cloudflare / cloudflared

Cloudflare Tunnel client (formerly Argo Tunnel)
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide
Apache License 2.0

Add support for haproxy proxy protocol #369

Open normanr opened 3 years ago

normanr commented 3 years ago

Currently all ssh connections are from localhost, and the original client address is not available to sshd.

The HAProxy proxy protocol allows the client address to be preserved for non-http connections like ssh.

The tunnel origin request configuration should have an option to send a proxy header at the start of the connection. This would allow the client address to be restored via mmproxy.

Note this is already supported by spectrum (https://developers.cloudflare.com/spectrum/proxy-protocol).

sdickhoven commented 2 years ago

proxy protocol would also be needed for pointing cloudflared at an ingress controller that expects a proxy protocol header.

we have the following setup in aws:

nlb(proxy_protocol_v2.enabled=true,preserve_client_ip.enabled=false) -> ingress-nginx(use-proxy-protocol: "true")

we would like to have this setup:

                                             cloudflare(argo_tunnel) -> cloudflared
                                                                             |
                                                                             v
nlb(proxy_protocol_v2.enabled=true,preserve_client_ip.enabled=false) -> ingress-nginx(use-proxy-protocol: "true")

however, that would imply that cloudflared must "speak" proxy protocol.

an alternative would be to deploy another ingress controller that doesn't require a proxy protocol header. but we'd like to avoid that if possible.
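
For readers following the thread, an added example (not written by any participant and not cloudflared code) of what "speaking" proxy protocol v2 means on the wire: the proxy writes a small binary header ahead of the payload, and the backend parses it to recover the client address. The function names `BuildV2`, `ParseV2` and `sampleHeader` are hypothetical, the addresses are constructed documentation-range values, and only TCP over IPv4 without TLVs is handled.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net/netip"
)

// Fixed 12-byte signature that opens every PROXY protocol v2 header.
var sigV2 = []byte("\r\n\r\n\x00\r\nQUIT\n")

// BuildV2 returns the header a proxy writes before the first payload byte (TCP over IPv4, no TLVs).
func BuildV2(src, dst netip.AddrPort) ([]byte, error) {
	if !src.Addr().Is4() || !dst.Addr().Is4() {
		return nil, errors.New("only IPv4 is handled in this example")
	}
	s, d := src.Addr().As4(), dst.Addr().As4()
	h := append(append([]byte{}, sigV2...), 0x21, 0x11, 0, 12) // v2+PROXY, AF_INET+STREAM, 12-byte address block
	h = append(append(h, s[:]...), d[:]...)
	return append(h, byte(src.Port()>>8), byte(src.Port()), byte(dst.Port()>>8), byte(dst.Port())), nil
}

// ParseV2 returns the original client address and how many header bytes to strip from the stream.
func ParseV2(b []byte) (netip.AddrPort, int, error) {
	if len(b) < 16 || !bytes.Equal(b[:12], sigV2) {
		return netip.AddrPort{}, 0, errors.New("missing PROXY v2 signature")
	}
	if b[12] != 0x21 || b[13] != 0x11 {
		return netip.AddrPort{}, 0, errors.New("unsupported command or address family")
	}
	n := int(b[14])<<8 | int(b[15]) // declared length; may exceed 12 when TLVs follow
	if n < 12 || len(b) < 16+n {
		return netip.AddrPort{}, 0, errors.New("truncated address block")
	}
	src := netip.AddrFrom4([4]byte{b[16], b[17], b[18], b[19]})
	return netip.AddrPortFrom(src, uint16(b[24])<<8|uint16(b[25])), 16 + n, nil
}

// sampleHeader builds a header for a constructed client (documentation address ranges).
func sampleHeader() []byte {
	h, _ := BuildV2(netip.MustParseAddrPort("192.0.2.10:56324"), netip.MustParseAddrPort("198.51.100.5:22"))
	return h
}

func main() {
	client, n, err := ParseV2(append(sampleHeader(), "SSH-2.0-example\r\n"...))
	fmt.Println(client, n, err)
}
```

A receiver configured to expect this header rejects connections that arrive without it, and it should accept the header only from proxy addresses it trusts, since the header is unauthenticated.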

altitudems commented 2 years ago

This would be an amazing addition, very clearly needed for certain scenarios!

elderapo commented 1 year ago

This is not only an issue with haproxy. Currently k8s nginx-ingresses behind cloudflared are unable to display real user IP.

Creating nginx-ingress like:

helm upgrade --install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --set controller.config.use-proxy-protocol=true \
  --namespace ingress-nginx --create-namespace

and pointing cloudflared instances to it simply doesn't work.

mister2d commented 1 year ago

Adding proxy protocol would enable filtering of source IPs. Please consider bumping this to the top of the priority list.

hoozecn commented 2 weeks ago

Any updates? It's a key feature that we would like to use cloudflared