Introduction
The X-Forwarded-For (XFF) HTTP header is used to identify the originating IP address of a client that connects to a web server through a load balancer, or other intermediary devices. In a Consul cluster running on Kubernetes with an Consul API Gateway, the XFF header can be extremely useful in maintaining the real client IP information as the traffic passes through a proxy.
Use Case
In a Consul Service Mesh running in a Kubernetes environment with a Consul API Gateway, it is common to use Envoy proxies between external clients and internal services. By using the X-Forwarded-For header, you can preserve the original client IP address as traffic flows through the Consul API Gateway into the Consul service mesh.
Procedure
Below is an example of configuring the X-Forwarded-For header in a Consul cluster using an HTTPRoute in an API Gateway setup. This config adds the X-Forwarded-For header to requests before routing them to internal services.
- Example Config involving a demo application named, frontend.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
name: frontend-route
spec:
parentRefs:
- name: api-gateway
rules:
- backendRefs:
- kind: Service
name: frontend
namespace: consul
port: 9090
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
add:
- name: x-forwarded-for
value: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
Logging for x-forwarded-for info
When an external application makes a call to webserver application (eg: Frontend) in the mesh behind an api-gateway, the x-forwarded-for header information gets recorded and can be found in the envoy sidecar logs of the webserver application (eg: frontend), as shown below.
2024-09-24T05:58:56.815Z+00:00 [debug] envoy.rbac(25) checking request: requestedServerName: , sourceIP: 10.42.0.13:52262, directRemoteIP: 10.42.0.13:52262, remoteIP: │
│ ':path', '/favicon.ico' │
│ ':method', 'GET' │
│ ':scheme', 'http' │
│ 'user-agent', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36' │
│ 'accept', 'image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8' │
│ 'referer', 'http://192.168.105.6:8090/' │
│ 'accept-encoding', 'gzip, deflate' │
│ 'accept-language', 'en-GB,en-US;q=0.9,en;q=0.8' │
│ 'x-count', '2' │
│ 'x-forwarded-proto', 'http' │
│ 'x-request-id', 'decdafef-2db1-4500-a7d8-94249cd6bf06' │
│ 'x-envoy-expected-rq-timeout-ms', '15000' │
│ 'x-forwarded-for', '10.42.0.1' │
│ 'x-envoy-internal', 'true' │
│ 'x-forwarded-client-cert', 'By=spiffe://180f4e8c-442b-7543-fda9-b066853843cd.consul/ns/default/dc/dc1/svc/frontend;Hash=29e890d46d265d3ff78cf60187039ba7c23680a3bbec60 │
│ , dynamicMetadata
Conclusion
The X-Forwarded-For header is an essential component in maintaining the true client IP as traffic flows through an API Gateway into a Consul service mesh on Kubernetes. By enabling this header, services within Consul can accurately process and log requests, apply security rules, and fulfil compliance obligations. Configuring this feature is straightforward using HTTPRoute in conjunction with a Kubernetes API Gateway, ensuring seamless integration of real IP forwarding in your service mesh environment.