Akka-http: Support HAPROXY proxy protocol on the server side

Created on 8 Sep 2016 · 13 Comments · Source: akka/akka-http

HAProxy defines a TCP-based "proxy protocol" that wraps / prefixes reverse-proxy traffic with metadata from the original client.

See http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt.

Issue by prettynatty
_Wednesday Jan 20, 2016 at 14:15 GMT_
_Originally opened as https://github.com/akka/akka/issues/19541_


Akka HTTP lacks proxy protocol support.
There already was a demand in spray/spray#846. It's impossible to implement anti-flood scenarios in case of plain tcp connections when there is no way to determine real client ip via HTTP headers passed from reverse proxy.

help wanted 1 - triaged nice-to-have (low-prio) server

All 13 comments

Comment by jrudolph
_Thursday Jan 21, 2016 at 08:28 GMT_


Here's a previous discussion on the mailing list: https://groups.google.com/d/msg/akka-user/TdrTq_3ebK8/31vj4MzPCAAJ

Comment by sclasen
_Wednesday Feb 24, 2016 at 18:49 GMT_


:+1: please add.

Comment by sclasen
_Wednesday Feb 24, 2016 at 18:51 GMT_


prior netty art http://netty.io/4.1/api/io/netty/handler/codec/haproxy/HAProxyMessage.html

👍 this would be really helpful so we don't have to unreliably guess the IP from the XFF header.

@sihil how is that related to XFF?

We principally use AWS ELBs for routing traffic. They support the proxy protocol for passing on the user's IP address to applications behind the ELB. As an alternative they also add an X-Forwarded-For header - but it is hard to correctly identify the user IP without knowing all possible addresses of ELB hosts that it can pass through.

Ah, sorry, I just didn't understand what this ticket was about. Thanks for the clarification.

Updated the original ticket with more information.

Ah HA Proxy protocol, that makes sense now. Thanks for explaining, I also was wondering what was meant in the ticket title :)

Thanks @jrudolph.

If you have some pointers as to how to approach this or anything in akka-http that is a similar pattern then I'm open to having a bash at putting together a PR to address this. Unlikely to happen immediately due to other commitments though.

Can we simply parse the haproxy line and add it to the request as a header?
Something like this?

cc: @jrudolph @sihil

Support for this would be great. Right now our logs are littered with

Illegal request, responding with status '501 Not Implemented': Unsupported HTTP method: PROXY

entries, I'm not aware of a way to tell ELBs to only use XFF and not PROXY protocol (via kube at least).

> I'm not aware of a way to tell ELBs to only use XFF and not PROXY protocol (via kube at least).

I've got no recent experience but it sounds unlikely that there's no way to turn it off. There are so many different HTTP backend implementations and by far not all of them support the proxy protocol.

That said, we would welcome a PR that adds the capability. @kchaitanya1195's work looks promising but I'd prefer to keep it out of the HTTP parser (because it's not related to HTTP). If it would be something more general it would also work with HTTP2 etc.
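
The following is an added example, not code from this thread or from akka-http: a Python parser for the version 1 (text) PROXY line from the linked specification, applied to the first bytes of a connection so that the HTTP parser never sees the `PROXY` token. It accepts the header only from peers on a trusted-proxy list, since any other client could forge the line. The function and type names, the trusted network and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

MAX_V1_HEADER = 107  # longest v1 line including CRLF, per the proxy-protocol spec
# Constructed sample: bytes a proxy at 10.0.0.5 would send ahead of the HTTP request.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.20 56324 443\r\nGET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

class ProxyInfo(NamedTuple):
    family: str                      # "TCP4", "TCP6" or "UNKNOWN"
    src: Optional[Tuple[str, int]]   # original client (address, port)
    dst: Optional[Tuple[str, int]]   # address and port the client connected to

def _port(text: str) -> int:
    # Decimal, no leading zeros, within 0..65535.
    if not text.isdigit() or (len(text) > 1 and text[0] == "0") or int(text) > 65535:
        raise ValueError("bad port")
    return int(text)

def parse_proxy_v1(buf: bytes, peer_ip: str, trusted_proxies) -> Tuple[ProxyInfo, bytes]:
    """Strip a PROXY v1 line; return the parsed header and the remaining bytes."""
    # Only a known proxy may assert a client address; anyone else could spoof it.
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        raise PermissionError("PROXY header from untrusted peer")
    # The CRLF must appear within the first 107 bytes, otherwise reject.
    end = buf.find(b"\r\n", 0, MAX_V1_HEADER)
    if not buf.startswith(b"PROXY ") or end < 0:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = buf[:end].decode("ascii").split(" ")
    rest = buf[end + 2:]
    if fields[1] == "UNKNOWN":  # addresses not available; rest of the line is ignored
        return ProxyInfo("UNKNOWN", None, None), rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != version or dst.version != version:
        raise ValueError("address family mismatch")
    return ProxyInfo(fields[1], (str(src), _port(fields[4])), (str(dst), _port(fields[5]))), rest

if __name__ == "__main__":
    info, http_bytes = parse_proxy_v1(SAMPLE, "10.0.0.5", ["10.0.0.0/24"])
    print(info, http_bytes[:14])
```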
