This Pull Request introduces two changes to enhance the IPv6 support of haproxy-boshrelease:
1. Proxy Protocol Adjustment for Health Check Frontend
AWS Network Load Balancers (NLBs) utilize the same Proxy Protocol setting for both forwarded traffic and health checks, as outlined in the AWS documentation.
The existing accept_proxy configuration property only applies the accept-proxy setting (refer to the HAProxy documentation) to the http and https frontends, excluding the health check frontend. This exclusion leads to the HAProxies being perceived as unhealthy by the load balancer once the feature is activated.
It is not feasible to globally enable accept-proxy for the health check frontend because monit also utilizes this frontend for the Remote host Service check, and it does not support the Proxy Protocol. Therefore, we are employing the expect-proxy feature to avoid expecting the proxy protocol for requests originating from localhost (i.e., monit).
2. Stick-Table Size Adjustment for IPv6
Currently, requests from IPv6 source addresses (either via Proxy Protocol or when HAProxy operates in dualstack/v4v6 enabled-mode) cannot be rate-limited. This limitation is due to the stick tables used for rate limiting being of the ip type, which cannot store the longer IPv6 addresses. This PR modifies the type to ipv6, enabling the storage of both IPv4 and IPv6 addresses (see HAProxy documentation). The additional memory overhead is negligible.
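The two changes described above, sketched as a plain HAProxy configuration. This is an added example, not the release's own template or code from the PR; the frontend and backend names, ports, the `/health` URI and the rate-limit numbers are assumptions.

```haproxy
# Constructed example: names, ports and thresholds are assumptions.

# 1. Health check frontend
#    The NLB prepends a PROXY protocol header to its health checks;
#    monit, connecting from localhost, does not send one.
frontend health_check_http
    mode http
    bind :8080
    # Expect the PROXY header on every connection except loopback ones.
    tcp-request connection expect-proxy layer4 unless { src 127.0.0.1 ::1 }
    monitor-uri /health

# 2. Rate limiting keyed on the client source address
backend st_http_req_rate
    # Before: an "ip" table holds IPv4 keys only, so IPv6 sources
    # are not tracked and never hit the limit.
    # stick-table type ip   size 1m expire 10s store http_req_rate(10s)
    # After: an "ipv6" table holds IPv6 keys and IPv4 sources as well.
    stick-table type ipv6 size 1m expire 10s store http_req_rate(10s)

frontend http-in
    mode http
    # Dual-stack listener that takes the client address from the PROXY header.
    bind :::80 v4v6 accept-proxy
    http-request track-sc0 src table st_http_req_rate
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8000
```

Both `accept-proxy` and `expect-proxy` take the source address from whatever PROXY header the peer sends, so the listening ports should be reachable only from the load balancer and localhost.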