
proxy protocol issue within cluster

Open venkatamutyala opened this issue 4 months ago • 6 comments

I appear to be running into this issue within k8s because of kube-proxy + proxy protocol work: https://www.digitalocean.com/community/questions/how-to-support-internal-traffic-with-proxy-protocol-enabled-on-a-kubernetes-loadbalancer

Any recommendations on a solution?

venkatamutyala avatar Aug 14 '25 22:08 venkatamutyala

I don't think we even have PROXY protocol support yet upstream? Note that Chisel Operator itself cannot filter any requests on its own so Chisel itself would have to do that.

My workaround is that I usually just set a custom DNS record (or hosts file) that points to the IP of the load balancer itself though, so I haven't gotten around to this case yet

korewaChino avatar Sep 27 '25 05:09 korewaChino

From what I understand, the issue you're encountering is that internal traffic towards a LBed service isn't getting proxy protocol headers? If so, we could implement a workaround such that the traffic wraps around to hit the LB and back. I wonder if there's a better solution for this though. If that's your situation, please let us know!

lleyton avatar Oct 17 '25 16:10 lleyton

Alternatively, a solution that may work better (if you have control over the underlying service) is to conditionally handle the PROXY protocol header, such that your service handles the case where the header isn't present.

lleyton avatar Oct 17 '25 16:10 lleyton
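The conditional handling suggested above, as an added illustration rather than code from Chisel Operator or from anyone in this thread: a service that reads the PROXY protocol header (v1 or v2) when a trusted load balancer sent one, and otherwise falls back to the TCP peer address, which is exactly what an in-cluster connection that skipped the LB needs. The trusted range, the sample addresses and the sample byte strings are all constructed for the example; which ranges count as trusted depends on your own network path and is an assumption here. The trust check matters because a PROXY header is unauthenticated: if the service accepted it from any peer, anything that can reach the pod directly could claim an arbitrary client address.

```python
"""Conditional PROXY protocol handling: honour the header when a trusted
load balancer sent one, fall back to the TCP peer address otherwise."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, Tuple

V1_PREFIX = b"PROXY "
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


@dataclass
class ClientInfo:
    ip: str
    port: int
    source: str  # "proxy-v1", "proxy-v2" or "peer"


def _from_peer(peer: Tuple[str, int]) -> ClientInfo:
    return ClientInfo(peer[0], peer[1], "peer")


def parse_proxy_header(data: bytes, peer: Tuple[str, int],
                       trusted_proxies: Iterable[str]) -> Tuple[ClientInfo, bytes]:
    """Inspect the first bytes of a connection.

    Returns (client address to log/authorize on, remaining payload).
    A header is only honoured when `peer` lies inside `trusted_proxies`;
    a header from anyone else is rejected as spoofing, while a connection
    with no header at all (the in-cluster case) is served using the peer
    address.
    """
    peer_ip = ipaddress.ip_address(peer[0])
    from_trusted = any(peer_ip in ipaddress.ip_network(n) for n in trusted_proxies)

    if data.startswith(V1_PREFIX):
        if not from_trusted:
            raise ValueError("PROXY v1 header from untrusted peer %s" % peer[0])
        end = data.find(b"\r\n", 0, 108)  # a v1 header is at most 107 bytes incl. CRLF
        if end == -1:
            raise ValueError("malformed PROXY v1 header")
        fields = data[:end].decode("ascii").split(" ")
        rest = data[end + 2:]
        if len(fields) == 6 and fields[1] in ("TCP4", "TCP6"):
            client_ip = str(ipaddress.ip_address(fields[2]))
            return ClientInfo(client_ip, int(fields[4]), "proxy-v1"), rest
        if len(fields) == 2 and fields[1] == "UNKNOWN":
            return _from_peer(peer), rest  # proxy could not describe the client
        raise ValueError("malformed PROXY v1 header")

    if data.startswith(V2_SIGNATURE):
        if not from_trusted:
            raise ValueError("PROXY v2 header from untrusted peer %s" % peer[0])
        if len(data) < 16:
            raise ValueError("truncated PROXY v2 header")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        if ver_cmd >> 4 != 2:
            raise ValueError("unsupported PROXY version")
        body, rest = data[16:16 + length], data[16 + length:]
        if len(body) < length:
            raise ValueError("truncated PROXY v2 header")
        command, family = ver_cmd & 0x0F, fam_proto >> 4
        if command == 0x0:  # LOCAL: health check from the proxy itself
            return _from_peer(peer), rest
        if family == 0x1 and length >= 12:  # AF_INET: src ip, dst ip, src port, dst port
            src, _dst, sport, _dport = struct.unpack("!4s4sHH", body[:12])
            return ClientInfo(str(ipaddress.IPv4Address(src)), sport, "proxy-v2"), rest
        if family == 0x2 and length >= 36:  # AF_INET6
            src, _dst, sport, _dport = struct.unpack("!16s16sHH", body[:36])
            return ClientInfo(str(ipaddress.IPv6Address(src)), sport, "proxy-v2"), rest
        return _from_peer(peer), rest  # AF_UNSPEC / AF_UNIX: nothing usable

    return _from_peer(peer), data  # no header: plain in-cluster connection


# Constructed samples (not captured traffic); the subnet is an assumed cluster range.
LB_NET = ["10.244.0.0/16"]
SAMPLE_V1 = b"PROXY TCP4 203.0.113.5 10.0.0.7 51234 443\r\nGET / HTTP/1.1\r\n"
SAMPLE_V2 = (V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + ipaddress.IPv4Address("198.51.100.9").packed
             + ipaddress.IPv4Address("10.0.0.7").packed
             + struct.pack("!HH", 4567, 443) + b"GET / HTTP/1.1\r\n")
SAMPLE_PLAIN = b"GET / HTTP/1.1\r\n"


def demo() -> dict:
    lb_peer = ("10.244.1.9", 40000)    # connection arriving via the load balancer
    pod_peer = ("10.244.3.21", 52000)  # direct pod-to-service traffic, no header
    results = {
        "v1": parse_proxy_header(SAMPLE_V1, lb_peer, LB_NET),
        "v2": parse_proxy_header(SAMPLE_V2, lb_peer, LB_NET),
        "plain": parse_proxy_header(SAMPLE_PLAIN, pod_peer, LB_NET),
    }
    try:
        parse_proxy_header(SAMPLE_V1, ("192.0.2.44", 1234), LB_NET)
        results["spoof"] = "accepted"
    except ValueError:
        results["spoof"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that the fallback only solves the "missing header" half of the problem: a legacy application that reads the header unconditionally still needs this wrapper in front of it (a sidecar or a small TCP shim), which is why the thread treats wrapping traffic back through the LB as the less invasive option.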

> From what I understand, the issue you're encountering is that internal traffic towards a LBed service isn't getting proxy protocol headers? If so, we could implement a workaround such that the traffic wraps around to hit the LB and back. I wonder if there's a better solution for this though. If that's your situation, please let us know!

I believe this is the exact issue and would be the preferred solution even if there are additional internet/egress costs incurred.

> Alternatively, a solution that may work better (if you have control over the underlying service) is to conditionally handle the PROXY protocol header, such that your service handles the case where the header isn't present.

Unfortunately, this is a bit more challenging, as some of the apps we are running are legacy and it would be painful to add this in.

venkatamutyala avatar Nov 04 '25 05:11 venkatamutyala

There should be a fix in the linked PR, could you test it and see if it works for your setup? It sets the ip_mode to Proxy when the proxy protocol annotation is set, which should make it so the traffic hits the LoadBalancer.

lleyton avatar Nov 07 '25 08:11 lleyton