I am using a Kong Ingress Controller to route the traffic to my cloud services. One of these services (Keycloak) uses the value of X-Forwarded-For for some of its functionalities. Currently, if an external client tries to call Keycloak with a value set for this header, Keycloak uses it internally. I would like to avoid this, and only pass the value of the header if it was set by a trusted IP (like an mTLS proxy). Incidentally, the value of X-Real-IP is always the real client's IP.
I have followed the Kong documentation to preserve the client IP, adding the following environment variables to my Kong container:

```yaml
- name: KONG_REAL_IP_HEADER
  value: "X-Forwarded-For"
- name: KONG_TRUSTED_IPS
  value: "0.0.0.0/0,::/0" # should hold mTLS proxy IP values only
- name: KONG_REAL_IP_RECURSIVE
  value: "on"
```

and `externalTrafficPolicy: Local` to my Kong LoadBalancer service.
My understanding was that the X-Forwarded-For header would then hold the real IP and would accept a client's value only if it was trusted. However, what this does is change the value of the header X-Real-IP to the value provided by X-Forwarded-For if the request came from a trusted IP, and only if the value was an IP. But the X-Forwarded-For header is still forwarded downstream with the original value, regardless of the client.
I would like to have a similar behavior for X-Forwarded-For as the one I currently have with X-Real-IP. Am I missing something here? Do I have to write some custom Lua code for this?
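For readers who want to see what the trusted-proxy / recursive real-IP semantics described in the question actually compute, here is an added example (my own code, not part of the question and not Kong's or nginx's implementation). It derives the client address from an `X-Forwarded-For` chain the way a "recursive" real-IP mode does (walk the chain right to left, skipping hops that belong to a trusted-proxy CIDR, and stop at the first untrusted address), and it rebuilds the header so that a value supplied by an untrusted peer is dropped rather than forwarded. The trusted CIDR list and the sample peer/header values are constructed for the demonstration; nothing here is read from Kong.

```python
"""Trusted-proxy handling of X-Forwarded-For (added example, not Kong code).

Model: a request arrives from `peer_ip` (the TCP peer, i.e. what the
proxy sees directly) carrying an optional X-Forwarded-For header.  Only
peers inside `trusted_cidrs` are allowed to vouch for addresses in the
header; everything else is treated as attacker-controlled input.
"""
import ipaddress
from typing import List, Optional


def _parse_networks(cidrs: List[str]):
    # strict=False accepts host bits set, e.g. "10.0.0.1/8".
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_trusted(ip: str, trusted_cidrs: List[str]) -> bool:
    """True if `ip` falls inside one of the trusted proxy ranges."""
    if not _is_ip(ip):
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _parse_networks(trusted_cidrs))


def _hops(xff: Optional[str]) -> List[str]:
    return [h.strip() for h in (xff or "").split(",") if h.strip()]


def real_client_ip(peer_ip: str, xff: Optional[str],
                   trusted_cidrs: List[str], recursive: bool = True) -> str:
    """Return the address to treat as the real client.

    - If the peer itself is not a trusted proxy, the header is ignored.
    - Non-recursive mode: take the rightmost hop (the one the trusted peer
      appended), if it parses as an IP.
    - Recursive mode: walk right to left; trusted hops are skipped, the
      first untrusted hop is the client.  A hop that is not a valid IP
      stops the walk and the last good value is kept.
    """
    if not is_trusted(peer_ip, trusted_cidrs):
        return peer_ip
    hops = _hops(xff)
    if not hops:
        return peer_ip
    if not recursive:
        return hops[-1] if _is_ip(hops[-1]) else peer_ip
    client = peer_ip
    for hop in reversed(hops):
        if not _is_ip(hop):
            break                      # garbage in the chain: stop here
        client = hop
        if not is_trusted(hop, trusted_cidrs):
            break                      # first untrusted address = client
    return client


def sanitized_xff(peer_ip: str, xff: Optional[str],
                  trusted_cidrs: List[str]) -> str:
    """Header value to send upstream.

    An untrusted peer cannot inject hops: its header is discarded and the
    chain restarts with the peer address.  A trusted peer's chain is kept
    and the peer is appended, as a well-behaved proxy does.
    """
    if not is_trusted(peer_ip, trusted_cidrs):
        return peer_ip
    return ", ".join(_hops(xff) + [peer_ip])


if __name__ == "__main__":
    trusted = ["10.0.0.0/8"]           # constructed: the internal proxy range
    # Constructed sample: external client spoofs the header directly.
    print(real_client_ip("203.0.113.5", "1.2.3.4", trusted))        # 203.0.113.5
    print(sanitized_xff("203.0.113.5", "1.2.3.4", trusted))         # 203.0.113.5
    # Constructed sample: request relayed through two trusted proxies.
    chain = "198.51.100.7, 10.0.0.9"
    print(real_client_ip("10.0.0.2", chain, trusted))               # 198.51.100.7
    print(real_client_ip("10.0.0.2", chain, trusted, recursive=False))  # 10.0.0.9
    print(sanitized_xff("10.0.0.2", chain, trusted))  # 198.51.100.7, 10.0.0.9, 10.0.0.2
```

The practical takeaway for the setup in the question: with `KONG_TRUSTED_IPS` set to `0.0.0.0/0,::/0`, every peer passes the `is_trusted` check, so the walk in `real_client_ip` honours whatever the external client wrote, which is exactly the outcome to avoid; the list should contain only the proxy ranges, as the comment in the question already notes.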