jaracil / nexus

Distributed RPC system

Obtain real IP address of clients behind loadbalanced/reverseproxied connections #23

Closed pho closed 8 years ago

pho commented 8 years ago

Nexus daemons listening behind a TCP reverse proxy or load balancer won't get the real client source IP address.

Nginx and HAProxy work around this by implementing the PROXY Protocol, which prepends a payload of the real client data before the raw TCP conversation.

We cannot try to read the first line of the TCP stream and check whether it contains PROXY protocol or not, because a non-trusted client could forge a proxy header and try to bypass an IP white/blacklist. Instead we should set up specific listeners for these proxied connections and make sure that only a trusted balancer can reach the address.

pho commented 8 years ago

Implemented on 12639d19a6ec
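
The listener split described in this issue, as an added Go example; it is not the code from the commit referenced above or from the nexus project. The function name `ClientIP`, the trusted range `10.0.0.0/24` and the sample header are assumptions constructed for illustration, and only PROXY protocol v1 `TCP4`/`TCP6` lines are handled.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"strings"
)

// trustedLB is a constructed example range for the load balancer (assumption).
var _, trustedLB, _ = net.ParseCIDR("10.0.0.0/24")

// ClientIP returns the address to use for allow/deny decisions.
// proxied is true only for connections accepted on the dedicated PROXY listener.
func ClientIP(peer net.IP, proxied bool, r *bufio.Reader) (net.IP, error) {
	if !proxied {
		return peer, nil // plain listener: never interpret a PROXY header
	}
	if !trustedLB.Contains(peer) {
		return nil, errors.New("PROXY listener reached by untrusted peer")
	}
	b, err := r.ReadSlice('\n') // bounded by the reader's buffer size
	line := string(b)
	if err != nil || len(line) > 107 || !strings.HasSuffix(line, "\r\n") {
		return nil, errors.New("malformed PROXY v1 header")
	}
	f := strings.Split(strings.TrimSuffix(line, "\r\n"), " ")
	// "PROXY UNKNOWN" is rejected here to keep the example narrow.
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return nil, errors.New("unsupported PROXY v1 header")
	}
	src := net.ParseIP(f[2])
	if src == nil || (f[1] == "TCP4") != (src.To4() != nil) {
		return nil, errors.New("bad source address in PROXY header")
	}
	return src, nil // the application stream continues in r after the header
}

func main() {
	// Constructed sample header followed by application data.
	hdr := "PROXY TCP4 203.0.113.7 10.0.0.5 51234 7717\r\nhello"
	for _, peer := range []string{"10.0.0.9", "198.51.100.4"} {
		rd := bufio.NewReader(strings.NewReader(hdr))
		ip, err := ClientIP(net.ParseIP(peer), true, rd)
		fmt.Println(peer, "->", ip, err)
	}
}
```

The peer-address check is a second layer; the dedicated listener should still be bound or firewalled so that only the balancer can reach it.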