Show HN: Kuberentes – The client source IP preservation dilemma (opens in new tab)

(elsesiy.com)

18 pointsmus1cfl0w5y ago7 comments

7 comments

I'm assuming this is not an HTTP setup then? In the HTTP world, setting X-Forwarded-For is usually enough.

Relying on X-Forward-For for... pretty much anything is not a security best practice. The user can easily manipulate this header.

remram5y ago

AFAIK the common issue is software written or configured to read the header but deployed without a reverse proxy. If the load balancer is configured to set it, are there still security issues?

2 more replies

mus1cfl0wOP5y ago

Not only that but XFF only works with L7, the standard LB deployed via service type LB in Kubernetes is L4

j / k navigate · click thread line to collapse

7 comments

remram5y ago

I'm assuming this is not an HTTP setup then? In the HTTP world, setting X-Forwarded-For is usually enough.

whatsmyusername5y ago

Relying on X-Forward-For for... pretty much anything is not a security best practice. The user can easily manipulate this header.

remram5y ago

AFAIK the common issue is software written or configured to read the header but deployed without a reverse proxy. If the load balancer is configured to set it, are there still security issues?

2 more replies

mus1cfl0wOP5y ago

Not only that but XFF only works with L7, the standard LB deployed via service type LB in Kubernetes is L4

j / k navigate · click thread line to collapse