Preserving Client IP Addresses for Custom Domains


X-Forwarded-For header

Note that the preserved client IP will be accessible in the X-Forwarded-For header if you implement the configuration in this guide.



Changing this configuration may result in a few minutes of downtime. It is recommended to set up client IP addresses before the application is live, or update it during a maintenance window. For more information, see this Github issue.

You will need to update your NGINX config to support proxying external IP addresses to Porter.

In the ingress-nginx application, you'll be modifying the following Helm values:

    use-proxy-protocol: 'true' # <-- CHANGE
    annotations: '10254' 'true'
    enabled: true
  podAnnotations: '10254' 'true'
    annotations: '*'  # <-- CHANGE nlb-ip

AWS nginx configAWS nginx config




You must have a health check endpoint for your application. This endpoint must return a 200 OK status when it is pinged.

On Porter clusters provisioned through GCP, traffic flows through a regional TCP load balancer by default. These load balancers do not support a proxy protocol (only global TCP load balancers or regional/global HTTP(S) load balancers support this), and thus the client IP cannot be accessed by using the default load balancer. As a result, to get client IP addresses to your applications, you must create a new load balancer with a custom IP address. This guide will show you how to do that.

  1. You must first create a static global IP address in the GCP console. You can do this by navigating to External IP addresses (VPC Network > External IP Addresses), and clicking "Reserve External Address". Name this address something like porter-ip-address and select "Global" for the type:

Global LB configGlobal LB config

Copy the created IP address to the clipboard.

  1. In your DNS provider, configure a custom domain to point to that IP address, which you can do by creating an A record with your domain as the value. Check that the domain is pointing to the IP address through nslookup <domain>, where the address in the response should be the IP address you just created.

  2. Install an HTTPS issuer on the Porter dashboard by going to Launch > Community Addons > HTTPS Issuer. Toggle the checkbox Create GCE Ingress. If you have already installed the HTTPS issuer, you will have to delete your current issuer and create a new one.

HTTPS ingress with GCEHTTPS ingress with GCE

  1. Create the web service by going to the Porter dashboard and navigating to Launch > Web service. Link up your source, and then configure the following three settings:
  • Toggle "Configure Custom Domain" at the bottom of the "Main" tab, and add your custom domain.

  • Go to the "Advanced" tab. In the "Ingress Custom Annotations" section, add the following three parameters: letsencrypt-prod-gce gce porter-ip-address # IMPORTANT: replace this with the name of your static ip address!

It should look something like this:

Deployment configDeployment config

  • Still in the "Advanced" tab, you must set up a custom health check at an application endpoint. This is by default set to /healthz, but you can choose whichever path you'd like. This endpoint must return a 200 OK status when it is pinged.

Healthz configHealthz config

  1. Click "Deploy". It will take 10-15 minutes for the load balancer to be created and the certificates to be issued.