zalando / skipper

An HTTP router and reverse proxy for service composition, including use cases like Kubernetes Ingress
https://opensource.zalando.com/skipper/

Proxy protocol support? #1068

Open gjcarneiro opened 5 years ago

gjcarneiro commented 5 years ago

Is your feature request related to a problem? Please describe.

I have just been looking through the docs, and I couldn't find any mention of proxy protocol support.

Describe the solution you would like

Support for the HAProxy proxy protocol

Additional context (optional)

Nginx ingress controller has this option: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-proxy-protocol

I was looking for something similar in Skipper, as I have HAProxy as LB and I absolutely need to preserve the client IP address.

Would you like to work on it? No

szuecs commented 5 years ago

@gjcarneiro from what I understood, the haproxy PROXY protocol needs a TCP listener that supports it. Right now we are building on top of Go's ServeHTTP handler, which means we do not have the TCP Listen/Accept, nor do we parse HTTP ourselves. Go does not seem to support the PROXY protocol, so we would either have to build it into Go or build the TCP Listen/Accept ourselves.

I have been thinking for a while about implementing an epoll TCP/IP listener in skipper, which would make it possible to implement the PROXY protocol, too.

Can you add a simple example config for haproxy into the issue, such that I can easily set it up and test it?

gjcarneiro commented 5 years ago

Sure, I understand!

Here's an excerpt of our HAProxy config, which we use in our K8S cluster. As you can see, the ingress controllers (ingress-nginx atm) listen on ports 8000 for http and 7443 for https, on some of the K8S nodes.

listen kube-nginx-http
        bind :80
        mode tcp
        option tcplog
        balance leastconn

        server hex-12c2-pm hex-12c2-pm:8000 inter 10s send-proxy check
        server hex-48b-pm hex-48b-pm:8000 inter 10s send-proxy check

listen kube-nginx-https
        bind :443
        mode tcp
        option tcplog
        balance leastconn

        server hex-12c2-pm hex-12c2-pm:7443 send-proxy inter 10s check check-ssl verify none
        server hex-48b-pm hex-48b-pm:7443 send-proxy inter 10s check check-ssl verify none

bojleros commented 2 years ago

I am deploying skipper with aws nlb and have just realized that service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" completely breaks connectivity. Our decision to stick with skipper was made on the basis of rich acl methods. Unfortunately without proxy-protocol it would not be possible to implement our whitelists. Do you think Traefik can be a useful example of proxy-protocol implementation?

szuecs commented 2 years ago

@bojleros you can check Traefik https://github.com/traefik/traefik/blob/master/go.mod#L65 and then use https://github.com/pires/go-proxyproto.

bojleros commented 2 years ago

@szuecs Ok, time to learn golang :)
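
An added sketch of the listener-level handling this thread asks for, using only the Go standard library; it is not code from Skipper, Traefik or go-proxyproto. It assumes the version 1 text header that HAProxy's `send-proxy` emits, honours it only from a trusted load balancer network (otherwise any peer could forge the client IP that allowlists rely on), and ignores the destination fields. The names `parseProxyV1`, `proxyConn` and `WrapTrusted`, the 128-byte limit and the 2-second deadline are choices made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/netip"
	"strings"
	"time"
)

// parseProxyV1 extracts the client address from "PROXY TCP4 <src> <dst> <sport> <dport>\r\n".
func parseProxyV1(line string) (netip.AddrPort, bool) {
	f := strings.Split(line, " ")
	if len(f) != 6 || f[0] != "PROXY" || !strings.HasSuffix(f[5], "\r\n") {
		return netip.AddrPort{}, false
	}
	src, err := netip.ParseAddrPort(net.JoinHostPort(f[2], f[4]))
	return src, err == nil && (f[1] == "TCP4" || f[1] == "TCP6") && src.Addr().Is4() == (f[1] == "TCP4")
}

// proxyConn reports the header's client address instead of the load balancer's.
type proxyConn struct {
	net.Conn
	r   *bufio.Reader // may hold request bytes that arrived with the header
	src net.Addr
}

func (c *proxyConn) Read(b []byte) (int, error) { return c.r.Read(b) }
func (c *proxyConn) RemoteAddr() net.Addr       { return c.src }

// WrapTrusted (hypothetical name) is for use on each conn a listener's Accept returns.
// It honours a header only from a peer inside trusted; on false the caller closes c.
func WrapTrusted(c net.Conn, trusted *net.IPNet) (net.Conn, bool) {
	peer, _ := c.RemoteAddr().(*net.TCPAddr)
	r := bufio.NewReaderSize(c, 128) // ReadSlice gives up after 128 bytes
	if peer != nil && trusted.Contains(peer.IP) {
		c.SetReadDeadline(time.Now().Add(2 * time.Second))
		line, _ := r.ReadSlice('\n') // on error the line lacks "\r\n" and parsing fails
		c.SetReadDeadline(time.Time{})
		if src, ok := parseProxyV1(string(line)); ok {
			return &proxyConn{c, r, net.TCPAddrFromAddrPort(src)}, true
		}
	}
	return nil, false
}

func main() {
	fmt.Println(parseProxyV1("PROXY TCP4 203.0.113.7 10.0.0.5 51234 80\r\n")) // constructed sample
}
```

A `net.Listener` wrapper whose `Accept` calls `WrapTrusted` can be passed to `http.Server.Serve`, so handlers see the original client in `r.RemoteAddr` without the server parsing HTTP itself.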