Support for proxy protocol v2 #675

Open
UltraInstinct14 opened this issue May 13, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@UltraInstinct14
Contributor

Is your feature request related to a problem? Please describe.
In many NAT nodes used by loxilb, the original source IP gets obfuscated at the endpoint. This might cause problems in accounting for various things related to the original source, such as abuse or DDoS attacks, or in keeping simple statistical counts.

Describe the solution you'd like
loxilb needs to implement proxy protocol v2. Currently many web servers already support it.

Describe alternatives you've considered
N/A

Additional context
https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

@UltraInstinct14 UltraInstinct14 added the enhancement New feature or request label May 13, 2024
6547709 commented Nov 4, 2024

I also need this feature.
Background:
I have always used the architecture of deploying LoadBalancer outside the cluster, which has a clear architecture, short path (LB->PodIP), and better performance (adjusting virtual machine/bare metal configuration). When I use TCP service or Ingress, the source IP (one-arm/FullNAT) cannot be correctly identified.
Requirement:
If LoxiLB can support Proxy protocol V2, these problems can be solved.

@barryiron

Also in need of this feature, would be great if it can be prioritized. Thanks!

TrekkieCoder added a commit to loxilb-io/loxilb-ebpf that referenced this issue Nov 24, 2024
TrekkieCoder added a commit to loxilb-io/loxilb-ebpf that referenced this issue Nov 25, 2024
TrekkieCoder added a commit to loxilb-io/loxilb-ebpf that referenced this issue Nov 26, 2024
TrekkieCoder added a commit to loxilb-io/loxicmd that referenced this issue Nov 26, 2024
TrekkieCoder added a commit to loxilb-io/loxilb-ebpf that referenced this issue Nov 26, 2024
TrekkieCoder added a commit to loxilb-io/loxilb-ebpf that referenced this issue Nov 27, 2024
TrekkieCoder added a commit to loxilb-io/loxilb-ebpf that referenced this issue Nov 27, 2024
TrekkieCoder added a commit to TrekkieCoder/loxilb that referenced this issue Nov 27, 2024
inhogog2 added a commit to loxilb-io/loxicmd that referenced this issue Nov 27, 2024
loxilb-io/loxilb#675 Initial support to enable proxy protocol v2
TrekkieCoder added a commit to TrekkieCoder/loxilb that referenced this issue Nov 27, 2024
TrekkieCoder added a commit to loxilb-io/loxilb-ebpf that referenced this issue Nov 27, 2024
PR - loxilb-io/loxilb#675 Initial support for proxy protocol v2
TrekkieCoder added a commit to TrekkieCoder/loxilb that referenced this issue Nov 27, 2024
TrekkieCoder added a commit to loxilb-io/kube-loxilb that referenced this issue Nov 27, 2024
UltraInstinct14 added a commit that referenced this issue Nov 27, 2024
#675 Initial support for proxy protocol v2
UltraInstinct14 added a commit to loxilb-io/kube-loxilb that referenced this issue Nov 27, 2024
TrekkieCoder added a commit to loxilb-io/loxilb-ebpf that referenced this issue Nov 27, 2024
TrekkieCoder added a commit to TrekkieCoder/loxilb that referenced this issue Nov 27, 2024
UltraInstinct14 added a commit that referenced this issue Nov 27, 2024
#675 Fixed minor issues for proxy protocol v2 support
@TrekkieCoder
Collaborator

Landed initial support. Details can be found here

6547709 commented Nov 27, 2024

I just did a test using Ingress-Nginx, but I can't access the ingress.

ingress-nginx logs (10.40.41.91/92 are loxilb's IPs):

```
2024/11/27 14:05:00 [error] 578#578: *96633 broken header: "" while reading PROXY protocol, client: 10.40.41.91, server: 0.0.0.0:443
2024/11/27 14:05:00 [error] 862#862: *96700 broken header: "" while reading PROXY protocol, client: 10.40.41.92, server: 0.0.0.0:443
```

```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    loxilb.io/staticIP: 10.60.11.10
    loxilb.io/usepodnetwork: "yes"
    loxilb.io/useproxyprotov2: "yes"
    meta.helm.sh/release-name: ingress-nginx
    meta.helm.sh/release-namespace: ingress-nginx
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  allocateLoadBalancerNodePorts: true
  clusterIP: 10.253.5.62
  clusterIPs:
  - 10.253.5.62
  externalTrafficPolicy: Local
  healthCheckNodePort: 32261
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  loadBalancerClass: loxilb.io/loxilb
  ports:
  - appProtocol: http
    name: http
    nodePort: 30624
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    nodePort: 30100
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  sessionAffinity: None
  type: LoadBalancer
```

```
core@LoxiLB-02 ~ $ docker exec -it loxilb loxicmd get lb -o wide
|   EXT IP    | SEC IPS | SOURCES | HOST | PORT | PROTO |                      NAME                      | MARK | SEL  |     MODE     |   ENDPOINT   | EPORT | WEIGHT | STATE  | COUNTERS  |
|-------------|---------|---------|------|------|-------|------------------------------------------------|------|------|--------------|--------------|-------|--------|--------|-----------|
| 10.60.11.10 |         |         |      |   80 | tcp   | ingress-nginx_ingress-nginx-controller:default |    0 | rr   | fullnat:ppv2 | 10.254.2.137 |    80 |      1 | -      | 0:0       |
|             |         |         |      |      |       |                                                |      |      |              | 10.254.5.137 |    80 |      1 | -      | 0:0       |
|             |         |         |      |      |       |                                                |      |      |              | 10.254.6.144 |    80 |      1 | -      | 0:0       |
|             |         |         |      |      |       |                                                |      |      |              | 10.254.1.185 |    80 |      1 | -      | 0:0       |
| 10.60.11.10 |         |         |      |  443 | tcp   | ingress-nginx_ingress-nginx-controller:default |    0 | rr   | fullnat:ppv2 | 10.254.2.137 |   443 |      1 | -      | 86:56498  |
|             |         |         |      |      |       |                                                |      |      |              | 10.254.5.137 |   443 |      1 | -      | 104:66842 |
|             |         |         |      |      |       |                                                |      |      |              | 10.254.6.144 |   443 |      1 | -      | 103:65749 |
|             |         |         |      |      |       |                                                |      |      |              | 10.254.1.185 |   443 |      1 | -      | 88:57036  |

core@LoxiLB-02 ~ $ docker exec -it loxilb loxicmd get ip
| DEVICE NAME |          IP ADDRESS          |
|-------------|------------------------------|
| docker0     | 172.17.0.1/16                |
| ens192      | 10.40.41.92/24               |
|             | fe80::250:56ff:fe88:1e5c/64  |
| ens224      | 10.60.2.92/16                |
|             | fe80::250:56ff:fe88:93a/64   |
| llb0        | fe80::acbb:f9ff:fef1:d170/64 |
| lo          | 127.0.0.1/8                  |
|             | ::1/128                      |
|             | 10.60.11.7/32                |
|             | 10.60.11.3/32                |
|             | 10.60.11.4/32                |
|             | 10.60.11.5/32                |
|             | 10.60.11.10/32               |
```
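
What a backend does at the "reading PROXY protocol" step named in the log above, as an added example that is not part of the original comment and is not loxilb or nginx code: it honours a v2 header (layout per the HAProxy spec linked in the issue) only when the TCP peer is a trusted load balancer, then recovers the original client address. `ParsePPv2`, `trustedLBs` and the sample header bytes are hypothetical and constructed for illustration; the allow-list assumes the two loxilb addresses quoted in the comment.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// ppv2Sig is the 12-byte PROXY protocol v2 signature defined in the HAProxy spec.
var ppv2Sig = []byte{0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A}
// trustedLBs is an assumed allow-list: the loxilb addresses seen in the nginx log.
var trustedLBs = []netip.Prefix{netip.MustParsePrefix("10.40.41.91/32"), netip.MustParsePrefix("10.40.41.92/32")}

// ParsePPv2 (hypothetical helper) validates a v2 header at the start of buf and returns
// the original client address and the header length; remote is conn.RemoteAddr().String().
func ParsePPv2(buf []byte, remote string) (src netip.AddrPort, n int, err error) {
	peer, err := netip.ParseAddrPort(remote)
	ok := false
	for _, p := range trustedLBs {
		ok = ok || p.Contains(peer.Addr())
	}
	if err != nil || !ok { // never believe a client-supplied header from an unknown peer
		return src, 0, errors.New("peer is not a trusted proxy")
	}
	if len(buf) < 16 || !bytes.Equal(buf[:12], ppv2Sig) || buf[12]>>4 != 2 {
		return src, 0, errors.New("broken header: v2 signature or version missing")
	}
	if n = 16 + int(binary.BigEndian.Uint16(buf[14:16])); len(buf) < n {
		return src, 0, errors.New("truncated header")
	}
	if buf[12]&0x0F == 0 { // LOCAL command (e.g. health check): keep the socket's own addresses
		return src, n, nil
	}
	alen := map[byte]int{0x11: 4, 0x21: 16}[buf[13]] // TCP over IPv4 / TCP over IPv6
	if buf[12]&0x0F != 1 || alen == 0 || n-16 < 2*alen+4 {
		return src, 0, errors.New("unsupported command, family or length")
	}
	addr, _ := netip.AddrFromSlice(buf[16 : 16+alen])
	port := binary.BigEndian.Uint16(buf[16+2*alen:])
	return netip.AddrPortFrom(addr, port), n, nil
}

func main() {
	// Constructed sample: PROXY command, TCP/IPv4, 192.0.2.10:51234 -> 10.60.11.10:443.
	hdr := append(append([]byte{}, ppv2Sig...), 0x21, 0x11, 0x00, 0x0C,
		192, 0, 2, 10, 10, 60, 11, 10, 0xC8, 0x22, 0x01, 0xBB)
	fmt.Println(ParsePPv2(hdr, "10.40.41.91:40000"))
}
```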

@UltraInstinct14
Contributor Author

Was able to test based on instructions for v2 here. My setup does not have an ingress. I am running an nginx app pod (LB -> nginx pods).

6547709 commented Nov 28, 2024

OK. I'll look into why it doesn't work.
