Issues with Google cloud platform load balancer client origin ip / geo location


I've got an issue with my GCE HTTP(S) load balancer, where it's not detecting the correct X-Client-Geo-Region etc.

Because we need to serve currently 3000 (increasing every day) custom domains with SSL, I couldn't find another way to build this infrastructure without having custom SSL termination. And I wanted to use Cloud Armor to remove another thing to maintain, else I'd have installed ModSecurity on the nginx proxy.

EntrypointA: not working, only showing the US region.
EntrypointB: working as expected, detecting the correct region (GB). Ofc this bypasses SSL.

                                            EntrypointB
                                                 |
                                                 V
EntrypointA -> SSL Termination Service -> GCE Loadbalancer -> GCE Instance (Http server)
                   (Nginx proxy)                     ^
                                                     |
                                                Cloud Armor

So far I've tried setting every header I could find in the proxy, but either the load balancer doesn't look at headers or it's one I'm not aware of.

Headers I've tried:

proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP          $remote_addr;
proxy_set_header X-User-IP          $remote_addr;
proxy_set_header X-ProxyUser-Ip     $remote_addr;
proxy_set_header True-Client-IP     $remote_addr;

When I check the headers on the server they all look correct (excluding the geo ones ofc). Forwarded-For is correct and so is X-Real-IP.


There are 1 answers

Gustavo Blanco On

Per the docs, with the GCP HTTP(S) LB the TLS is ended in different locations all over the world to minimize latency. So the best product to have geographic control is Network load balancers, in order to terminate TLS on the backend instances.

Maybe that approach will not fit your needs so you may want to explore Cloudflare instead.
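
An added example (not part of the original question or answer) for the backend side of the EntrypointA path: Google's external HTTP(S) load balancer appends two entries to X-Forwarded-For, the IP that connected to it and its own forwarding rule IP, so the backend can walk the chain from the right and accept the client address only when the hops it expects are present. The LB address and nginx proxy range below are constructed placeholder values, and `client_ip_from_xff` is a hypothetical helper name.

```python
import ipaddress

# Constructed placeholder values (documentation ranges), not from the page.
LB_FORWARDING_RULE_IP = ipaddress.ip_address("203.0.113.10")  # assumed LB frontend IP
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/28")]   # assumed nginx egress range


def client_ip_from_xff(xff, lb_ip=LB_FORWARDING_RULE_IP, trusted=TRUSTED_PROXIES):
    """Return the client IP (as a string) from the X-Forwarded-For value the
    backend receives, or None when the chain is not the expected one.

    Expected chains, read right to left:
      EntrypointB: [untrusted...], client, lb
      EntrypointA: [untrusted...], client, nginx, lb
    Anything to the left of the returned entry is client-supplied and ignored.
    """
    if not xff:
        return None
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",")]
    except ValueError:
        return None  # malformed entry somewhere in the chain

    # The last entry must be the load balancer itself; otherwise the request
    # did not come through it and nothing in the header can be trusted.
    if len(hops) < 2 or hops[-1] != lb_ip:
        return None

    peer = hops[-2]  # appended by the LB: the address that connected to it
    if not any(peer in net for net in trusted):
        return str(peer)  # direct connection to the LB (EntrypointB)

    # The peer is our own nginx proxy. With $proxy_add_x_forwarded_for it
    # appended its $remote_addr, which is the entry just before its own.
    if len(hops) < 3:
        return None
    return str(hops[-3])


if __name__ == "__main__":
    # Constructed sample: spoofed entry, real client, nginx proxy, LB.
    print(client_ip_from_xff("8.8.8.8, 192.0.2.44, 198.51.100.3, 203.0.113.10"))
```

This only tells the backend which address to use; it does not alter the geo headers the load balancer computes itself.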