Skip to content

feat: add configurable real_ip_header option for nginx #904

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
vichaos wants to merge 4 commits into
base: master
Choose a base branch
from
Open

feat: add configurable real_ip_header option for nginx #904

vichaos wants to merge 4 commits into from

Conversation

@vichaos
Copy link

@vichaos vichaos commented Nov 14, 2025

Add configurable real_ip_header option for nginx configuration

Summary

This PR makes the nginx real_ip_header directive configurable via values.yaml, allowing users to customize which header is used to extract the real client IP address.

Changes

  • Added apisix.nginx.realIpHeader configuration option in values.yaml with a default value of "X-Real-IP"
  • Updated configmap.yaml template to use the configurable value instead of hardcoded "X-Real-IP"
  • Maintains backward compatibility with existing deployments (default remains "X-Real-IP")

Why This Change is Necessary

Different deployment environments and proxy setups use different headers to pass the original client IP address:

  1. Load Balancer Variations: Different cloud providers and load balancers use different headers:

    • AWS ALB/ELB often uses X-Forwarded-For
    • Cloudflare uses CF-Connecting-IP
    • Google Cloud Load Balancer may use X-Forwarded-For
    • Some proxies use X-Real-IP (current default)

  2. Multi-Layer Proxy Environments: In complex deployments with multiple proxy layers (e.g., CDN → Load Balancer → Ingress → APISIX), the appropriate header may differ based on architecture.

  3. Security and Rate Limiting: Correctly identifying client IPs is crucial for:

    • Accurate rate limiting based on client IP
    • Security plugins that rely on IP-based access control
    • Logging and analytics
    • Compliance requirements

  4. Flexibility: Without this configuration option, users would need to either:

    • Fork the chart and modify it
    • Use post-deployment patches
    • Accept incorrect IP detection in their environment

This change provides the flexibility needed for various deployment scenarios while maintaining sensible defaults.

Usage Example

apisix:
  nginx:
    realIpHeader: "X-Forwarded-For"  # For AWS ALB/ELB environments

Or via Helm CLI:

helm install apisix . --set apisix.nginx.realIpHeader="CF-Connecting-IP"

@vichaos
feat: add configurable real_ip_header option for nginx
db62b55 
- Add apisix.nginx.realIpHeader configuration in values.yaml
- Update configmap.yaml template to use configurable value
- Default to X-Real-IP for backward compatibility

This allows users to customize which header nginx uses to extract
the real client IP address, supporting various load balancer and
proxy configurations (e.g., X-Forwarded-For, CF-Connecting-IP).
@ngclinflows
Copy link

ngclinflows commented Nov 26, 2025

Hi @vichaos,

I think you missed to add a chart value for the complementary apisix.nginx_config.http.real_ip_from APISIX config parameter: it allows to trust a set of IPs and/or CIDRs and then effectively replace properly client address in $remote_addr with the one provided in the X-Real-IP/X-Forwarded-For/Forwarded header

ngclinflows
ngclinflows reviewed Nov 26, 2025
View reviewed changes
Copy link

@ngclinflows ngclinflows left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't forget to run the make helm-docs command to update the documentation.

@vichaos
Copy link
Author

vichaos commented Dec 1, 2025

@ngclinflows Thanks for raising this. I’ve added support for the complementary apisix.nginx_config.http.real_ip_from parameter in the chart values so APISIX can properly trust the defined IPs/CIDRs for client address handling.
Feel free to review the update and let me know if I should refine anything further.

@ngclinflows
Copy link

ngclinflows commented Dec 2, 2025

Seems good to me 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@ngclinflows ngclinflows ngclinflows left review comments

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vichaos @ngclinflows