Proxy Protocol set incorrectly #188
Comments
@rikatz if you enable 'use-proxy-protocol' it is for all the listen sections. How are you using the ingress controller? (If you use the ingress controller in AWS, it is usually behind an ELB.)
We're using the ingress controller as the 'main entrance' for our Kubernetes environment. No ELB or anything at all; the machines running the ingress controller have a public valid IP address. The thing is that, to allow the usage of SSL Passthrough, the 'stream' config in NGINX was made to solve this problem. This introduces (at least to us) a new problem: requests made through SSL are not correctly logged (as NGINX calls itself on port 442), and we can't trace the original client IP requester. This may impact other stuff, and I think it includes #116. The solution we've found was to enable the proxy_protocol between the stream and the SSL backend, but this introduces 2 new problems: logging on the common regular port 80 doesn't work correctly, and all backends must support the PROXY protocol (which is not the case when you passthrough directly to a WildFly server, as an example). Also, it adds more latency. So, for my specific problem here I'll change the nginx.tmpl file, fully removing the 'streams' section (as we're not going to use, by now, SSL Passthrough or even TCP/UDP backends). But I think that a 'more elegant' way to do this is to enable or disable (globally, in ConfigMap) the possibility to use or not SSL Passthrough, giving the user the chance to choose between less latency and better logging (without enabling SSL Passthrough in the platform), or the opposite, but enabling this feature.
I don't know how much of this is a real problem, but here it is.
We've enabled 'use-proxy-protocol' in ConfigMap. This is useful as we use 'stream {' to pass SSL connections.
While this works with SSL, the template is inserting 'proxy_protocol' also in the HTTP binding (port 80 listening) as the following:
listen [::]:80 proxy_protocol ipv6only=off default_server reuseport backlog=32768;
This is set here: https://github.com/kubernetes/ingress/blob/master/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl#L204
Should this really contain the
{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }}
directive? Or maybe, shouldn't we always include the proxy_protocol in the 'ssl' listen?
This is necessary, as, while using the 'stream', we can still log the real source IP in requests.
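A constructed configuration fragment (not the project's nginx.tmpl) showing the split the issue asks for: the PROXY header is declared only on the listener that actually receives it (the internal TLS listener on port 442 fed by the stream block), while port 80, which clients reach directly, stays plain. The certificate paths, log path and log format name are placeholders.

```nginx
stream {
    # Public TLS entry point. Clients connect here directly, so no PROXY
    # header has been prepended yet and this listener must NOT declare
    # proxy_protocol.
    server {
        listen 443;
        # Hand the raw TLS stream to the HTTP block's TLS listener and
        # prepend a PROXY header so the real client address survives the
        # local hop (the address NGINX would otherwise log is 127.0.0.1).
        proxy_pass 127.0.0.1:442;
        proxy_protocol on;
    }
}

http {
    # Rebuild $remote_addr from the PROXY header, but only trust the
    # local stream hop that adds it (ngx_http_realip_module).
    set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;

    # Log both the recovered address and the raw PROXY value so a
    # misconfiguration is visible in the access log.
    log_format with_proxy '$remote_addr proxy_protocol_addr=$proxy_protocol_addr '
                          '"$request" $status';

    server {
        # Reached directly by browsers: no PROXY header arrives, so adding
        # proxy_protocol here makes NGINX wait for a PROXY line and reject
        # ordinary HTTP requests. This is the port-80 logging breakage.
        listen 80 default_server;
        listen [::]:80 default_server;
        access_log /var/log/nginx/access.log with_proxy;   # placeholder path
    }

    server {
        # Only reachable through the stream hop above, which always sends
        # a PROXY header, so proxy_protocol is correct on this listener.
        listen 127.0.0.1:442 ssl proxy_protocol;
        ssl_certificate     /etc/nginx/ssl/default.crt;   # placeholder
        ssl_certificate_key /etc/nginx/ssl/default.key;   # placeholder
        access_log /var/log/nginx/access.log with_proxy;   # placeholder path
    }
}
```

Note that `proxy_protocol on;` in the stream server applies to every upstream it proxies to, so a backend reached by SSL passthrough from the same stream block would also have to understand the PROXY header, which is the second problem the comments describe.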