try is to add an advanced setting for nginx (ConfigMap - Ingress-Nginx Controller) so you can set it to true.
I am gonna test on my end if that would be working, feel free to try it as well if you can.
If it looks good then we will provide this option as advanced settings.
Update: this solo param use-forwarded-headers is not working. I am looking for the minimal setup to make this work, especially without having to specify all CF IPs, if any.
The enable-real-ip: “true” property did the trick; we managed to get the visitor’s real IP. We would really appreciate it if we could add this in advanced settings.
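An added example, not part of the thread and not Qovery's or the posters' own configuration: the ingress-nginx ConfigMap keys discussed above, with the trusted-proxy range narrowed so that only the proxy's addresses can set the client IP. The namespace and the CIDR values are placeholders (assumptions); the real values are Cloudflare's published IP ranges.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  # ConfigMap name as given in the thread.
  name: nginx-ingress-ingress-nginx-controller
  # Placeholder: the namespace the ingress controller runs in.
  namespace: "REPLACE-WITH-INGRESS-NAMESPACE"
data:
  # Turns on nginx's realip module, so the client address is taken
  # from a request header instead of the TCP peer (the Cloudflare edge).
  enable-real-ip: "true"

  # Header the realip module reads. ingress-nginx defaults to
  # X-Forwarded-For; CF-Connecting-IP is the single-value header
  # Cloudflare sets with the visitor address.
  forwarded-for-header: "CF-Connecting-IP"

  # Sources allowed to supply that header. The ingress-nginx default is
  # "0.0.0.0/0", which accepts the header from any peer, so a client
  # that reaches the ingress without passing through Cloudflare could
  # set its own "real" IP. Restrict it to the proxy's ranges.
  # Placeholder documentation ranges below, NOT Cloudflare's real ones.
  proxy-real-ip-cidr: "192.0.2.0/24,2001:db8::/32"

  # use-forwarded-headers (passes incoming X-Forwarded-* headers to the
  # upstream) was reported in the thread as not sufficient on its own,
  # so it is left at its default here.
```

Because application logs, rate limits and IP allow-lists all end up keyed on this value, the `proxy-real-ip-cidr` list needs to be kept in sync with the proxy's published ranges when it is restricted this way.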