Add optional support for the PROXY protocol #126
Conversation
|
Hey Jonty! Thanks for submitting this pull request! I'm here to inform the recipients of the pull request that you've already signed the CLA. |
|
We have created an issue in Pivotal Tracker to manage this. You can view the current status of your issue at: https://www.pivotaltracker.com/story/show/116690921. |
|
This should close #125 |
Jonty
force-pushed
the
add_proxy_protocol_support
branch
4 times, most recently
from
160bec3 to
62b127b
Compare
|
The build is failing due to Travis being slow and tests timing out, they pass when run locally. |
Jonty
force-pushed
the
add_proxy_protocol_support
branch
from
62b127b to
cfed0a2
Compare
This adds support for the commonly implemented PROXY protocol, allowing TCP proxies to pass along upstream client information. When this is enabled gorouter will read the PROXY preamble and inject the upstream information into the `X-Forwarded-For` header. http://blog.haproxy.com/haproxy/proxy-protocol/ It should be noted that when using PROXY on the HTTPS port the `X-Forwarded-Proto` header will not be set to "https" as expected because the X-Forwarded-Proto code checks for source.TLS, which is only set by the go http library if the `conn` is a `tls.conn`: https://golang.org/src/net/http/server.go#L1398 This can only be fixed properly by patching the standard library. We plan to submit a separate gorouter patch to allow operators to override the autodetected X-Forwarded-Proto if they are terminating SSL at the load balancer before gorouter and using PROXY to communicate with gorouter.
Jonty
force-pushed
the
add_proxy_protocol_support
branch
from
cfed0a2 to
2c1f04d
Compare
What is the behavior when using PROXY on the HTTP port? Your use case is an insecure private network. Since your SSL terminator is sending requests to port 80, would Gorouter detect the value of X-Forwarded-Proto using this PROXY protocol? If so, it seems like your "Force Proto" solution isn't necessary. |
|
@shalako When the inbound connection is on port 80 the The PROXY protocol does not communicate the incoming protocol used, and the upstream proxy itself is not HTTP-aware so will not insert the The PROXY protocol does communicate the incoming port number, so it would be possible to automatically set |
|
Yesterday upstream golang gained support for accessing the local address from a http handler, which would make my previous suggestion substantially easier to implement. Obviously this won't be possible until there's a new golang release though. |
|
As commented here what is the decision for this PR? Shall we go for the approach of an updated golang release which would allow implement logic to check if the upstream port the same as |
|
Please confirm my understanding of the alternative you're suggesting
|
Yes, in order to get the original connection information from the first proxy (e.g. ELB in TCP mode)
Yes, it is required to be able to check the port as described in @Jonty comment. But as @Jonty pointed, it has been added and reviewed here, and you can see the github commit here. But it seems that the code has not been released yet.
Yes, they send the port as part of the proxy protocol
exactly |
|
@keymon @Jonty In terms of the In the commit you mention, the context key is set to the Other than that, the PR looks fine code-wise. |
|
@crhino |
|
@Jonty : Thank you for submitting PR. We were wondering if you could provide an integration test to verify the continued support for Proxy Protocol. Regards |
|
@flawedmatrix @shashwathi Is the test we implemented not sufficient? |
|
@Jonty : We were thinking more along the lines of an end-to-end test. After looking at the PR again, the given tests should do the job. Regards |
|
@Jonty : We noticed an issue when we were testing this PR, gorouter does not seem accept multiple connections anymore. Steps to reproduce this issue:
When you disable proxy protocol and repeat the above steps, you will see that the gorouter accepts multiple connections on its port. We have a failing test case on a branch in gorouter to demonstrate the same. We think the problem might be in the proxyproto library, where listener which is a wrapper around http listener only accepts one connection at a time. To solve this immediately, we will add a Let us know if you have any questions. Regards |
|
Hi @shashwathi, I'm one of @Jonty's colleagues. This is definitely not intended behaviour & we'll take a look in the next few days. |
|
@bleach There is an open PR that fixes this, however no work has been done to get it upstream: armon/go-proxyproto#2 I would suggest that someone should take that and work with @armon to get it into master, rather than forking it. |
|
I think that this issue happens only if:
If you have a proxy sending But it must be fixed, indeed. |
|
As an update:
|
|
I opened a new issue #141 to track this. We propose a solution there. |
This adds support for the commonly implemented PROXY protocol, allowing TCP proxies to pass along upstream client information. When this is enabled gorouter will read the PROXY preamble and inject the upstream information into the X-Forwarded-For header.
http://blog.haproxy.com/haproxy/proxy-protocol/
It should be noted that when using PROXY on the HTTPS port the
X-Forwarded-Protoheader will not be set to "https" as expected because the X-Forwarded-Proto code checks forsource.TLS, which is only set by the go http library if theconnis atls.conn:https://golang.org/src/net/http/server.go#L1398
This can only be fixed properly by patching the standard library. We plan to submit a separate gorouter patch to allow operators to override the autodetected X-Forwarded-Proto if they are terminating SSL at the load balancer before gorouter and using PROXY to communicate with gorouter.