Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PROXY Protocol v2 logging support #3807

Closed
jantman opened this issue Jan 17, 2018 · 8 comments · Fixed by #13540
Closed

PROXY Protocol v2 logging support #3807

jantman opened this issue Jan 17, 2018 · 8 comments · Fixed by #13540
Labels
community-sentiment Tracking high-profile issues from the community core Issues and Pull-Requests specific to Vault Core enhancement

Comments

@jantman
Copy link
Contributor

jantman commented Jan 17, 2018

Feature Request:

Vault currently supports using a client IP from a PROXY protocol header via the work done in #3098 and modified in #3195.

We're looking at leveraging a new AWS solution, PrivateLink, a SDN construct that allows securely exposing services behind Network Load Balancers (NLBs) in a "service provider" account, to multiple clients in separate AWS accounts - without network-level connections (i.e. it provides a virtual endpoint in client accounts, that routes traffic directly to a load balancer in a service provider account).

Traffic from such connections is seen as coming from a single source IP (the load balancer node), and the only information about which client it's coming from is encoded in a custom Type-Length-Value vector in a PROXY v2 header, per these docs from AWS.

I'll admit that I doubt many people outside of AWS have need for this, and I'm not entirely sure what would be involved in parsing this out or how that would be configured. But support for logging PROXYv2 fields (maybe in a way similar to how request headers are logged, via #2321) would be extremely helpful in this situation.

@JayH5
Copy link

JayH5 commented Jun 15, 2018

Just to add, NLBs are not only used for PrivateLink and can be used instead of Elastic/Classic Load Balancers (ELB). One big advantage of NLBs over ELBs is that a single NLB will have fixed private IPs, whereas ELB private IPs can change over time. Why this is important is that it means that NLB private IPs can be used for the proxy_protocol_authorized_addresses setting, but ELB ones cannot.

ELB supports only PROXY protocol v1, while NLB supports only v2.

To add v2 support to Vault it would first need to be added to the upstream library, go-proxyproto.

@thenoid
Copy link

thenoid commented Mar 10, 2019

I would like see this implemented as well, currently in a similar boat as the OP

@catsby catsby added core Issues and Pull-Requests specific to Vault Core enhancement labels Nov 7, 2019
@craigday
Copy link

I would like to see this as well. Just ran into this when adding IP constraints to an AppRole and was not seeing the client's IP addresses. We use NLB end expose Vault across multiple VPCs using endpoint services.

@thorix
Copy link

thorix commented May 26, 2020

We are having to use HAProxy to "fix" this problem. HAProxy isn't decrypting the traffic so some errors do not get returned correctly. This still seems to be a preferable solution.

@daveadams
Copy link
Contributor

daveadams commented Aug 29, 2020

Looks like there's an alternative implementation that supports proxy protocol v1 and v2: https://github.com/pires/go-proxyproto. It doesn't have exactly the same semantics as Armon's v1-only version, but it's pretty close. Support for proxy protocol v2 would be incredibly useful for logging purposes in our PrivateLink-deployed Vault clusters.

@pires
Copy link

pires commented Oct 28, 2020

Looks like there's an alternative implementation that supports proxy protocol v1 and v2: https://github.com/pires/go-proxyproto. It doesn't have exactly the same semantics as Armon's v1-only version, but it's pretty close. Support for proxy protocol v2 would be incredibly useful for logging purposes in our PrivateLink-deployed Vault clusters.

Hashicorp team has contributed to said repo - thanks, folks! - and seem to have adopted it for Boundary. I guess it's just a matter of priorities but it seems doable. I'm happy to help anyone wanting to pick this one up.

@vishalnayak
Copy link
Member

@pires Are you still interested in tackling this?

@pires
Copy link

pires commented Jul 10, 2021

I can try and take a look but I really only offered help if anyone was willing to take the work :D it's been a couple years since I last looked at Vault's code.

remilapeyre added a commit to remilapeyre/vault that referenced this issue Jan 2, 2022
I did not find tests for this so I added one trying to cover different
configurations to make sure I did not break something. As far as I know,
the behavior should be exactly the same as before except for one thing
when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized
requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84
but it will now be logged.

Also fixes hashicorp#9462 by adding
support for `PROXY UNKNOWN` for PROXY protocol v1.

Closes hashicorp#3807
@heatherezell heatherezell added the community-sentiment Tracking high-profile issues from the community label Jan 18, 2022
hghaf099 pushed a commit that referenced this issue Mar 8, 2022
* Add support for PROXY protocol v2 in TCP listener

I did not find tests for this so I added one trying to cover different
configurations to make sure I did not break something. As far as I know,
the behavior should be exactly the same as before except for one thing
when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized
requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84
but it will now be logged.

Also fixes #9462 by adding
support for `PROXY UNKNOWN` for PROXY protocol v1.

Closes #3807

* Add changelog
hghaf099 pushed a commit that referenced this issue Mar 8, 2022
* Add support for PROXY protocol v2 in TCP listener

I did not find tests for this so I added one trying to cover different
configurations to make sure I did not break something. As far as I know,
the behavior should be exactly the same as before except for one thing
when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized
requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84
but it will now be logged.

Also fixes #9462 by adding
support for `PROXY UNKNOWN` for PROXY protocol v1.

Closes #3807

* Add changelog
hghaf099 added a commit that referenced this issue Mar 9, 2022
* Add support for PROXY protocol v2 in TCP listener

I did not find tests for this so I added one trying to cover different
configurations to make sure I did not break something. As far as I know,
the behavior should be exactly the same as before except for one thing
when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized
requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84
but it will now be logged.

Also fixes #9462 by adding
support for `PROXY UNKNOWN` for PROXY protocol v1.

Closes #3807

* Add changelog

Co-authored-by: Rémi Lapeyre <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
community-sentiment Tracking high-profile issues from the community core Issues and Pull-Requests specific to Vault Core enhancement
Projects
None yet
Development

Successfully merging a pull request may close this issue.

10 participants