Posted to users@trafficserver.apache.org by Adi Mallikarjuna Reddy V <ad...@gmail.com> on 2019/01/22 22:31:21 UTC

Client IP

Our setup is like this in AWS.

          (HTTPS)            (HTTPS)
Client  ======>   ELB ======> EC2 instance (ATS) ====> Origin

We are not terminating HTTPS at ELB, continuing HTTPS all the way till the
node that runs ATS. In this case, if we look at squid.log, it shows ELB IP
as client IP, instead of the real client IP.

Is there anything wrong with this setup/configuration?


Thanks
Adi

Re: Client IP

Posted by Shu Kit Chan <ch...@gmail.com>.
So, according to this,

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/using-elb-listenerconfig-quickref.html

you can use the proxy protocol to pass the real client IP along and
ATS has recently added support for that feature as well -
https://github.com/apache/trafficserver/pull/3956

Thanks.

Kit

On Tue, Jan 22, 2019 at 2:31 PM Adi Mallikarjuna Reddy V
<ad...@gmail.com> wrote:
>
> Our setup is like this in AWS.
>
>           (HTTPS)            (HTTPS)
> Client  ======>   ELB ======> EC2 instance (ATS) ====> Origin
>
> We are not terminating HTTPS at ELB, continuing HTTPS all the way till the node that runs ATS. In this case, if we look at squid.log, it shows ELB IP as client IP, instead of the real client IP.
>
> Is there anything wrong with this setup/configuration?
>
>
> Thanks
> Adi
>
>

Re: Client IP

Posted by "Steven R. Feltner" <sf...@godaddy.com>.
Hi, Adi…

First, you’ll need to enable the Proxy Protocol on your ELB.  That will pass the Proxy Protocol information (client IP) on to your EC2 Instance running ATS.  In your ATS config, you’ll need to enable the Proxy Protocol on your port (proxy.config.http.server_ports in records.config) and you’ll need to enable inserting the Forwarded: header (proxy.config.http.insert_forwarded in records.config).  ATS will then accept the ProxyProtocol v1 header and transform that information to the Forwarded: header that then gets passed to your origin.

This is available starting in ATS v8.0.x and is documented here: Proxy Protocol<https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/configuration/proxy-protocol.en.html?highlight=proxy%20protocol>

Thanks,
Steven

From: Adi Mallikarjuna Reddy V <ad...@gmail.com>
Reply-To: "users@trafficserver.apache.org" <us...@trafficserver.apache.org>
Date: Tuesday, January 22, 2019 at 6:31 PM
To: "users@trafficserver.apache.org" <us...@trafficserver.apache.org>
Subject: Client IP

Our setup is like this in AWS.

          (HTTPS)            (HTTPS)
Client  ======>   ELB ======> EC2 instance (ATS) ====> Origin

We are not terminating HTTPS at ELB, continuing HTTPS all the way till the node that runs ATS. In this case, if we look at squid.log, it shows ELB IP as client IP, instead of the real client IP.

Is there anything wrong with this setup/configuration?


Thanks
Adi
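
Added example, not part of the original thread and not ATS code: a strict parser for the Proxy Protocol v1 line that a load balancer prepends to the connection, plus the `for=` value of a Forwarded: header built from it. The function names and the sample bytes are constructed for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest PROXY v1 line the spec allows, CRLF included

def parse_proxy_v1(data: bytes):
    """Return (info, rest): info is a dict, or None for 'PROXY UNKNOWN'.

    rest is everything after the PROXY line (for a pass-through HTTPS
    listener, the TLS handshake). Raises ValueError on malformed input.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 line")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("bad PROXY v1 field layout")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol field")
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:]):
        raise ValueError("bad port")
    return {"src": src, "dst": dst,
            "src_port": int(fields[4]), "dst_port": int(fields[5])}, rest

def forwarded_for(info) -> str:
    """Build the RFC 7239 'for=' parameter from the parsed source address."""
    if info is None:
        return "for=unknown"
    addr = info["src"]
    # RFC 7239: IPv6 literals are bracketed and the value is quoted.
    return f'for="[{addr}]"' if addr.version == 6 else f"for={addr}"

# Constructed sample: PROXY line followed by the first bytes of a TLS record.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.1.25 51234 443\r\n\x16\x03\x01"

if __name__ == "__main__":
    info, rest = parse_proxy_v1(SAMPLE)
    print(forwarded_for(info), rest)
```

The source address in the PROXY line is only as trustworthy as the peer that sent it, so a listener that accepts it should be reachable only from the load balancer.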