ovhapache-apisixreal-ip

APISIX real ip behind an OVH LoadBalancer (Kubernetes)


I'm currently working on configuring my API Gateway, specifically Apisix in an OVH managed cluster, which I've deployed via Helm, to ensure that it forwards the real client IP addresses instead of the IP of the load balancer.

I found a tutorial for achieving this with a random Nginx controller here. However, I'm unsure about how to implement the same functionality with Apisix.

I noticed there's a real-ip plugin available for Apisix. Would configuring the annotation along with this plugin be sufficient for achieving the desired behavior? If not, what additional steps or configurations would be necessary to ensure Apisix forwards the real client IP addresses?

Thank you for any assistance or guidance provided.


Solution

  • After meddling around a bit, here is the way to achieve a real-ip setup with apisix on Kubernetes in an OVH cluster.

    1. Begin by adding the OVH annotation to the load balancer (apisix-gateway) in your Kubernetes cluster:
    metadata:
      annotations:
        service.beta.kubernetes.io/ovh-loadbalancer-proxy-protocol: "v2"
    spec:
      externalTrafficPolicy: Local
    

    With this annotation, all traffic routed to your Apisix gateway will be wrapped by the proxy protocol.

    1. Next, configure Apisix to handle the proxy protocol. By default, HTTP traffic is directed to port 9080 and HTTPS to port 9443. If you deployed Apisix using the provided Helm chart, you can adjust these settings in the configmap object named "apisix":
    apisix:
      node_listen:
        - 9081
      proxy_protocol:
        listen_http_port: 9080
        listen_https_port: 9443
        enable_tcp_pp: true
        enable_tcp_pp_to_upstream: true
      ssl:
        enable: true
        listen:
          - port: 9444
    
    1. Lastly, set the real-ip plugin globally to use the NGINX variable from the proxy protocol as the real IP:
    {"source":"proxy_protocol_addr","_meta":{"disable":false}}
    

    By following these steps, you'll be able to capture the real IP behind the OVH Kubernetes load balancer effectively.