ingress-nginx-helm/docs/user-guide/miscellaneous.md


# Miscellaneous
## Source IP address
By default NGINX uses the content of the `X-Forwarded-For` header as the source of truth for the client IP address. This works without issues in L7 **if the setting `proxy-real-ip-cidr` is configured** with the IP/network address of the trusted external load balancer: any client can put arbitrary values in this header, so only the entries appended by proxies inside that range should be believed.
If the ingress controller is running in AWS, use the VPC IPv4 CIDR.
Another option is to enable the PROXY protocol using `use-proxy-protocol: "true"`.
In this mode NGINX does not use the content of the header to obtain the source IP address of the connection.
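To make the effect of `proxy-real-ip-cidr` concrete, here is an added example (not ingress-nginx or NGINX code) that models how NGINX's realip module picks the client address from `X-Forwarded-For`, walking the header from right to left and stopping at the first hop outside the trusted CIDRs, as `real_ip_recursive on` does. The CIDR, peer address and header value are constructed; the scenario compares a correctly scoped CIDR with an over-broad one.

```python
import ipaddress

# Added example (not ingress-nginx code): a model of how NGINX's realip module
# picks the client address from X-Forwarded-For given the trusted proxy CIDRs
# that ingress-nginx's `proxy-real-ip-cidr` turns into `set_real_ip_from`.
# Assumes the recursive search that `real_ip_recursive on` performs.

def resolve_client_ip(peer_ip, xff_header, trusted_cidrs):
    """Return the client IP the proxy would report.

    peer_ip       address of the TCP peer that connected to NGINX
    xff_header    raw X-Forwarded-For value (may be None)
    trusted_cidrs CIDRs whose X-Forwarded-For entries are believed
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    is_trusted = lambda ip: any(ip in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    # An untrusted peer's header is ignored outright: the peer is the client.
    if not xff_header or not is_trusted(peer):
        return str(peer)

    hops = [h.strip() for h in xff_header.split(",")]
    # Walk right to left (nearest proxy first) and stop at the first hop that
    # is not a trusted proxy: that is the address the trusted proxy saw.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)        # malformed entry: keep the peer address
        if not is_trusted(ip):
            return str(ip)
    # Every hop was trusted, so the leftmost (client-supplied) one is used.
    return hops[0]


VPC_CIDR = ["10.0.0.0/8"]   # constructed: the load balancer's network
LB_PEER = "10.0.1.5"        # constructed: the LB address as seen by NGINX
# Constructed header: the client injected "198.51.100.99"; the LB then
# appended the address it actually saw the connection come from.
SPOOFED_XFF = "198.51.100.99, 203.0.113.7"


def demo():
    return {
        "correct_cidr": resolve_client_ip(LB_PEER, SPOOFED_XFF, VPC_CIDR),
        "too_broad": resolve_client_ip(LB_PEER, SPOOFED_XFF, ["0.0.0.0/0"]),
        "untrusted_peer": resolve_client_ip("192.0.2.9", SPOOFED_XFF, VPC_CIDR),
    }


if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case:15} -> {ip}")
```

With the correct CIDR the injected entry is ignored and the address the load balancer observed is reported; with a CIDR that trusts every address, the client-chosen entry wins, which is why the setting must match the load balancer's network and nothing wider.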
## Path types
Each path in an Ingress is required to have a corresponding path type. Paths that do not include an explicit `pathType` will fail validation.
By default the NGINX path type is `Prefix`, so that existing definitions do not break.
## Proxy Protocol
If you are using an L4 proxy to forward traffic to the Ingress NGINX pods and terminate HTTP/HTTPS there, you will lose the remote endpoint's IP address. To prevent this you can use the [PROXY Protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for forwarding traffic; it sends the connection details before forwarding the actual TCP connection itself.
Among others, [ELBs in AWS](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html) and [HAProxy](http://www.haproxy.org/) support the PROXY Protocol.
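The "connection details" sent ahead of the TCP stream are a short text line in PROXY protocol v1. The following added example (not ingress-nginx, NGINX or HAProxy code) parses that line as the proxied side would, following the linked specification; the sample bytes are constructed. In NGINX, `set_real_ip_from` (driven by `proxy-real-ip-cidr`) still governs which peers' PROXY headers are honoured, so the header is only as trustworthy as the load balancer that sends it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not ingress-nginx or HAProxy code): a parser for the
# human-readable PROXY protocol v1 header that an L4 load balancer sends
# ahead of the TCP payload, so the proxied server learns the client endpoint.

MAX_V1_HEADER = 107   # longest valid v1 line including CRLF, per the spec


@dataclass
class ProxyInfo:
    family: str                 # "TCP4", "TCP6" or "UNKNOWN"
    src_ip: Optional[str]
    dst_ip: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    payload: bytes              # bytes that follow the header


def parse_proxy_v1(data: bytes) -> ProxyInfo:
    """Parse a PROXY v1 header from the first bytes of a connection."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    line, payload = data[:end].decode("ascii"), data[end + 2:]
    fields = line.split(" ")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        # Sender does not know the client (e.g. a health check): no endpoint.
        return ProxyInfo("UNKNOWN", None, None, None, None, payload)
    if len(fields) != 6:
        raise ValueError("PROXY v1 header must have 6 fields: " + line)
    _, family, src, dst, sport, dport = fields
    version = {"TCP4": 4, "TCP6": 6}.get(family)
    if version is None:
        raise ValueError("unsupported family " + family)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != version or dst_ip.version != version:
        raise ValueError("address family does not match " + family)
    sp, dp = int(sport), int(dport)
    if not (0 <= sp <= 65535 and 0 <= dp <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(family, str(src_ip), str(dst_ip), sp, dp, payload)


# Constructed sample: a balancer forwarding a client at 203.0.113.7:51234 to
# the ingress pod at 10.0.1.20:443, followed by the start of a TLS record.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.1.20 51234 443\r\n\x16\x03\x01"

if __name__ == "__main__":
    i = parse_proxy_v1(SAMPLE)
    print(f"client {i.src_ip}:{i.src_port} -> {i.dst_ip}:{i.dst_port}")
```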
## Websockets
Support for websockets is provided by NGINX out of the box; no special configuration is required.
The only requirement, to avoid connections being closed, is to increase the values of `proxy-read-timeout` and `proxy-send-timeout`.
The default value of these settings is `60` seconds.
A more adequate value to support websockets is one higher than one hour (`3600`).
!!! Important
    If the Ingress-Nginx Controller is exposed with a service `type=LoadBalancer`, make sure the protocol between the load balancer and NGINX is TCP.
## Optimizing TLS Time To First Byte (TTTFB)
NGINX provides the configuration option [ssl_buffer_size](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size) to allow the optimization of the TLS record size.
This improves the [TLS Time To First Byte](https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/) (TTTFB).
The default value in the Ingress controller is `4k` (NGINX default is `16k`).
## Retries in non-idempotent methods
Since NGINX 1.9.13, non-idempotent requests (POST, LOCK, PATCH) are not retried in case of an error.
The previous behavior can be restored using `retry-non-idempotent=true` in the configuration ConfigMap.
## Limitations
- Ingress rules for TLS require the definition of the field `host`
## Why endpoints and not services
The Ingress-Nginx Controller does not use [Services](http://kubernetes.io/docs/user-guide/services) to route traffic to the pods. Instead it uses the Endpoints API, bypassing [kube-proxy](http://kubernetes.io/docs/admin/kube-proxy/) so that NGINX features like session affinity and custom load balancing algorithms can work. It also removes some overhead, such as conntrack entries for iptables DNAT.