How to enable support for use-forwarded-headers in ingress-nginx

Article Number: 000020070

Environment

• A Kubernetes cluster provisioned by the Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x
• For RKE provisioned clusters, you will require the RKE binary and access to the cluster configuration YAML, rkestate file and kubectl access with the kubeconfig for the cluster sourced
• For Rancher v2.x provisioned clusters, you will require cluster owner or global admin permissions in Rancher

Situation

Per the [ingress-nginx documentation], the use-forwarded-headers configuration option enables passing "the incoming X-Forwarded-* headers to upstreams. Use this option when NGINX is behind another L7 proxy / load balancer that is setting these headers."

This article details how to enable the use-forwarded-headers option in the ingress-nginx instance of Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x provisioned Kubernetes clusters.

Resolution

Configuration for RKE CLI provisioned clusters

1. Edit the cluster configuration YAML file to include the use-forwarded-headers: true option for the ingress, as follows:

ingress:
  provider: nginx
  options:
    use-forwarded-headers: true

2. Apply the changes to the cluster, by invoking rke up:

rke up --config <cluster configuration yaml file>

3. Verify the new configuration:

for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name | awk -F '/' '{print $2}'); do echo -n "Checking $pod .... "; kubectl -n ingress-nginx exec "$pod" -- bash -c "cat /etc/nginx/nginx.conf | grep use_forwarded_headers | grep true > /dev/null 2>&1 && echo 'Good' || echo 'Bad'"; done

Configuration for Rancher v2.x provisioned clusters

1. Log in to the Rancher UI.
2. Go to Global -> Clusters -> Cluster Name.
3. From the Cluster Dashboard edit the cluster by Clicking on "⋮" then select Edit.
4. Click "Edit as YAML".
5. Include the use-forwarded-headers option for the ingress, as follows:

ingress:
  provider: nginx
  options:
    use-forwarded-headers: true

6. Click "Save" at the bottom of the page. 7. Wait for cluster to finish upgrading. 8. Go back to the Cluster Dashboard and click "Launch kubectl". 9. Run the following inside the kubectl CLI to verify the new argument:

for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name | awk -F '/' '{print $2}'); do echo -n "Checking $pod .... "; kubectl -n ingress-nginx exec "$pod" -- bash -c "cat /etc/nginx/nginx.conf | grep use_forwarded_headers | grep true > /dev/null 2>&1 && echo 'Good' || echo 'Bad'"; done