HTTP Ingress
HTTP Ingress Overview
CloudFlow HTTP Ingress is implemented by an enhanced Kubernetes Ingress Controller that is built upon the open source Nginx Ingress. CloudFlow's enhancements give application developers special capabilities such as IP blocking, handling of SSL certificates, maintenance pages, and HTTP request metadata enhancement with geo IP properties of the end user.
CloudFlow HTTP Ingress has has the following responsibilities:
- Performing the TLS handshake for HTTPS connections
- Request enrichment
- Routing HTTP requests to your applications and services
- Implementing the HTTP/2 protocol
- Request correlation
This ingress controller supports TCP port 80 for HTTP and 443 for HTTPS.
The ingress will route traffic to your applications and services based on the host header over HTTP/1.1 regardless of the incoming protocol.
Activating HTTP Ingress
HTTP Ingress is enabled by declaring in your environment a single Kubernetes service that you name ingress-upstream
. Specify the type of Service as ClusterIP. Note that Service resources of type NodePort and LoadBalancer services are not accepted. Note that the standard Kubernetes Ingress resource is not leveraged nor recognized by the Platform.
Check our guide on this topic.
How It Works
Use of CloudFlow HTTP Ingress causes a deployment of small, special ingress pods that will be charged to your account. There are 2 pods in the deployment with horizontal pod autoscaling turned on. This deployment is charged to your account like any other application containers. You will not be able to see the containers using kubectl.
TLS metadata
CloudFlow HTTP Ingress performs the TLS handshake with the client on behalf of your application. Some details of this TLS handshake are then relayed to your application by adding HTTP headers to the request.
An x-forwarded-proto
header with a value of either http
or https
is added to indicate if the client used HTTP (i.e. no TLS) or HTTPS to connect. For HTTPS requests, the following headers will also be present.
section-io-tls-protocol
- the TLS protocol version negotiated with the client. Examples includeTLSv1.2
andTLSv1.3
.section-io-tls-cipher
- the TLS cipher suite negotiated with the client, in OpenSSL naming convention. Examples includeECDHE-RSA-AES128-GCM-SHA256
andTLS_AES_256_GCM_SHA384
. For translations to other cipher suite naming conventions see ciphersuite.info or testssl.sh.
IP geolocation
For each incoming request, the ingress controller will attempt to resolve the client's connecting IP address to a geographic location. The results of the lookup are then exposed as HTTP request headers. These headers are:
section-io-geo-country-code
- the ISO 3166-1 alpha-2 country code e.g.US
for the United States.section-io-geo-country-name
- the country name e.g.United States
.section-io-geo-asn
- ASN number.section-io-geo-region-code
- examples includeCA
andVA
for US IPs orNSW
for Australian IPs.section-io-geo-region-name
- examples includeCalifornia
andVirginia
for US IPs orNew South Wales
for Australian IPs.section-io-geo-city
- examples includeNew York
,Mountain View
,Sydney
, andDrummoyne
.section-io-geo-latlon
- the approximate latitude and longitude in the format-33.8696,151.2099
.section-io-geo-postal-code
- examples include2047
for Drummoyne, NSW, Australia and80302
for Boulder, CO, USA.section-io-geo-dma-code
- The Nielsen Designated Market Area ID as used by DoubleClick. Only for US IPs.
The ingress controller leverages the open source MaxMind GeoIP2 library for geolocation data.
Client IP Detection
CloudFlow adds the True-Client-IP
HTTP header which is equivalent to the remote_addr
value. This request header can be used in a number of ways:
- Fraud detection
- Logging client usage
- Rate limiting
CloudFlow also sets the X-Forwarded-For
header if you need to use that, however this header will often be a list of IP addresses depending on how the request has been proxied prior to arriving at CloudFlow and is not always reliable.
Request correlation
When the ingress controller handles each incoming request, a unique identifier is generated and is added to the request via a section-io-id
HTTP request header. You can use this value to trace the request through your application stack.
The format of the section-io-id
identifier is subject to change without notice so it should be treated as an opaque string and no meaning should be inferred from its value.