nginx 1.27.1 use-proxy-protocol need proxy-real-ip-cidr

[albundy83]

Environmental Info:
RKE2 Version:

ubuntu@control-plane-0:~$ rke2 -v
rke2 version v1.34.2+rke2r1 (5e3fff8)
go version go1.24.9 X:boringcrypto

Node(s) CPU architecture, OS, and Version:

ubuntu@control-plane-0:~$ uname -a
Linux cem-control-plane-0 6.8.0-88-generic #89-Ubuntu SMP PREEMPT_DYNAMIC Sat Oct 11 01:02:46 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Cluster Configuration:

3 control-planes
3 workers

Describe the bug:

When you enable proxy protocol at ingress-nginx level (use-proxy-protocol: "true") and if you use an external load balancer (from your could provider), you now need to set proxy-real-ip-cidr to your internal vlan range.

Here an exemple:

proxy-real-ip-cidr: 10.83.0.0/16

Steps To Reproduce:

• Installed RKE2: 1.34.2+rke2r1 (it works with previous 1.34.1+rke2r1)
• Enable proxy-protocol (use-proxy-protocol: true) but do not set proxy-real-ip-cidr
• See that you received the load balancer IP address instead of the real external IP addresses.

Expected behavior:

It used to work without proxy-real-ip-cidr parameter, so maybe it's not a bug, it's just a new conf....

Additional context / logs:

Here the diff of the nginx.conf configuration between nginx-v1.12.6-hardened1 and nginx-v1.13.4-hardened2.

Lines that start with < are from nginx-v1.12.6-hardened1

Lines that start with > are from nginx-v1.13.4-hardened2

gbellongervais@localhost:~/cloud/ovh-rke2.cem/ansible> diff nginx-v1.12.6-hardened1.conf nginx-v1.13.4-hardened2.conf
2c2
< # Configuration checksum: 3368141257399223729
---
> # Configuration checksum: 17354325090996571440
47c47
<       real_ip_header      proxy_protocol;
---
>       real_ip_header      X-Forwarded-For-Proxy-Protocol;
158a159,188
>       # When the proxy protocol is enabled, we cannot rely solely on the proxy protocol address
>       # due to potential proxy chain issues. Multiple proxies may modify the client IP before
>       # it reaches the ingress controller. We use the proxy-real-ip-cidr list to trust specific proxy
>       # addresses and determine the correct client IP from the forwarded headers.
>       #
>       # --------     --------------             ---------------------                       -----------------
>       # | User | --> | HTTP Proxy | -- http --> | TCP Load Balancer | -- proxy protocol --> | Ingress Nginx |
>       # --------     --------------             ---------------------                       -----------------
>       #
>       # The algorithm for determining the header to be used with the real_ip_header:
>       # 1. Check if the $proxy_protocol_addr is trusted (i.e., whether it's in the proxy-real-ip-cidr list).
>       # 2. If trusted, use the configured forwarded-for header (X-Forwarded-For by default).
>       # 3. If not trusted, fall back to using the $proxy_protocol_addr.
>       #
>       geo $proxy_protocol_addr $proxy_protocol_addr_trusted {
>               default           0;
>
>               0.0.0.0/0 1;
>
>       }
>
>       map $proxy_protocol_addr_trusted $forwarded_for_proxy_protocol {
>               default   $proxy_protocol_addr;
>               1         $http_x_forwarded_for;
>       }
>
>       # The realip module does not support variables for the real_ip_header directive
>       # so we need to define a custom header.
>       more_set_input_headers "X-Forwarded-For-Proxy-Protocol: $forwarded_for_proxy_protocol";
>
189c219
<       # PEM sha: f1659c8355214ced0fe6dccdb4d509ce8d300c25
---
>       # PEM sha: aff52bedb0430cb765f4ff490c6e70029eb030f7
304c334,336
<                       proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
---
>                       proxy_set_header X-Original-Forwarded-For  $http_x_forwarded_for;
>                       # Pass the original X-Forwarded-Host
>                       proxy_set_header X-Original-Forwarded-Host $http_x_forwarded_host;
466c498,500
<                       proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
---
>                       proxy_set_header X-Original-Forwarded-For  $http_x_forwarded_for;
>                       # Pass the original X-Forwarded-Host
>                       proxy_set_header X-Original-Forwarded-Host $http_x_forwarded_host;
604c638,640
<                       proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
---
>                       proxy_set_header X-Original-Forwarded-For  $http_x_forwarded_for;
>                       # Pass the original X-Forwarded-Host
>                       proxy_set_header X-Original-Forwarded-Host $http_x_forwarded_host;
741c777,779
<                       proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
---
>                       proxy_set_header X-Original-Forwarded-For  $http_x_forwarded_for;
>                       # Pass the original X-Forwarded-Host
>                       proxy_set_header X-Original-Forwarded-Host $http_x_forwarded_host;

[albundy83]

The same diff but when you add the proxy-real-ip-cidr parameter.

Lines that start with < are from nginx-v1.12.6-hardened1

Lines that start with > are from nginx-v1.13.4-hardened2 with proxy-real-ip-cidr set to 10.83.0.0/16

gbellongervais@localhost:~/cloud/ovh-rke2.cem/ansible> diff nginx-v1.12.6-hardened1.conf nginx-v1.13.4-hardened2-cidr.conf
2c2
< # Configuration checksum: 3368141257399223729
---
> # Configuration checksum: 11536456227281809468
47c47
<       real_ip_header      proxy_protocol;
---
>       real_ip_header      X-Forwarded-For-Proxy-Protocol;
51c51,53
<       set_real_ip_from    0.0.0.0/0;
---
>       set_real_ip_from    10.83.0.0/16;
158a161,192
>       # When the proxy protocol is enabled, we cannot rely solely on the proxy protocol address
>       # due to potential proxy chain issues. Multiple proxies may modify the client IP before
>       # it reaches the ingress controller. We use the proxy-real-ip-cidr list to trust specific proxy
>       # addresses and determine the correct client IP from the forwarded headers.
>       #
>       # --------     --------------             ---------------------                       -----------------
>       # | User | --> | HTTP Proxy | -- http --> | TCP Load Balancer | -- proxy protocol --> | Ingress Nginx |
>       # --------     --------------             ---------------------                       -----------------
>       #
>       # The algorithm for determining the header to be used with the real_ip_header:
>       # 1. Check if the $proxy_protocol_addr is trusted (i.e., whether it's in the proxy-real-ip-cidr list).
>       # 2. If trusted, use the configured forwarded-for header (X-Forwarded-For by default).
>       # 3. If not trusted, fall back to using the $proxy_protocol_addr.
>       #
>       geo $proxy_protocol_addr $proxy_protocol_addr_trusted {
>               default           0;
>
>               10.83.0.0/16 1;
>
>       }
>
>       map $proxy_protocol_addr_trusted $forwarded_for_proxy_protocol {
>               default   $proxy_protocol_addr;
>               1         $http_x_forwarded_for;
>       }
>
>       # The realip module does not support variables for the real_ip_header directive
>       # so we need to define a custom header.
>       more_set_input_headers "X-Forwarded-For-Proxy-Protocol: $forwarded_for_proxy_protocol";
>
189c223
<       # PEM sha: f1659c8355214ced0fe6dccdb4d509ce8d300c25
---
>       # PEM sha: 7bd1cb4b1e9dfa02453b4d8007beef9f1a66c009
304c338,340
<                       proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
---
>                       proxy_set_header X-Original-Forwarded-For  $http_x_forwarded_for;
>                       # Pass the original X-Forwarded-Host
>                       proxy_set_header X-Original-Forwarded-Host $http_x_forwarded_host;
466c502,504
<                       proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
---
>                       proxy_set_header X-Original-Forwarded-For  $http_x_forwarded_for;
>                       # Pass the original X-Forwarded-Host
>                       proxy_set_header X-Original-Forwarded-Host $http_x_forwarded_host;
604c642,644
<                       proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
---
>                       proxy_set_header X-Original-Forwarded-For  $http_x_forwarded_for;
>                       # Pass the original X-Forwarded-Host
>                       proxy_set_header X-Original-Forwarded-Host $http_x_forwarded_host;
741c781,783
<                       proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
---
>                       proxy_set_header X-Original-Forwarded-For  $http_x_forwarded_for;
>                       # Pass the original X-Forwarded-Host
>                       proxy_set_header X-Original-Forwarded-Host $http_x_forwarded_host;

[brandond]

This sounds like an upstream change in ingress-nginx, I'm not sure that there is anything we can or need to do about it in this project? If it wasn't already basically dead, I'd suggest taking this to the upstream project.

What if anything do you propose we do about it here? Sometimes upstream projects change things. We don't generally have any guarantee that we will isolate you from those changes.

[albundy83]

As you say, the nginx project is dead.
It was more to capture my steps and how I fix this issue with this updated nginx version.
That's why also I create a dedicated "issue".
If you don't have anything to add, we could close it :)

Thanks a lot

[brandond]

I'll convert this to a discussion then.