Posted to dev@trafficserver.apache.org by "Steven R. Feltner" <sf...@godaddy.com> on 2017/10/26 21:34:15 UTC

Proxy Protocol Discussion

Following up on our recent, brief discussion in IRC on Tuesday regarding implementing Proxy Protocol in ATS…

After pressing for more requirements, it turns out my use case is similar to unixwitch.  In our case, the load balancer will produce the Proxy Protocol headers that get passed to an ingress controller (nginx).  nginx is then going to do a full TCP pass-through to ATS, so nginx will reproduce/pass-on the Proxy Protocol headers.  ATS will then have to interpret data from the socket, inspect the PROXY headers, terminate TLS and pass the PROXY headers downstream to back-end web servers.

Since the incoming data coming into ATS is TCP, the “Forwarded:” header will not work in our case.

I can work on this full time.  I could just use some direction on the best way to implement and where to start.

Thanks,
Steven


Re: Proxy Protocol Discussion

Posted by Alan Carroll <so...@oath.com.INVALID>.
I'd forgotten about those PortDescriptor calls :-). I've been thinking
about this and a way to do this in core might be to allow plugin access to
the ProtocolProbe logic. The plugin would specify basically a string_view to
match (size and exact byte sequence) and the protocol probe would look for
that and Accept on the plugin if matched. It'd be nice if the plugin could
"pass it back" to the normal accept after stripping the wrapper. You'd want
some kind of wrapper injection for outbound.

On Thu, Oct 26, 2017 at 5:16 PM, James Peach <jp...@apache.org> wrote:

>
> > On Oct 26, 2017, at 2:34 PM, Steven R. Feltner <sf...@godaddy.com>
> wrote:
> >
> > Following up on our recent, brief discussion in IRC on Tuesday regarding
> implementing Proxy Protocol in ATS…
> >
> > After pressing for more requirements, it turns out my use case is
> similar to unixwitch.  In our case, the load balancer will produce the
> Proxy Protocol headers that get passed to an ingress controller (nginx).
> nginx is then going to do a full TCP pass-through to ATS, so nginx will
> reproduce/pass-on the Proxy Protocol headers.  ATS will then have to
> interpret data from the socket, inspect the PROXY headers, terminate TLS
> and pass the PROXY headers downstream to back-end web servers.
> >
> > Since the incoming data coming into ATS is TCP, the “Forwarded:” header
> will not work in our case.
> >
> > I can work on this full time.  I could just use some direction on the
> best way to implement and where to start.
>
> FWIW, this is implementable as a plugin (see
> https://github.com/apache/trafficserver/blob/master/example/passthru/passthru.cc
> for 90% of the code you'd need). It would be a neat feature for core though
>
> J

Re: Proxy Protocol Discussion

Posted by James Peach <jp...@apache.org>.
> On Oct 26, 2017, at 2:34 PM, Steven R. Feltner <sf...@godaddy.com> wrote:
> 
> Following up on our recent, brief discussion in IRC on Tuesday regarding implementing Proxy Protocol in ATS…
> 
> After pressing for more requirements, it turns out my use case is similar to unixwitch.  In our case, the load balancer will produce the Proxy Protocol headers that get passed to an ingress controller (nginx).  nginx is then going to do a full TCP pass-through to ATS, so nginx will reproduce/pass-on the Proxy Protocol headers.  ATS will then have to interpret data from the socket, inspect the PROXY headers, terminate TLS and pass the PROXY headers downstream to back-end web servers.
> 
> Since the incoming data coming into ATS is TCP, the “Forwarded:” header will not work in our case.
> 
> I can work on this full time.  I could just use some direction on the best way to implement and where to start.

FWIW, this is implementable as a plugin (see https://github.com/apache/trafficserver/blob/master/example/passthru/passthru.cc for 90% of the code you'd need). It would be a neat feature for core though

J
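
An added example, not code from this thread or from Traffic Server: a strict probe-and-strip routine for a PROXY protocol v1 line, in the shape Alan Carroll's reply sketches (exact `string_view` match at offset 0, then hand the remaining bytes back to the normal accept). All names are hypothetical, only v1 `TCP4`/`TCP6` is handled, the 107-byte limit comes from the HAProxy PROXY protocol specification, and the sample addresses in the test are constructed.

```cpp
#include <arpa/inet.h>
#include <charconv>
#include <optional>
#include <string>
#include <string_view>

// Hypothetical names throughout; none of this is Traffic Server API.
struct ProxyV1 {
  std::string src, dst;          // validated address literals
  unsigned sport = 0, dport = 0;
  size_t consumed = 0;           // wrapper bytes to strip before the normal accept
};
constexpr std::string_view V1_SIG = "PROXY ";
constexpr size_t V1_MAX = 107;   // longest v1 line including CRLF (HAProxy spec)
// Probe: exact byte sequence at offset 0, nothing fuzzier.
bool probe_v1(std::string_view buf) { return buf.substr(0, V1_SIG.size()) == V1_SIG; }

static std::string_view next_tok(std::string_view &s) {
  size_t sp = s.find(' ');
  std::string_view t = s.substr(0, sp);
  s = sp == std::string_view::npos ? std::string_view{} : s.substr(sp + 1);
  return t;
}

static bool parse_port(std::string_view t, unsigned &out) {
  auto [p, ec] = std::from_chars(t.data(), t.data() + t.size(), out);
  return ec == std::errc{} && p == t.data() + t.size() && out <= 65535;
}

// nullopt means malformed: the caller should drop the connection, not guess.
std::optional<ProxyV1> parse_v1(std::string_view buf) {
  if (!probe_v1(buf)) return std::nullopt;
  size_t eol = buf.substr(0, V1_MAX).find("\r\n");
  if (eol == std::string_view::npos) return std::nullopt;  // unterminated or over-long
  std::string_view line = buf.substr(V1_SIG.size(), eol - V1_SIG.size());
  std::string_view fam = next_tok(line);
  int af = fam == "TCP4" ? AF_INET : fam == "TCP6" ? AF_INET6 : -1;
  if (af < 0) return std::nullopt;  // "UNKNOWN" is refused in this sketch
  ProxyV1 h;
  h.src = next_tok(line);
  h.dst = next_tok(line);
  unsigned char tmp[16];
  if (inet_pton(af, h.src.c_str(), tmp) != 1 || inet_pton(af, h.dst.c_str(), tmp) != 1)
    return std::nullopt;
  std::string_view sp = next_tok(line);  // what remains in `line` is the dest port
  if (!parse_port(sp, h.sport) || !parse_port(line, h.dport)) return std::nullopt;
  h.consumed = eol + 2;
  return h;
}
```

The header carries no authentication, so a listener should run this probe only on connections arriving from the load balancer or nginx tier and treat the addresses as untrusted from any other peer.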