GETTING EDGY VIDEO SERIES

Getting Edgy: Understanding PROXY Protocol and X-Forwarded-For in Kubernetes

Kelsey Evans
Ambassador Labs
Published in
2 min readOct 28, 2019

In today’s Getting Edgy episode, we talk about the nuances of PROXY protocol and X-Forwarded-For (XFF).

In a typical Kubernetes cluster, traffic flows from the internet through a load balancer to your Kubernetes ingress, which then routes to your different Kubernetes services. Commonly, you want to know the IP address and protocol of your user.

There are two ways to address this challenge:

  1. If your load balancer is running in Layer 4 mode (i.e. TCP connections), the PROXY protocol will share information about the client and pass that information on to your ingress which can then decode the PROXY protocol.
  2. If your load balancer is running in Layer 7 mode, there are special HTTP headers (i.e. x-forwarded-for and x-forwarded-proto) which will give you the IP address and protocol, respectively. This information then gets passed on to your Kubernetes ingress. It’s important to make sure that your Kubernetes ingress supports processing this information so you can do things like log the client’s IP address or redirect a user to HTTPS by having your ingress read the protocol and then issue a redirect.

Learn More

To learn more about PROXY protocol and X-Forwarded-For, check out the following resources:

Sign up to discover human stories that deepen your understanding of the world.

Published in Ambassador Labs

Code, ship, and run apps for Kubernetes faster and easier than ever — powered by Ambassador’s industry-leading developer experience.

No responses yet

Write a response