Posted to dev@cloudstack.apache.org by Fabrice Brazier <fa...@apalia.net> on 2012/07/16 10:56:22 UTC

Client source IP visibility

Hi Folks,



we need a way of configuring CloudStack load balancing with the integrated
ha-proxy load balancer without hiding the client (source) IP.

We see the TPROXY feature as a way of doing this; see
http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/



Is this functionality already implemented? Will it be in the future?



A possible workaround would be to use the “X-Forwarded-For” header for
filtering IP addresses.



Thanks,

Fabrice



-- 
Fabrice Brazier
*Apalia*™*
*FR: +33-632-73-53-00
*http://www.apalia.net
fabrice.brazier@apalia.net*

Re: Client source IP visibility

Posted by Wido den Hollander <wi...@widodh.nl>.
Hi,

On 17-07-12 16:23, Fabrice Brazier wrote:
> Hi Edison,
>
> I think it would be doable with X-Forwarded-For as workaround in some
> cases.
>
> For Apache:
> -----------------------------------------------------
> <Location "/only_proxy/">
>          SetEnvIf X-Forwarded-For ^10\.1\.1\. proxy_env
>          Order allow,deny
>          Satisfy Any
>          Allow from env=proxy_env
> </Location>
> -----------------------------------------------------
>
> I also found this in the CloudStack Docs:
> http://wiki.cloudstack.org/display/COMM/Log+the+IP+of+the+client+in+Apache+using+the+CloudStack+LoadBalancer
>
> For nginx there is a HttpRealipModule for stuff like that.
>
> But for our customers this would mean they have to adapt their
> applications and they would need to test and accept this solution in the
> POC.
> We would definitively like to see a solution which wouldn’t require on the
> application side.

Try mod_rpaf for Apache, that should do the trick.

Wido

>
> Regards,
> Fabrice
>
> --
> Fabrice Brazier
> Apalia™
> FR: +33-632-73-53-00
> http://www.apalia.net
> fabrice.brazier@apalia.net
>
>
> -----Original Message-----
> From: Edison Su [mailto:Edison.su@citrix.com]
> Sent: Monday, 16 July 2012 19:54
> To: cloudstack; cloudstack-users@incubator.apache.org
> Subject: RE: Client source IP visibility
>
>
>
>> -----Original Message-----
>> From: Fabrice Brazier [mailto:fabrice.brazier@apalia.net]
>> Sent: Monday, July 16, 2012 1:56 AM
>> To: cloudstack-users@incubator.apache.org
>> Cc: cloudstack
>> Subject: Client source IP visibility
>>
>> Hi Folks,
>>
>>
>>
>> we need a way of configuring CloudStack load balancing with the
>> integrated ha-proxy load balancer without hiding the client (source)
>> IP.
>>
>> We see the TPROXY feature as a way of doing this; see
>> http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/
>>
>>
>>
>> Is this functionality already implemented? Will it be in the future?
>>
>
> It needs a special kernel, not sure whether it works in the Debian squeeze
> kernel or not.
>
>>
>>
>> A possible workaround would be to use the "X-Forwarded-For" header for
>> filtering IP addresses.
>
> "option forwardfor" is already in the haproxy configuration file, by default.
> Doesn't it work for you? If not, please file a bug.
>
>>
>>
>>
>> Thanks,
>>
>> Fabrice
>>
>>
>>
>> --
>> Fabrice Brazier
>> *Apalia*(tm)*
>> *FR: +33-632-73-53-00
>> *http://www.apalia.net
>> fabrice.brazier@apalia.net*


RE: Client source IP visibility

Posted by Fabrice Brazier <fa...@apalia.net>.
Hi Edison,

I think it would be doable with X-Forwarded-For as workaround in some
cases.

For Apache:
-----------------------------------------------------
<Location "/only_proxy/">
        SetEnvIf X-Forwarded-For ^10\.1\.1\. proxy_env
        Order allow,deny
        Satisfy Any
        Allow from env=proxy_env
</Location>
-----------------------------------------------------

I also found this in the CloudStack Docs:
http://wiki.cloudstack.org/display/COMM/Log+the+IP+of+the+client+in+Apache+using+the+CloudStack+LoadBalancer

For nginx there is a HttpRealipModule for stuff like that.

But for our customers this would mean they have to adapt their
applications and they would need to test and accept this solution in the
POC.
We would definitively like to see a solution which wouldn’t require on the
application side.

Regards,
Fabrice

--
Fabrice Brazier
Apalia™
FR: +33-632-73-53-00
http://www.apalia.net
fabrice.brazier@apalia.net


-----Original Message-----
From: Edison Su [mailto:Edison.su@citrix.com]
Sent: Monday, 16 July 2012 19:54
To: cloudstack; cloudstack-users@incubator.apache.org
Subject: RE: Client source IP visibility



> -----Original Message-----
> From: Fabrice Brazier [mailto:fabrice.brazier@apalia.net]
> Sent: Monday, July 16, 2012 1:56 AM
> To: cloudstack-users@incubator.apache.org
> Cc: cloudstack
> Subject: Client source IP visibility
>
> Hi Folks,
>
>
>
> we need a way of configuring CloudStack load balancing with the
> integrated ha-proxy load balancer without hiding the client (source)
> IP.
>
> We see the TPROXY feature as a way of doing this; see
> http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/
>
>
>
> Is this functionality already implemented? Will it be in the future?
>

It needs a special kernel, not sure whether it works in the Debian squeeze
kernel or not.

>
>
> A possible workaround would be to use the "X-Forwarded-For" header for
> filtering IP addresses.

"option forwardfor" is already in the haproxy configuration file, by default.
Doesn't it work for you? If not, please file a bug.

>
>
>
> Thanks,
>
> Fabrice
>
>
>
> --
> Fabrice Brazier
> *Apalia*(tm)*
> *FR: +33-632-73-53-00
> *http://www.apalia.net
> fabrice.brazier@apalia.net*
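
Added example, not part of any message in this thread: haproxy's "option forwardfor" appends the address it saw as the last X-Forwarded-For value, so a prefix match like the posted SetEnvIf pattern tests whatever value arrived first, which may have been supplied by the client. The sketch compares that rule with a right-to-left walk that only believes the header when the TCP peer is the load balancer; the balancer address 192.0.2.10 and all sample requests are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions (not from the thread): the load balancer reaches the backend from
# 192.0.2.10; all sample requests below are constructed.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]
ALLOWED_CLIENTS = ipaddress.ip_network("10.1.1.0/24")  # range the posted regex targets
PREFIX_RULE = re.compile(r"^10\.1\.1\.")               # SetEnvIf pattern from the post


def prefix_rule_allows(xff_values):
    """Mimic the posted rule: regex against the merged header value."""
    return bool(PREFIX_RULE.search(", ".join(xff_values)))


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_values):
    """Walk X-Forwarded-For right to left, skipping trusted proxies."""
    candidate = ipaddress.ip_address(peer)
    if not is_trusted(candidate):
        return candidate  # direct connection: the header is client-controlled
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop at the last address we could verify
        candidate = addr
        if not is_trusted(addr):
            break
    return candidate


def strict_rule_allows(peer, xff_values):
    return client_ip(peer, xff_values) in ALLOWED_CLIENTS


SAMPLES = [  # (TCP peer, X-Forwarded-For header lines as the backend receives them)
    ("192.0.2.10", ["10.1.1.25"]),                 # appended by the load balancer
    ("192.0.2.10", ["10.1.1.99", "203.0.113.7"]),  # first value came from the client
    ("203.0.113.7", ["10.1.1.5"]),                 # request that bypassed the balancer
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, xff, prefix_rule_allows(xff), strict_rule_allows(peer, xff))
```

The prefix rule admits all three constructed requests, while the right-to-left walk admits only the first.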

RE: Client source IP visibility

Posted by Edison Su <Ed...@citrix.com>.

> -----Original Message-----
> From: Fabrice Brazier [mailto:fabrice.brazier@apalia.net]
> Sent: Monday, July 16, 2012 1:56 AM
> To: cloudstack-users@incubator.apache.org
> Cc: cloudstack
> Subject: Client source IP visibility
> 
> Hi Folks,
> 
> 
> 
> we need a way of configuring CloudStack load balancing with the
> integrated
> ha-proxy load balancer without hiding the client (source) IP.
> 
> We see the TPROXY feature as a way of doing this; see
> http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/
>
>
>
> Is this functionality already implemented? Will it be in the future?
>

It needs a special kernel, not sure whether it works in the Debian squeeze kernel or not.

> 
> 
> A possible workaround would be to use the "X-Forwarded-For" header for
> filtering IP addresses.

"option forwardfor" is already in the haproxy configuration file, by default.
Doesn't it work for you? If not, please file a bug.

> 
> 
> 
> Thanks,
> 
> Fabrice
> 
> 
> 
> --
> Fabrice Brazier
> *Apalia*(tm)*
> *FR: +33-632-73-53-00
> *http://www.apalia.net
> fabrice.brazier@apalia.net*
