Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Proxy proto header generation #1031

Closed
htuch opened this issue May 30, 2017 · 20 comments · Fixed by #12762
Closed

Proxy proto header generation #1031

htuch opened this issue May 30, 2017 · 20 comments · Fixed by #12762
Labels
enhancement Feature requests. Not bugs or questions. help wanted Needs help!

Comments

@htuch
Copy link
Member

htuch commented May 30, 2017

Today, Envoy supports consuming the http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt PROXY header in new connections in the Listener. It would also be useful (we'll need it at Google) to be able to generate the PROXY header when performing TCP proxying.

@mattklein123 mattklein123 added the enhancement Feature requests. Not bugs or questions. label Jun 5, 2017
@mattklein123 mattklein123 added the help wanted Needs help! label Oct 28, 2017
@louiscryan
Copy link

@PiotrSikora I suspect we're going to need this in combination with routing based on SNI sniffing otherwise we'll lose the original IP

@alyssawilk
Copy link
Contributor

FWIW I'm not convinced the PROXY header will be sufficient for our (GFE's) needs. The linked doc mentions intentional limited extensibility and I believe we're going to want terminating cluster, p0f information, rtt etc. I suspect we'll get that from #2394 as we'll be TCP proxying over H2 for port reduction and connection reuse.

@PiotrSikora
Copy link
Contributor

@alyssawilk yes, HTTP/2 CONNECT + METADATA combo is superior, but it only works for traffic between proxies that support it. We'd use PROXY protocol on the last mile, when talking to remote 3rd-party TCP application servers (#2659 might be a better alternative when talking with AFEs on localhost).

@ggreenway
Copy link
Contributor

We'll need this soon as well, for tcp proxying.

@ggreenway
Copy link
Contributor

Let's start discussing implementation.

First question: is this ever needed for a non-tcpproxy use case?

If not, then the implementation can go into tcpproxy and it will be pretty simple.

If yes, then my first thought would be to make it a network filter on the on the upstream connection (See #173). Or I suppose it could also be implemented by a network filter on the downstream side, as the last filter before TcpProxy, but that seems less elegant.

Thoughts and opinions?

@mattklein123
Copy link
Member

IMO we should do this as an upstream connection network filter, especially since that work has already started?

@ggreenway
Copy link
Contributor

Oh, I didn't see that the work had started (I'm pretty far behind on stuff this week). In that case, I agree.

@ggreenway
Copy link
Contributor

We'll need to figure out a nice way of passing the downstream remote address to the upstream connection. Possibly pass an optional RequestInfo when creating a ClientConnection?

@mattklein123
Copy link
Member

@ggreenway that seems reasonable to me. @alanconway WDYT?

@alanconway
Copy link

I am always translating to/from HTTP and letting envoy's existing HTTP router in the middle decide which upstream connection to use - it has the usual HTTP info to do that.
I don't have an objection to passing up information from downstream out-of-band, but presently everything I need is in the message, be it in HTTP or AMQP form.

@kylebevans
Copy link

I saw from other issues that it looks like upstream network filters are finished now. Is there active work on an upstream network filter for the proxy protocol? No pressure or anything; I'm just curious.

@mattklein123
Copy link
Member

I don't think anyone is working on this. Help wanted!

@ggreenway
Copy link
Contributor

@wez470 Was asking about this recently on slack: https://envoyproxy.slack.com/archives/C78HA81DH/p1578696402042700?thread_ts=1578696402.042700. Not sure what the status of that work is though.

@wez470
Copy link
Contributor

wez470 commented Jan 27, 2020

I've been looking into it and would like to take up this work. I was actually just about to post more questions about it in slack. I'll link the discussion here after it happens, or at least add a summary.

edit - link to slack message: https://envoyproxy.slack.com/archives/C78HA81DH/p1580149986114100

@kylebevans
Copy link

If it helps, here is a link to the pull request that adds support for upstream network filters: 0f892c2

And here is a link directly to the "polite filter" integration test added by that commit, which may help as an example of how to create an upstream network filter: https://github.com/envoyproxy/envoy/blob/master/test/integration/cluster_filter_integration_test.cc

@wez470
Copy link
Contributor

wez470 commented Feb 13, 2020

@mattklein123 @ggreenway I wanted to have a discussion about how to best pass the stream info when creating a new connection.

To get things working so I could start building the filter, I just added a raw pointer. https://github.com/envoyproxy/envoy/compare/master...wez470:proxy-protocol-filter?expand=1#diff-0e411ba198bbc88e25d450f78141647fR207. At first I was thinking of absl::optional<StreamInfo>, but that doesn't work since it's a pure class. Potentially could be a shared pointer? Would mean updating a bunch of downstream side classes to hold the shared pointer I think. Do you have any other ideas?
Should this update be done in a separate PR?

Code is still a work in progress for sure. Let me know if I should include anyone else in discussions. I just tagged you two since you've been active on this issue.

@mattklein123
Copy link
Member

IIRC in very recent changes all the streamInfo() accessors are moving to shared_ptr, so I think you are probably fine? Check current master?

@wez470
Copy link
Contributor

wez470 commented Feb 13, 2020

Oh! Okay, I'll check that out.

@wez470
Copy link
Contributor

wez470 commented Feb 13, 2020

Hmm, not seeing this on master, at least for tcp_proxy (https://github.com/envoyproxy/envoy/blob/master/source/common/tcp_proxy/tcp_proxy.h#L305). Took a quick glance at PRs and didn't see anything obviously related.

@mattklein123
Copy link
Member

See #9949 and recent PR by @gargnupur

alyssawilk pushed a commit that referenced this issue Apr 2, 2020
Description: Add utility functions for generating v1 and v2 PROXY protocol headers. This is the first step to adding Envoy PROXY proto generation support. These functions can also be used in other places that would also like to generate the header.
Risk Level: Low
Testing: Unit
Docs Changes: None
Release Notes: None
Related to #1031

Signed-off-by: Weston Carlson <wez470@gmail.com>
alyssawilk pushed a commit that referenced this issue Jul 28, 2020
Commit Message: Add proxy proto transport socket

Additional Description: This is the part 1 PR described in #10682. It adds the transports socket / unit tests, a transport socket options struct for the proxy proto header, and does a refactor to make the listener filter use the common proxy proto constants (potentially want to move these now since the proxy proto config api type is not in extensions?)

Risk Level: Small
Testing: Unit
Docs Changes: None
Release Notes: None
Part Of: #1031

Signed-off-by: Weston Carlson <wez470@gmail.com>
Co-authored-by: Lizan Zhou <lizan@tetrate.io>
KBaichoo referenced this issue in KBaichoo/envoy Jul 30, 2020
Commit Message: Add proxy proto transport socket

Additional Description: This is the part 1 PR described in envoyproxy#10682. It adds the transports socket / unit tests, a transport socket options struct for the proxy proto header, and does a refactor to make the listener filter use the common proxy proto constants (potentially want to move these now since the proxy proto config api type is not in extensions?)

Risk Level: Small
Testing: Unit
Docs Changes: None
Release Notes: None
Part Of: #1031

Signed-off-by: Weston Carlson <wez470@gmail.com>
Co-authored-by: Lizan Zhou <lizan@tetrate.io>
Signed-off-by: Kevin Baichoo <kbaichoo@google.com>
chaoqin-li1123 pushed a commit to chaoqin-li1123/envoy that referenced this issue Aug 7, 2020
Commit Message: Add proxy proto transport socket

Additional Description: This is the part 1 PR described in envoyproxy#10682. It adds the transports socket / unit tests, a transport socket options struct for the proxy proto header, and does a refactor to make the listener filter use the common proxy proto constants (potentially want to move these now since the proxy proto config api type is not in extensions?)

Risk Level: Small
Testing: Unit
Docs Changes: None
Release Notes: None
Part Of: envoyproxy#1031

Signed-off-by: Weston Carlson <wez470@gmail.com>
Co-authored-by: Lizan Zhou <lizan@tetrate.io>
chaoqin-li1123 pushed a commit to chaoqin-li1123/envoy that referenced this issue Aug 7, 2020
Commit Message: Add proxy proto transport socket

Additional Description: This is the part 1 PR described in envoyproxy#10682. It adds the transports socket / unit tests, a transport socket options struct for the proxy proto header, and does a refactor to make the listener filter use the common proxy proto constants (potentially want to move these now since the proxy proto config api type is not in extensions?)

Risk Level: Small
Testing: Unit
Docs Changes: None
Release Notes: None
Part Of: envoyproxy#1031

Signed-off-by: Weston Carlson <wez470@gmail.com>
Co-authored-by: Lizan Zhou <lizan@tetrate.io>
Signed-off-by: chaoqinli <chaoqinli@google.com>
jpsim pushed a commit that referenced this issue Nov 28, 2022
needed for #12621

Signed-off-by: Jose Nino <jnino@lyft.com>
Signed-off-by: JP Simard <jp@jpsim.com>
jpsim pushed a commit that referenced this issue Nov 29, 2022
needed for #12621

Signed-off-by: Jose Nino <jnino@lyft.com>
Signed-off-by: JP Simard <jp@jpsim.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement Feature requests. Not bugs or questions. help wanted Needs help!
Projects
None yet
9 participants