You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Guillermo Grandes <gu...@gmail.com> on 2014/12/09 23:52:39 UTC

Re: [users@httpd] Support for Proxy Protocol

Hi Zhang,

I had this problem too, and this is a module that support PROXY protocol for Apache 2.2/2.4, may be solve your problem?

For Apache 2.4: http://goo.gl/ThoZXN
For Apache 2.2: http://goo.gl/pxsCVm

The source code (beta) is Hosted in Github and licensed under Apache 2.0 License.

Original Article:
http://wp.me/p19O7G-na 


Best regards,
Guillermo

  ----- Original Message ----- 
  From: Zhang Zhang 
  To: users@httpd.apache.org 
  Sent: Friday, August 22, 2014 6:46 PM
  Subject: [users@httpd] Support for Proxy Protocol


  Hi,  


  I have a problem that I don't know how to resolve. It is very appreciated if anyone could share some thought on how to resolve it.


  Scenario:
  I have an ELB setup in AMS cloud, there are two apache servers (2.4.4) behind the ELB, act as gateway, the apache servers is listing to port 443 which is a HTTPS port, ELB is setup with TCP/SSL, when a request comes in to ELB, ELB will forward it to apache servers, and apache servers will forward it to down stream servers with proxypass directive. 


  Issue:
  There is an issue in this setup, the ELB is stopping the down stream server to get source IP address of the request, what apache server can see is the message is coming from ip addresses of ELB instances, not the actual sender's ip address. I can not change the ELB to use HTTP/HTTPS and take advantage of the "X-Forward-" headers, because the special mutual authentication I need for the apache instances. The ELB of AWS support a TCP protocol called "Proxy Protocol v1" which is able to forward the source ip address to apache.


  Proxy Protocol:
  Proxy Protocol is a protocol for TCP/SSL load balancer to carry source IP address information and forward to down stream servers, the message with a HTTP GET request would looks like:
    PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n
    GET / HTTP/1.1\r\n
    Host: 192.168.0.11\r\n
    \r\nBasically this protocol add a new line after the TCP headers and before the body.
  For HTTPS it is more complex, I imagine the message for HTTPS would looks like:
    PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n
    <Encrypted binary>Here is the link to the protocol:http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
Question:Obviously this new line before the request body will cause SSL and other module fail, how we going to support this "Proxy Protocol" ?ThanksJJ