Enable PROXY protocol for specific IPs in HAProxy #711
+215
−2
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
peanball
reviewed
Sep 9, 2024
peanball
reviewed
Sep 10, 2024
peanball
reviewed
Sep 10, 2024
peanball
reviewed
Sep 10, 2024
Mrizwanshaik
force-pushed
the
CFN-4684
branch
from
12a92c0
to
0620360
Compare
peanball
reviewed
Sep 11, 2024
peanball
reviewed
Sep 11, 2024
| }, time.Minute, time.Second).Should(Equal("running")) | ||
|
|
||
| By("Sending a request with Proxy Protocol Header to HAProxy traffic port") | ||
| err := performProxyProtocolRequest(haproxyInfo.PublicIP, 80, "/") |
There was a problem hiding this comment.
in addition, we could have a test here that a regular (i.e. non-proxy-protocol) request fails, because HAProxy was in fact expecting proxy protocol.
peanball
reviewed
Sep 11, 2024
peanball
reviewed
Sep 11, 2024
peanball
reviewed
Sep 11, 2024
peanball
reviewed
Sep 11, 2024
Co-authored-by: Rizwan <m.rizwan.shaik@sap.com>
Mrizwanshaik
force-pushed
the
CFN-4684
branch
from
bcf58bf
to
156e328
Compare
Co-Authored-by: Alexander Lais <alexander.lais@sap.com> Co-Authored-by: Daria Anton <daria.anton@sap.com>
Mrizwanshaik
force-pushed
the
CFN-4684
branch
from
156e328
to
fc656e1
Compare
Co-authored-by: Rizwan <m.rizwan.shaik@sap.com>
Co-authored-by: Rizwan <m.rizwan.shaik@sap.com>
Co-authored-by: Rizwan <m.rizwan.shaik@sap.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proxy protocol is required for IPv6 on AWS. We are facing the loss of source client IP in HA Proxy. AWS Load Balancer's property preserve_client_ip only works for disabled proxy protocol.
The global flag accept_proxy, which is false by default, is not suitable to solve the problem, since it would break the outgoing traffic.
This PR introduces a new property expect_proxy, which accepts a list of CIDR ranges for which to expect the PROXY protocol. This property should contain a list of private IPs/CIDRs of the load balancers, for which a transparent proxing will be turned off. The property is mutually exclusive with the accept_proxy and will lead to validation failure if both are set to true.