Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom ProxyProtocol Listener Filter #5403

Closed
asayah opened this issue Sep 29, 2021 · 4 comments
Closed

Custom ProxyProtocol Listener Filter #5403

asayah opened this issue Sep 29, 2021 · 4 comments
Assignees
@kdorosh
Labels
Size: L 1 - 2 weeks Type: Enhancement New feature or request
Milestone
v1.10 CREQS

Comments

@asayah
Copy link
Contributor

asayah commented Sep 29, 2021
edited by sam-heilbron
Loading

PROXY Protocol

https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/proxy_protocol#config-listener-filters-proxy-protocol

https://www.haproxy.org/download/1.9/doc/proxy-protocol.txt

Background:

The PROXY protocol provides a convenient way to safely transport connection
   information such as a client's address across multiple layers of NAT or TCP
   proxies. It is designed to require little changes to existing components and
   to limit the performance impact caused by the processing of the transported
   information.

Import implementation detail:

In both cases, the protocol simply consists in an easily parsable header placed
by the connection initiator at the beginning of each connection. The protocol
is intentionally stateless in that it does not expect the sender to wait for
the receiver before sending the header, nor the receiver to send anything back.

Proposal

The proposal here is to implement a custom listener filter which adds suppport for Proxy Protocol (https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/proxy_protocol), but on error, instead of replicating the existing filter:

If there is a protocol error or an unsupported address family (e.g. AF_UNIX) the connection will be closed and an error thrown.

we will continue processing the connection without Proxy Protocol.

Gloo Edge

We enable/disable this filter using the Gateway resource:

// Enable ProxyProtocol support for this listener
google.protobuf.BoolValue use_proxy_proto = 8;

Previous issue related to PROXY protocol: solo-io#5116

Additional Notes

Yuval has some experience implementing a similar pattern for SNI inspection. If you pick this up, sync with him on how to approach.
This would be applied to the envoy-gloo-ee repository.
@asayah asayah added the Type: Enhancement New feature or request label Sep 29, 2021
@phenixblue
Copy link

We're looking to support healthchecks from downstream load balancers that might not be able to wrap healthcheck requests in Proxy Protocol, but still support Proxy Protocol for all other traffic. We want these health checks to flow through the Gloo Edge Dataplane, not be exposed through a NodePort or something else.

The Cloud Foundry GoRouters have some existing implementation for this where it examines a request and checks for the Proxy protocol header, if it doesn't exist it processes it without Proxy Protocol (additional CPU overhead, but a lot of flexibility/compatibility)

The most simplistic thing I can thing of is maybe an Envoy Filter that can disable Proxy Protocol on a per service config based on config within the VirtualService spec.

@chrisgaun chrisgaun added this to the Phase 1 - Metrics milestone Oct 1, 2021
@sam-heilbron
Copy link
Contributor

Reached out via Slack to discuss this further.

@sam-heilbron
Copy link
Contributor

The proposal here is to implement a custom listener filter which adds suppport for Proxy Protocol (https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/proxy_protocol), but on error, instead of replicating the existing filter:

If there is a protocol error or an unsupported address family (e.g. AF_UNIX) the connection will be closed and an error thrown.

we will continue processing the connection without Proxy Protocol.

@sam-heilbron sam-heilbron changed the title ProxyProtocol Healthcheck Custom ProxyProtocol Listener Filter Oct 25, 2021
@sam-heilbron sam-heilbron added Size: L 1 - 2 weeks and removed Size: TBD labels Oct 25, 2021
@kdorosh kdorosh self-assigned this Nov 3, 2021
This was referenced Nov 3, 2021
Closed
Merged
@solo-changelog-bot solo-changelog-bot bot mentioned this issue Nov 17, 2021
Merged
8 tasks
@kdorosh
Copy link
Contributor

kdorosh commented Nov 18, 2021

released in Gloo Enterprise 1.9.3 and 1.8.21

@kdorosh kdorosh closed this as completed Nov 18, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kdorosh kdorosh

Labels
Size: L 1 - 2 weeks Type: Enhancement New feature or request
Projects
None yet
Milestone
v1.10 CREQS
Development

No branches or pull requests
5 participants
@sam-heilbron @asayah @chrisgaun @kdorosh @phenixblue