-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable PROXY protocol for specific CIDRs in HAProxy #711
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
some WIP comments. I know this is not ready yet.
12a92c0
to
0620360
Compare
Co-authored-by: Rizwan <[email protected]>
bcf58bf
to
156e328
Compare
Co-Authored-by: Alexander Lais <[email protected]> Co-Authored-by: Daria Anton <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving for CI.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. The description, or commit message, could be improved.
@Dariquest received some feedback already on this. This PR os not about IPv6, but about conditional Proxy Protocol handling. It benefits dual-stack roll-out on AWS, but is not the only possible use.
Removed the IPv6 and adjusted the description. Thanks! |
|
||
// Requests without Proxy Protocol Header should succeed | ||
expectTestServer200(http.Get("http://127.0.0.1:11000")) | ||
}) | ||
}) | ||
}) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might make sense to have an edge test case with empty except_proxy_cidr and check that the call without proxy will be successful.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
an empty except_proxy_cidrs
is equivalent to the property being off.
Hi @Dariquest , everything fine now. The only minor thing, you might want to add this sentence to spec |
Done, thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
This PR introduces a new property expect_proxy_cidrs, which accepts a list of CIDR ranges for which to expect the PROXY protocol. This property allows selective enablement of PROXY protocol based on the source IP address.
Expect_proxy_cidrs is mutually exclusive with the accept_proxy, which enables PROXY protocol for all connections, and will lead to validation failure if both are set to true.