Support for proxy_protocol for proxysql behind aws load balancer

sysown / proxysql

High-performance MySQL proxy with a GPL license.

http://www.proxysql.com

GNU General Public License v3.0

5.88k stars 962 forks source link

Support for proxy_protocol for proxysql behind aws load balancer #2497

Open pipozzz opened 4 years ago

pipozzz commented 4 years ago

Hello,

is it possible to implement proxy_protocol on proxysql to see real remote IP of client ?

We would like to use new feature from v2.0.9 called firewall whitelist, but our proxysql servers are running behind TCP load balancer and we still see only load balancer's IP obviously.

Thank you.

renecannao commented 4 years ago

If my understanding is correct, this is NOT a duplicate of #1971 or #2241 .

Because ProxySQL is behind a TCP load balancer, to me this request makes sense!

nvtkaszpir commented 4 years ago

Unfortunately it looks like a duplicate:

https://aws.amazon.com/about-aws/whats-new/2013/07/30/elastic-load-balancing-now-supports-proxy-protocol/ (yeah it's ancient post but still valid)
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html (EC2 ELB Classic)
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-group-attributes (proxy v2 support in target groups)

So I guess the FR are asking to implement support for proxy protocol and extracting source IP from incoming PROXY header, so that it could be used for whitelisting.

It is doable, for example it can be used with nginx to whitelist request which come in to AWS ELB on nginx level and not on AWS ELB net/security rules.

pipozzz commented 4 years ago

No, I need to use source IP in proxysql firewall whitelisting feature and have more granular option to whitelist certain mysql user from certain IP/subnet to run queries and this proxysql is behind ELB.

pipozzz commented 4 years ago

Any update?

pipozzz commented 4 years ago

Any update?

renecannao commented 4 years ago

Reopening, because we may work on it sometime in the future

thunkWaltz commented 2 years ago

Hi, Looks like there are some conflicts in the merge, so fix is still not available. Is there any plan to take this fix?

TomaszKorwel commented 3 months ago

We have the same use case -> our proxysql is behind load balancer and we'd like to be able to handle query rules based on actual client IP, right now all connections are 'seen' as originating from load balancer.

dankow commented 2 weeks ago

We also have a need for this feature, as we are planning to put our ProxySQL servers behind a TCP load balancer.

charles-001 commented 2 weeks ago

+1 this would be great to have