Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable PROXY protocol for specific CIDRs in HAProxy #711

Merged
merged 33 commits into from
Oct 2, 2024

Conversation

Dariquest
Copy link
Contributor

@Dariquest Dariquest commented Sep 9, 2024

This PR introduces a new property expect_proxy_cidrs, which accepts a list of CIDR ranges for which to expect the PROXY protocol. This property allows selective enablement of PROXY protocol based on the source IP address.
Expect_proxy_cidrs is mutually exclusive with the accept_proxy, which enables PROXY protocol for all connections, and will lead to validation failure if both are set to true.

@Dariquest Dariquest requested review from CFN-CI and a team as code owners September 9, 2024 09:16
@Dariquest Dariquest marked this pull request as draft September 9, 2024 09:16
jobs/haproxy/spec Outdated Show resolved Hide resolved
jobs/haproxy/spec Outdated Show resolved Hide resolved
jobs/haproxy/spec Outdated Show resolved Hide resolved
Copy link
Contributor

@peanball peanball left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some WIP comments. I know this is not ready yet.

jobs/haproxy/templates/haproxy.config.erb Outdated Show resolved Hide resolved
spec/haproxy/templates/proxies_cidrs.txt_spec.rb Outdated Show resolved Hide resolved
Co-authored-by: Rizwan <[email protected]>
Co-Authored-by: Alexander Lais <[email protected]>
Co-Authored-by: Daria Anton <[email protected]>
maxmoehl
maxmoehl previously approved these changes Sep 26, 2024
maxmoehl
maxmoehl previously approved these changes Sep 27, 2024
Copy link
Member

@maxmoehl maxmoehl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving for CI.

@Dariquest Dariquest changed the title Enable PROXY protocol for specific IPs in HAProxy Enable PROXY protocol for specific CIDRs in HAProxy Sep 30, 2024
peanball
peanball previously approved these changes Sep 30, 2024
Copy link
Contributor

@peanball peanball left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. The description, or commit message, could be improved.
@Dariquest received some feedback already on this. This PR os not about IPv6, but about conditional Proxy Protocol handling. It benefits dual-stack roll-out on AWS, but is not the only possible use.

@Dariquest
Copy link
Contributor Author

LGTM. The description, or commit message, could be improved. @Dariquest received some feedback already on this. This PR os not about IPv6, but about conditional Proxy Protocol handling. It benefits dual-stack roll-out on AWS, but is not the only possible use.

Removed the IPv6 and adjusted the description. Thanks!


// Requests without Proxy Protocol Header should succeed
expectTestServer200(http.Get("http://127.0.0.1:11000"))
})
})
})

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might make sense to have an edge test case with empty except_proxy_cidr and check that the call without proxy will be successful.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

an empty except_proxy_cidrs is equivalent to the property being off.

@Dariquest Dariquest dismissed stale reviews from peanball and maxmoehl via 4906e2d October 1, 2024 09:55
peanball
peanball previously approved these changes Oct 1, 2024
@b1tamara
Copy link
Contributor

b1tamara commented Oct 2, 2024

Hi @Dariquest , everything fine now. The only minor thing, you might want to add this sentence to spec expect_proxy_cidrs description: expect_proxy_cidrs is mutually exclusive with the accept_proxy and not only fail if these two properties are set at the same time.

@Dariquest
Copy link
Contributor Author

Hi @Dariquest , everything fine now. The only minor thing, you might want to add this sentence to spec expect_proxy_cidrs description: expect_proxy_cidrs is mutually exclusive with the accept_proxy and not only fail if these two properties are set at the same time.

Done, thanks!

Copy link
Contributor

@b1tamara b1tamara left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@b1tamara b1tamara merged commit 85ae84f into cloudfoundry:master Oct 2, 2024
4 checks passed
@maxmoehl maxmoehl deleted the CFN-4684 branch October 10, 2024 07:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
run-ci Allow this PR to be tested on Concourse
Development

Successfully merging this pull request may close these issues.

6 participants