Skip to content

Proper Reporting of End User Public IP Address (NGINX-based Ingress controller)

These instructions describe the Wallarm Ingress controller configuration required to identify an originating IP address of a client (end user) when a controller is placed behind a load balancer.

By default, the Ingress controller assumes that it is directly exposed to the Internet and that the IP addresses of connecting clients are their actual IPs. However, the requests can be passed through the load balancer (e.g. AWS ELB or Google Network Load Balancer) before being sent to the Ingress controller.

In situations when a controller is placed behind a load balancer the Ingress controller considers the load balancer IP to be a real end user IP that can lead to incorrect operation of some Wallarm features. To report proper end user IP addresses to the Ingress controller, please configure the controller as described below.

Step 1: Enable passing the real client IP on the network layer

This feature is highly dependent on the cloud platform being used; in the majority of cases, it can be activated by setting the values.yaml file attribute controller.service.externalTrafficPolicy to the value Local:

controller:
  service:
    externalTrafficPolicy: "Local"

Step 2: Enable Ingress controller to take the value from the X-FORWARDED-FOR HTTP request header

Usually, the load balancers append the HTTP header X-Forwarded-For containing an original client IP address. You can find an exact header name in the load balancer documentation.

Wallarm Ingress controller can take the real end user IP address from this header if the controller values.yaml is configured as follows:

controller:
  config:
    enable-real-ip: "true"
    forwarded-for-header: "X-Forwarded-For"

Other recommendations

Wallarm’s version of the Kubernetes Ingress controller is based on the community-supported NGINX Ingress controller for Kubernetes, so the majority of recommendations found in the official Ingress controller documentation and on the public Internet are also applicable to Wallarm’s Ingress controller.

Recommended reading: