kubernetes-ingress

In TCP service, sometimes we get client_ip as an internal IP; how can we get an external IP in the TCP log?

Open Raj-prateek opened this issue 1 year ago • 5 comments

I have seen that sometimes we get the external IP and sometimes we get the internal IP. Is that expected?

Raj-prateek avatar Jan 02 '24 09:01 Raj-prateek

Hi @Raj-prateek, please provide more context, details and configuration so that we can try to figure out what happened.

ivanmatmati avatar Jan 08 '24 10:01 ivanmatmati

Values.yaml

controller:
  image:
    tag: nightly
  allowPrivilegeEscalation: true
  logging:
    level: debug
  extraArgs:
    - --configmap=ingress-haproxy/ingress-haproxy-kubernetes-ingress
    - --configmap-tcp-services=ingress-haproxy/smtp-config
    - --default-ssl-certificate=ingress-haproxy/xyz-com-tls-secret
    - --watch-namespace my-namespace
    - --disable-ipv6
  autoscaling:
    enabled: true
    minReplicas: 5
    maxReplicas: 10
    targetCPUUtilizationPercentage: 80
  service:
    type: LoadBalancer
    loadBalancerIP: 127.0.0.1
    tcpPorts:
      - name: smtp-587
        port: 587
        targetPort: 587
      - name: smtp-465
        port: 465
        targetPort: 465
      - name: smtp-2525
        port: 2525
        targetPort: 2525

Global Configmap:

kind: ConfigMap
metadata:
  name: ingress-haproxy-kubernetes-ingress
  namespace: ingress-haproxy
data:
   syslog-server: 'address:stdout, format: raw, facility:daemon'

TCP ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: smtp-config
  namespace: ingress-haproxy
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
data:
  587:                    # Port where the frontend is going to listen to.
    my-namespace/my-service:587    # Kubernetes service in the format NS/ServiceName:ServicePort
  465:
    my-namespace/my-service:465:ssl # ssl option will enable ssl offloading for target service.
  2525:
    my-namespace/my-service:2525
  log-format-tcp: '{"client_ip":"%ci","client_port":"%cp","frontend_port":"%fp","date_time":"%t","backend_name":"%b","server_name":"%s","Tt":"%Tt","Tc":"%Tc","Tw":"%Tw","bytes_read":"%B"}'

Raj-prateek avatar Jan 09 '24 14:01 Raj-prateek

Problem:

In the logs of HAProxy, a high-performance load balancer, we are observing an irregularity with the client_ip addresses. It seems that for the same connection, the client_ip is alternating between displaying an external IP address and an internal IP address. This inconsistency is occurring intermittently and it is unclear what is triggering this change. It is crucial to understand this as it could potentially impact the way we interpret our network traffic and manage our server load balancing.

Raj-prateek avatar Jan 09 '24 14:01 Raj-prateek
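
One way to quantify the behaviour reported above, as an added example (not code from the issue or from the HAProxy project): it parses lines in the JSON `log-format-tcp` shown above and counts internal versus external `client_ip` values per frontend port. The ranges treated as internal, the sample log lines and the names `classify` and `summarize` are assumptions made for the illustration.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Assumption: "internal" means these ranges; replace with your node/pod CIDRs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def classify(ip_text):
    """Return 'internal', 'external' or 'unparsed' for a %ci value."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparsed"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"

def summarize(lines):
    """Tally client_ip kind per frontend_port and count each internal source."""
    per_port = defaultdict(Counter)
    internal_sources = Counter()
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # other messages can share stdout with the TCP log
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid JSON
        kind = classify(rec.get("client_ip", ""))
        per_port[rec.get("frontend_port", "?")][kind] += 1
        if kind == "internal":
            internal_sources[rec["client_ip"]] += 1
    return {p: dict(c) for p, c in per_port.items()}, dict(internal_sources)

# Constructed sample lines (not from the issue), shaped like log-format-tcp above.
_REST = ('"date_time":"09/Jan/2024:14:01:02.123","backend_name":"be",'
         '"server_name":"SRV_1","Tt":"412","Tc":"1","Tw":"0","bytes_read":"980"}')
SAMPLE_LOG = [
    '{"client_ip":"203.0.113.24","client_port":"51544","frontend_port":"587",' + _REST,
    '{"client_ip":"10.42.3.1","client_port":"40112","frontend_port":"587",' + _REST,
    '2024/01/09 14:01:03 INFO constructed non-JSON line sharing stdout',
    '{"client_ip":"198.51.100.7","client_port":"60220","frontend_port":"465",' + _REST,
    '{"client_ip":"10.42.3.1","client_port":"40118","frontend_port":"465",' + _REST,
    '{"client_ip":"203.0.113.24","client_port":"51560","frontend_port":"587",' + _REST,
]

if __name__ == "__main__":
    ports, sources = summarize(SAMPLE_LOG)
    print(ports)    # internal/external counts per frontend port
    print(sources)  # how often each internal address appeared as client_ip
```

Comparing the internal addresses it reports with the cluster's node and pod addresses can show which hop is being logged as the client.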

@Raj-prateek can you check in the configuration what the log format is (in all sections, if you have it)?

edit: of course, when you notice the error

oktalz avatar Feb 01 '24 10:02 oktalz

Hi @oktalz

Other than TCP, which is defined above, we have this log format:

  log-format '%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs "%HM %[var(txn.base)] %HV"'

Raj-prateek avatar Feb 16 '24 08:02 Raj-prateek

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Mar 17 '24 10:03 stale[bot]