Enable PROXY protocol for specific IPs in HAProxy #711
Some WIP comments. I know this is not ready yet.
12a92c0 to 0620360
}, time.Minute, time.Second).Should(Equal("running")) | ||
|
||
By("Sending a request with Proxy Protocol Header to HAProxy traffic port") | ||
err := performProxyProtocolRequest(haproxyInfo.PublicIP, 80, "/") |
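Review bot: on the `err := performProxyProtocolRequest(haproxyInfo.PublicIP, 80, "/")` line the helper hands back only an error, so this step can show that HAProxy did not reject the connection but not that it parsed the PROXY header and took the client address from it. Consider returning the response from the helper and asserting on the source address the backend saw, so that a regression in which the header is silently ignored would fail the test.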
In addition, we could have a test here that a regular (i.e. non-proxy-protocol) request fails, because HAProxy was in fact expecting proxy protocol.
@peanball Thanks
Co-authored-by: Rizwan <m.rizwan.shaik@sap.com>
bcf58bf to 156e328
Co-Authored-by: Alexander Lais <alexander.lais@sap.com>
Co-Authored-by: Daria Anton <daria.anton@sap.com>
156e328 to fc656e1
Co-authored-by: Rizwan <m.rizwan.shaik@sap.com>
Co-authored-by: Rizwan <m.rizwan.shaik@sap.com>
Co-authored-by: Rizwan <m.rizwan.shaik@sap.com>
Proxy protocol is required for IPv6 on AWS. We are facing the loss of source client IP in HAProxy. AWS Load Balancer's property preserve_client_ip only works when proxy protocol is disabled.
The global flag accept_proxy, which is false by default, is not suitable to solve the problem, since it would break the outgoing traffic.
This PR introduces a new property expect_proxy, which accepts a list of CIDR ranges for which to expect the PROXY protocol. This property should contain a list of private IPs/CIDRs of the load balancers, for which transparent proxying will be turned off. The property is mutually exclusive with accept_proxy and will lead to validation failure if both are set to true.
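The per-source decision described above, as an added Go example that is not code from this PR or from HAProxy: a peer inside a listed CIDR must open with a PROXY protocol v1 header, and a header from any other peer is never used as the client address. The function name `clientIP` and all addresses are constructed for illustration; the v1 `UNKNOWN` form is treated as an error here.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// clientIP (hypothetical helper) returns the address to treat as the client.
// peer is the TCP peer address, firstLine the first line read from it, and
// expectFrom models expect_proxy: CIDRs whose connections must carry PROXY v1.
func clientIP(peer, firstLine string, expectFrom []string) (string, error) {
	ip := net.ParseIP(peer)
	if ip == nil {
		return "", errors.New("invalid peer address")
	}
	expected := false
	for _, c := range expectFrom {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return "", fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		if n.Contains(ip) {
			expected = true
			break
		}
	}
	if !expected {
		// Not a listed load balancer: its PROXY header, if any, is not trusted.
		return peer, nil
	}
	// PROXY v1: "PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\r\n"
	f := strings.Fields(strings.TrimSuffix(firstLine, "\r\n"))
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return "", errors.New("PROXY header expected from this peer")
	}
	src := net.ParseIP(f[2])
	if src == nil {
		return "", errors.New("invalid source address in PROXY header")
	}
	return src.String(), nil
}

func main() {
	lbs := []string{"10.0.0.0/24"} // constructed sample load balancer range
	hdr := "PROXY TCP4 203.0.113.7 10.0.1.9 51234 80\r\n"
	fmt.Println(clientIP("10.0.0.5", hdr, lbs))                // header honoured
	fmt.Println(clientIP("10.0.0.5", "GET / HTTP/1.1\r\n", lbs)) // rejected
	fmt.Println(clientIP("198.51.100.4", hdr, lbs))            // header ignored
}
```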