Reviewed-by: Eotvos, Oliver <oliver.eotvos@t-systems.com> Co-authored-by: Dong, Qiu Jian <qiujiandong1@huawei.com> Co-committed-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
<a name="cce_bestpractice_00035"></a><a name="cce_bestpractice_00035"></a>
<h1 class="topictitle1">Obtaining the Client Source IP Address for a Container</h1>
<div id="body8662426"><div class="section" id="cce_bestpractice_00035__en-us_topic_0112307025_section15473144153818"><h4 class="sectiontitle">Background</h4><p id="cce_bestpractice_00035__en-us_topic_0112307025_p16169173419396">There may be different types of proxy servers between a client and a container server. How can a container obtain the real source IP address of the client? This section describes several scenarios you may encounter.</p>
</div>
<div class="section" id="cce_bestpractice_00035__en-us_topic_0112307025_section14623143319552"><h4 class="sectiontitle">Principles</h4><p id="cce_bestpractice_00035__p1842819471458"><span><img class="eddx" id="cce_bestpractice_00035__image4962449184416" src="en-us_image_0000001176818150.png"></span></p>
<p id="cce_bestpractice_00035__p1773572516282"><strong id="cce_bestpractice_00035__b10990522751">Layer-7 forwarding:</strong></p>
<p id="cce_bestpractice_00035__p127218392817">Ingress: If this access mode is used, the client source IP address is saved in the <strong id="cce_bestpractice_00035__b220014255720">X-Forwarded-For</strong> HTTP header field by default. No other configuration is required.</p>
<ul id="cce_bestpractice_00035__ul14638131964712"><li id="cce_bestpractice_00035__li116385193479">ELB ingress: An in-house ingress that implements layer-7 access from the internet and from the intranet (within the same VPC) based on ELB. If the backend Service is of the <strong id="cce_bestpractice_00035__b1623512557593">NodePort</strong> type, set <strong id="cce_bestpractice_00035__b361918135812">Service Affinity</strong> to <strong id="cce_bestpractice_00035__b1936962185815">Node level</strong>.</li></ul>
<p id="cce_bestpractice_00035__p127358257286"><strong id="cce_bestpractice_00035__b665912598571">Layer-4 forwarding:</strong></p>
<ul id="cce_bestpractice_00035__ul378957151212"><li id="cce_bestpractice_00035__li18219175312486">LoadBalancer: Load balancing is provided by ELB. For TCP and UDP listeners of shared load balancers, you can manually enable the <strong id="cce_bestpractice_00035__b2036318173518">Obtain Client IP Address</strong> option. For TCP and UDP listeners of dedicated load balancers, the <strong id="cce_bestpractice_00035__b560632310437">Obtain Client IP Address</strong> option is enabled by default and does not need to be enabled manually.</li><li id="cce_bestpractice_00035__li137845712121">NodePort: In this access mode, the container port is mapped to a port on the node. With cluster-level affinity, requests are forwarded on through the node, so the client source IP address cannot be obtained. With node-level affinity, requests are not forwarded, so the client source IP address is preserved.</li></ul>
</div>
<div class="section" id="cce_bestpractice_00035__section182607151519"><h4 class="sectiontitle">Ingress</h4><p id="cce_bestpractice_00035__p201511142171416">Configure the application server to read the client IP address from the HTTP header.</p>
<p id="cce_bestpractice_00035__p107351425162815">The real IP address is placed in the <strong id="cce_bestpractice_00035__b129812919298">X-Forwarded-For</strong> HTTP header field by the load balancer in the following format:</p>
<pre class="screen" id="cce_bestpractice_00035__screen154815112816">X-Forwarded-For: <em id="cce_bestpractice_00035__i0263819192912">IP address of the client</em>,<em id="cce_bestpractice_00035__i4263619162919">Proxy server 1-IP address</em>,<em id="cce_bestpractice_00035__i1526310197290">Proxy server 2-IP address</em>,...</pre>
<p id="cce_bestpractice_00035__p131511642121417">With this method, the first IP address in the list is the IP address of the client.</p>
<p id="cce_bestpractice_00035__p13412284711">For details, see <a href="https://docs.otc.t-systems.com/usermanual/elb/elb_faq_0090.html" target="_blank" rel="noopener noreferrer">How Can I Obtain the IP Address of a Client?</a></p>
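The header parsing described above, as an added example that is not part of the original page: it extracts the client address from the comma-separated X-Forwarded-For value the load balancer writes (first entry = client), validates every entry as an IP address, and, going beyond the page, also shows the trusted-proxy variant in which the chain is walked from the right past hops that belong to networks you operate. The sample header, the peer address and the trusted networks are constructed assumptions.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample header in the format the load balancer writes:
# client IP, then one entry per proxy hop.
SAMPLE_XFF = "203.0.113.7, 10.0.0.12, 10.0.0.34"


def parse_xff(header: Optional[str]) -> List[str]:
    """Split X-Forwarded-For into a list of validated IP address strings.

    Entries that are not syntactically valid IPs are dropped, so a
    malformed header never reaches logs or allow-list checks unchecked.
    """
    if not header:
        return []
    addrs = []
    for entry in header.split(","):
        try:
            addrs.append(str(ipaddress.ip_address(entry.strip())))
        except ValueError:
            continue
    return addrs


def client_ip_first(header: Optional[str]) -> Optional[str]:
    """The page's rule: the first entry is the client address."""
    addrs = parse_xff(header)
    return addrs[0] if addrs else None


def client_ip_trusted(header: Optional[str], peer_ip: str,
                      trusted_proxies: Iterable[str]) -> Optional[str]:
    """Generalisation: walk the chain from the right, skipping hops that
    belong to networks we operate (the load balancer and any internal
    proxies). The first address not in those networks is the client.
    peer_ip is the TCP peer that delivered the request to the server;
    the trusted networks are assumptions for this example."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    chain = [ipaddress.ip_address(a) for a in parse_xff(header)]
    chain.append(ipaddress.ip_address(peer_ip))
    for addr in reversed(chain):
        if not any(addr in net for net in trusted):
            return str(addr)
    return None  # every hop was ours: no external client in the chain
```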
<div class="note" id="cce_bestpractice_00035__note17787124418"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="cce_bestpractice_00035__ul9269131812110"><li id="cce_bestpractice_00035__li102697185210">When adding an ingress, if the backend service is of the NodePort type, set <strong id="cce_bestpractice_00035__b177497173714">Service Affinity</strong> to <strong id="cce_bestpractice_00035__b1518711205415">Node level</strong>, that is, set <strong id="cce_bestpractice_00035__b17727191625417">spec.externalTrafficPolicy</strong> to <strong id="cce_bestpractice_00035__b277211191547">Local</strong>. For details, see <a href="#cce_bestpractice_00035__section6340152911914">NodePort</a>.</li></ul>
</div></div>
</div>
<div class="section" id="cce_bestpractice_00035__en-us_topic_0112307025_section968953616401"><h4 class="sectiontitle">LoadBalancer</h4><p id="cce_bestpractice_00035__p17777185411612">For a LoadBalancer Service, how the source IP address is obtained depends on the cluster network model and the scenario. In some scenarios, the source IP address cannot be obtained at present.</p>
<p id="cce_bestpractice_00035__p101483813463"><strong id="cce_bestpractice_00035__b94263121219">VPC and Container Tunnel Network Models</strong></p>
<p id="cce_bestpractice_00035__p420914396245">To obtain source IP addresses, perform the following steps:</p>
<ol id="cce_bestpractice_00035__ol1477712543620"><li id="cce_bestpractice_00035__li12777454962"><span>When creating a LoadBalancer Service on the CCE console, set <strong id="cce_bestpractice_00035__b1745114210315">Service Affinity</strong> to <strong id="cce_bestpractice_00035__b9844491834">Node level</strong> instead of <strong id="cce_bestpractice_00035__b1631105614320">Cluster level</strong>.</span><p><p id="cce_bestpractice_00035__p07779548616"></p>
</p></li><li id="cce_bestpractice_00035__li1777795419614"><span>Go to the ELB console and enable the Obtain Client IP Address option on the listener of the load balancer that the Service uses. <strong id="cce_bestpractice_00035__b670319210497">Transparent transmission of source IP addresses is enabled for dedicated load balancers by default. You do not need to manually enable this function.</strong></span><p><ol type="a" id="cce_bestpractice_00035__ol167779541767"><li id="cce_bestpractice_00035__li11777154764">Log in to the ELB console.</li><li id="cce_bestpractice_00035__li187771754967">Click <span><img id="cce_bestpractice_00035__image1677716541169" src="en-us_image_0000001221501677.png"></span> in the upper left corner to select the desired region and project.</li><li id="cce_bestpractice_00035__li17777145417611">Click <strong id="cce_bestpractice_00035__b11958203315514">Service List</strong>. Under <strong id="cce_bestpractice_00035__b1096313310516">Networking</strong>, click <strong id="cce_bestpractice_00035__b1396312337513">Elastic Load Balance</strong>.</li><li id="cce_bestpractice_00035__li877713542067">On the <strong id="cce_bestpractice_00035__b7806736153212">Load Balancers</strong> page, click the name of the load balancer.</li><li id="cce_bestpractice_00035__li17771254563">Click <strong id="cce_bestpractice_00035__b113891339173212">Listeners</strong>.<ul id="cce_bestpractice_00035__ul13241558155819"><li id="cce_bestpractice_00035__li1824195818588">To add a listener, click <strong id="cce_bestpractice_00035__b1683483713133">Add Listener</strong>.</li><li id="cce_bestpractice_00035__li1124116587582">To modify a listener, locate the listener and click the edit button to the right of its name.</li></ul>
</li><li id="cce_bestpractice_00035__li477720541864">Enable <strong id="cce_bestpractice_00035__b207848511656">Obtain Client IP Address</strong>.</li></ol>
</p></li></ol>
<p id="cce_bestpractice_00035__p59816519"></p>
</div>
<div class="section" id="cce_bestpractice_00035__section6340152911914"><a name="cce_bestpractice_00035__section6340152911914"></a><a name="section6340152911914"></a><h4 class="sectiontitle">NodePort</h4><p id="cce_bestpractice_00035__p12338629898">Set the service affinity of a NodePort Service to <strong id="cce_bestpractice_00035__b18193342472">Node level</strong> instead of <strong id="cce_bestpractice_00035__b13200442778">Cluster level</strong>. That is, set <strong id="cce_bestpractice_00035__b122003421077">spec.externalTrafficPolicy</strong> of the Service to <strong id="cce_bestpractice_00035__b1920020424712">Local</strong>.</p>
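A manifest check for the affinity setting described in the LoadBalancer step 1, the ingress note and this NodePort section, as an added example that is not the page's or CCE's own code: it flags every NodePort or LoadBalancer Service whose spec.externalTrafficPolicy is not Local, treating an omitted field as Cluster (the Kubernetes default), and shows the corrected spec. The sample Service manifests are constructed.

```python
import copy
from typing import Dict, List

# Constructed sample Service manifests as parsed dicts (not the page's own).
SERVICES: List[Dict] = [
    {"metadata": {"name": "web-lb"},
     "spec": {"type": "LoadBalancer", "externalTrafficPolicy": "Cluster"}},
    {"metadata": {"name": "api-np"},
     "spec": {"type": "NodePort"}},  # policy omitted: defaults to Cluster
    {"metadata": {"name": "app-np-local"},
     "spec": {"type": "NodePort", "externalTrafficPolicy": "Local"}},
    {"metadata": {"name": "internal"},
     "spec": {"type": "ClusterIP"}},  # not reachable from outside, out of scope
]

# Only Services that receive traffic from outside the cluster carry the
# externalTrafficPolicy setting the page is about.
EXTERNAL_TYPES = {"NodePort", "LoadBalancer"}


def traffic_policy(svc: Dict) -> str:
    """Kubernetes applies Cluster when externalTrafficPolicy is omitted."""
    return svc.get("spec", {}).get("externalTrafficPolicy", "Cluster")


def loses_client_ip(svc: Dict) -> bool:
    """True when requests may be forwarded through a node before reaching
    the pod, so the pod sees a node address instead of the client's."""
    spec = svc.get("spec", {})
    if spec.get("type") not in EXTERNAL_TYPES:
        return False
    return traffic_policy(svc) != "Local"


def find_services_losing_client_ip(services: List[Dict]) -> List[str]:
    """Names of Services that need Service Affinity set to Node level."""
    return [s["metadata"]["name"] for s in services if loses_client_ip(s)]


def fix_policy(svc: Dict) -> Dict:
    """Return a copy with spec.externalTrafficPolicy: Local, which is what
    the console's Node level Service Affinity sets. The input is untouched."""
    fixed = copy.deepcopy(svc)
    fixed.setdefault("spec", {})["externalTrafficPolicy"] = "Local"
    return fixed
```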
</div>
</div>