-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proxy proto header generation #1031
Comments
@PiotrSikora I suspect we're going to need this in combination with routing based on SNI sniffing otherwise we'll lose the original IP |
FWIW I'm not convinced the PROXY header will be sufficient for our (GFE's) needs. The linked doc mentions intentional limited extensibility and I believe we're going to want terminating cluster, p0f information, rtt etc. I suspect we'll get that from #2394 as we'll be TCP proxying over H2 for port reduction and connection reuse. |
@alyssawilk yes, HTTP/2 CONNECT + METADATA combo is superior, but it only works for traffic between proxies that support it. We'd use PROXY protocol on the last mile, when talking to remote 3rd-party TCP application servers (#2659 might be a better alternative when talking with AFEs on localhost). |
We'll need this soon as well, for tcp proxying. |
Let's start discussing implementation. First question: is this ever needed for a non-tcpproxy use case? If not, then the implementation can go into tcpproxy and it will be pretty simple. If yes, then my first thought would be to make it a network filter on the on the upstream connection (See #173). Or I suppose it could also be implemented by a network filter on the downstream side, as the last filter before TcpProxy, but that seems less elegant. Thoughts and opinions? |
IMO we should do this as an upstream connection network filter, especially since that work has already started? |
Oh, I didn't see that the work had started (I'm pretty far behind on stuff this week). In that case, I agree. |
We'll need to figure out a nice way of passing the downstream remote address to the upstream connection. Possibly pass an optional RequestInfo when creating a ClientConnection? |
@ggreenway that seems reasonable to me. @alanconway WDYT? |
I am always translating to/from HTTP and letting envoy's existing HTTP router in the middle decide which upstream connection to use - it has the usual HTTP info to do that. |
I saw from other issues that it looks like upstream network filters are finished now. Is there active work on an upstream network filter for the proxy protocol? No pressure or anything; I'm just curious. |
I don't think anyone is working on this. Help wanted! |
@wez470 Was asking about this recently on slack: https://envoyproxy.slack.com/archives/C78HA81DH/p1578696402042700?thread_ts=1578696402.042700. Not sure what the status of that work is though. |
I've been looking into it and would like to take up this work. I was actually just about to post more questions about it in slack. I'll link the discussion here after it happens, or at least add a summary. edit - link to slack message: https://envoyproxy.slack.com/archives/C78HA81DH/p1580149986114100 |
If it helps, here is a link to the pull request that adds support for upstream network filters: 0f892c2 And here is a link directly to the "polite filter" integration test added by that commit, which may help as an example of how to create an upstream network filter: https://github.com/envoyproxy/envoy/blob/master/test/integration/cluster_filter_integration_test.cc |
@mattklein123 @ggreenway I wanted to have a discussion about how to best pass the stream info when creating a new connection. To get things working so I could start building the filter, I just added a raw pointer. https://github.com/envoyproxy/envoy/compare/master...wez470:proxy-protocol-filter?expand=1#diff-0e411ba198bbc88e25d450f78141647fR207. At first I was thinking of Code is still a work in progress for sure. Let me know if I should include anyone else in discussions. I just tagged you two since you've been active on this issue. |
IIRC in very recent changes all the streamInfo() accessors are moving to shared_ptr, so I think you are probably fine? Check current master? |
Oh! Okay, I'll check that out. |
Hmm, not seeing this on master, at least for tcp_proxy (https://github.com/envoyproxy/envoy/blob/master/source/common/tcp_proxy/tcp_proxy.h#L305). Took a quick glance at PRs and didn't see anything obviously related. |
See #9949 and recent PR by @gargnupur |
Description: Add utility functions for generating v1 and v2 PROXY protocol headers. This is the first step to adding Envoy PROXY proto generation support. These functions can also be used in other places that would also like to generate the header. Risk Level: Low Testing: Unit Docs Changes: None Release Notes: None Related to #1031 Signed-off-by: Weston Carlson <wez470@gmail.com>
Commit Message: Add proxy proto transport socket Additional Description: This is the part 1 PR described in #10682. It adds the transports socket / unit tests, a transport socket options struct for the proxy proto header, and does a refactor to make the listener filter use the common proxy proto constants (potentially want to move these now since the proxy proto config api type is not in extensions?) Risk Level: Small Testing: Unit Docs Changes: None Release Notes: None Part Of: #1031 Signed-off-by: Weston Carlson <wez470@gmail.com> Co-authored-by: Lizan Zhou <lizan@tetrate.io>
Commit Message: Add proxy proto transport socket Additional Description: This is the part 1 PR described in envoyproxy#10682. It adds the transports socket / unit tests, a transport socket options struct for the proxy proto header, and does a refactor to make the listener filter use the common proxy proto constants (potentially want to move these now since the proxy proto config api type is not in extensions?) Risk Level: Small Testing: Unit Docs Changes: None Release Notes: None Part Of: #1031 Signed-off-by: Weston Carlson <wez470@gmail.com> Co-authored-by: Lizan Zhou <lizan@tetrate.io> Signed-off-by: Kevin Baichoo <kbaichoo@google.com>
Commit Message: Add proxy proto transport socket Additional Description: This is the part 1 PR described in envoyproxy#10682. It adds the transports socket / unit tests, a transport socket options struct for the proxy proto header, and does a refactor to make the listener filter use the common proxy proto constants (potentially want to move these now since the proxy proto config api type is not in extensions?) Risk Level: Small Testing: Unit Docs Changes: None Release Notes: None Part Of: envoyproxy#1031 Signed-off-by: Weston Carlson <wez470@gmail.com> Co-authored-by: Lizan Zhou <lizan@tetrate.io>
Commit Message: Add proxy proto transport socket Additional Description: This is the part 1 PR described in envoyproxy#10682. It adds the transports socket / unit tests, a transport socket options struct for the proxy proto header, and does a refactor to make the listener filter use the common proxy proto constants (potentially want to move these now since the proxy proto config api type is not in extensions?) Risk Level: Small Testing: Unit Docs Changes: None Release Notes: None Part Of: envoyproxy#1031 Signed-off-by: Weston Carlson <wez470@gmail.com> Co-authored-by: Lizan Zhou <lizan@tetrate.io> Signed-off-by: chaoqinli <chaoqinli@google.com>
Today, Envoy supports consuming the http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt PROXY header in new connections in the Listener. It would also be useful (we'll need it at Google) to be able to generate the PROXY header when performing TCP proxying.
The text was updated successfully, but these errors were encountered: