How Do I Obtain the Actual Source IP Address of a Client After a Service Is Added into Istio?
Symptom
After Istio is enabled for a service, the client source IP addresses obtained from access logs are all changed to 127.0.0.1. The actual source IP addresses cannot be obtained.
Solution
This section uses an Nginx application as an example to describe how to add a LoadBalancer (ELB) Service to the service mesh. The procedure for adding other types of Services is similar.
- Create a LoadBalancer Service (node-level).
- Add the Service to the Istio service mesh.
- Add the Istio service gateway and change the Service automatically generated in the istio-system namespace to the node level.
- Configure Nginx in the container:
The configuration path is /etc/nginx/conf.d/default.conf.
    set_real_ip_from 100.0.0.0/8;
    set_real_ip_from 127.0.0.1;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

- Load the TOA plug-in to all nodes in the cluster so that the source IP addresses can be obtained from the containers.
- After a request is sent from the client, the IP address is converted by the ELB load balancer and then converted again when the request reaches Istio. Therefore, you need to set set_real_ip_from twice to obtain the actual IP address.
- If the frontend and backend services use HTTP, the verification goes properly. If the server end uses HTTPS, the verification is not performed.
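The following added example (not part of the original article and not Nginx's own code) is a simplified Python model of how the realip directives above pick the client address, showing why both set_real_ip_from entries are needed and why a client-supplied X-Forwarded-For entry is ignored. The function names, the header contents and all addresses other than 100.0.0.0/8 and 127.0.0.1 are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Trusted proxy ranges taken from the default.conf shown above.
TRUSTED = [ip_network("100.0.0.0/8"), ip_network("127.0.0.1")]


def is_trusted(addr, trusted):
    """True if addr falls inside any set_real_ip_from range."""
    return any(addr in net for net in trusted)


def real_client_ip(peer, xff, trusted=TRUSTED, recursive=True):
    """Model of 'real_ip_header X-Forwarded-For' (hypothetical helper).

    peer is the address of the TCP connection Nginx sees, xff is the
    header value. The header is only honoured while the current address
    is trusted; with recursive=True the walk goes right to left and
    stops at the first address that is not a trusted proxy.
    """
    addr = ip_address(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops and is_trusted(addr, trusted):
        try:
            candidate = ip_address(hops.pop())
        except ValueError:
            break  # unparsable entry: keep the last good address
        addr = candidate
        if not recursive:
            break  # real_ip_recursive off: only the last entry is used
    return str(addr)


if __name__ == "__main__":
    # Constructed sample: client 203.0.113.7, ELB hop 100.125.0.5,
    # Istio sidecar connects to Nginx from 127.0.0.1.
    header = "203.0.113.7, 100.125.0.5"
    print("both ranges trusted :", real_client_ip("127.0.0.1", header))
    print("only 127.0.0.1      :",
          real_client_ip("127.0.0.1", header, [ip_network("127.0.0.1")]))
    # A client that sends its own X-Forwarded-For: 10.1.1.1
    print("forged first entry  :",
          real_client_ip("127.0.0.1", "10.1.1.1, " + header))
```

Entries to the left of the first untrusted address are never consulted, so the trusted ranges should cover only the ELB and sidecar hops and nothing a client can connect from.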