projectcontour / contour

Contour is a Kubernetes ingress controller using Envoy proxy.
https://projectcontour.io
Apache License 2.0

Offer PROXY protocol listeners in addition to HTTP(S) listeners #1257

Closed bgagnon closed 4 days ago

bgagnon commented 5 years ago

Currently, the --use-proxy-protocol flag adds the filter on all listeners (HTTP and HTTPS). This prevents Envoy from answering direct requests that do not speak the PROXY protocol.

Example:

--envoy-service-http-port=80
--envoy-service-https-port=443
--use-proxy-protocol

With this feature, the PROXY protocol listener would be separated from the http and https listeners.

Keeping backward compatibility, something like this could work:

--envoy-service-http-port=80
--envoy-service-https-port=443
--envoy-service-proxy-protocol-port=8443
--use-proxy-protocol

The use cases are the following:

Ideally, Envoy would simply detect the presence or absence of the PROXY headers, but this is explicitly forbidden by the protocol, according to the Envoy docs:

Protocol must be present on the connection (either version 1 or version 2), the standard does not allow parsing to determine if it is present or not.
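
The separation proposed in this issue, as an added example that is not part of the original post or Contour's code: each listener is configured either to require a PROXY protocol header or never to parse one, and nothing is inferred from the first bytes. `ClientAddr`, the sample streams and the addresses are constructed for illustration, and only the v1 text form for TCP4/TCP6 is handled.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"strings"
)

// ErrNoProxyHeader is returned when a PROXY listener gets a connection
// that does not start with a PROXY protocol v1 header.
var ErrNoProxyHeader = errors.New("PROXY header required on this listener")

// ClientAddr returns the client address to attribute to a connection.
// expectProxy is fixed per listener (never guessed from the bytes);
// peer is the TCP peer address of the socket.
func ClientAddr(expectProxy bool, r *bufio.Reader, peer string) (string, error) {
	if !expectProxy {
		// Plain listener: the stream is never inspected for a header, so
		// a client cannot claim a different source address.
		return peer, nil
	}
	line, err := r.ReadString('\n')
	if err != nil || !strings.HasPrefix(line, "PROXY ") || !strings.HasSuffix(line, "\r\n") {
		return "", ErrNoProxyHeader
	}
	// v1 form: PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\r\n
	f := strings.Fields(line)
	if len(f) != 6 || (f[1] != "TCP4" && f[1] != "TCP6") || net.ParseIP(f[2]) == nil {
		return "", ErrNoProxyHeader
	}
	return net.JoinHostPort(f[2], f[4]), nil
}

func main() {
	// Constructed sample streams, not captured traffic.
	viaLB := "PROXY TCP4 203.0.113.7 10.0.0.5 51234 8443\r\nGET / HTTP/1.1\r\n\r\n"
	direct := "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
	for _, expectProxy := range []bool{true, false} {
		for _, stream := range []string{viaLB, direct} {
			r := bufio.NewReader(strings.NewReader(stream))
			addr, err := ClientAddr(expectProxy, r, "10.0.0.9:40000")
			fmt.Printf("expectProxy=%-5v first=%q addr=%q err=%v\n", expectProxy, stream[:5], addr, err)
		}
	}
}
```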

davecheney commented 5 years ago

Thank you for raising this issue. It's not on the roadmap for Contour 1.0, but I'll add it to the unplanned milestone for consideration after Contour 1.0 ships.

github-actions[bot] commented 1 month ago

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

You can:

Please send feedback to the #contour channel in the Kubernetes Slack
