cloudfoundry / haproxy-boshrelease

A BOSH release for haproxy (based on cf-release's haproxy job)
Apache License 2.0

Fix proxy protocol for Health Check frontend & Set stick-table size to IPv6 #633

Closed a18e closed 4 months ago

a18e commented 6 months ago

This Pull Request introduces two changes to enhance the IPv6 support of haproxy-boshrelease:

1. Proxy Protocol Adjustment for Health Check Frontend

AWS Network Load Balancers (NLBs) utilize the same Proxy Protocol setting for both forwarded traffic and health checks, as outlined in the AWS documentation.

The existing accept_proxy configuration property only applies the accept-proxy setting (refer to the HAProxy documentation) to the http and https frontends, excluding the health check frontend. This exclusion leads to the HAProxies being perceived as unhealthy by the load balancer once the feature is activated.

It is not feasible to globally enable accept-proxy for the health check frontend because monit also utilizes this frontend for the Remote host Service check, and it does not support the Proxy Protocol. Therefore, we are employing the expect-proxy feature to avoid expecting the proxy protocol for requests originating from localhost (i.e., monit).

2. Stick-Table Size Adjustment for IPv6

Currently, requests from IPv6 source addresses (either via Proxy Protocol or when HAProxy operates in dualstack/v4v6-enabled mode) cannot be rate-limited. This limitation is due to the stick tables used for rate limiting being of the ip type, which cannot store the longer IPv6 addresses. This PR modifies the type to ipv6, enabling the storage of both IPv4 and IPv6 addresses (see HAProxy documentation). The additional memory overhead is negligible.
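As an added illustration (not the pull request's own diff, which is not shown on this page, and not code from the haproxy-boshrelease project), the two changes described above written out in HAProxy configuration syntax, with the previous form beside the corrected one. The frontend names, the ports, the monitor URI and the rate-limit threshold are assumptions; only the accept-proxy, expect-proxy and stick-table directives follow from the description.

```haproxy
# --- Before: health-check frontend with no PROXY protocol handling ---
# An NLB with Proxy Protocol v2 enabled prefixes its health-check
# connections with a PROXY header; this frontend treats that header as
# garbage and the target is reported unhealthy.
frontend health_check_old
    bind :8080                      # port assumed
    mode http
    monitor-uri /health             # URI assumed

# --- After: require the PROXY header, except from localhost ---
# monit's remote-host check connects from 127.0.0.1 without a PROXY
# header, so the header is expected only for non-loopback sources.
frontend health_check
    bind :8080
    mode http
    tcp-request connection expect-proxy layer4 unless { src 127.0.0.0/8 ::1 }
    monitor-uri /health

# --- Before: stick table of type ip (4-byte keys, IPv4 only) ---
# An IPv6 source does not fit the key, so such clients are never
# tracked and therefore never rate-limited.
frontend https_old
    bind :443 accept-proxy          # TLS settings omitted
    mode http
    stick-table type ip size 1m expire 10s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

# --- After: type ipv6 (16-byte keys) stores both address families;
# IPv4 sources are kept as IPv4-mapped IPv6 keys (::ffff:a.b.c.d) ---
frontend https
    bind :443 accept-proxy
    mode http
    stick-table type ipv6 size 1m expire 10s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
```

Both frontends can be syntax-checked offline with `haproxy -c -f <file>`. The expect-proxy rule is evaluated at connection time before any byte is read, which is what allows the loopback exemption to be decided by source address alone; the ipv6 table type costs 12 more bytes per tracked key than ip, which at 1m entries is the negligible overhead the description refers to.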