akka-http
Support HAPROXY proxy protocol on the server side
HAProxy defines a TCP-based "proxy protocol" that wraps / prefixes reverse-proxy traffic with metadata from the original client.
See http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt.
Issue by prettynatty
Wednesday Jan 20, 2016 at 14:15 GMT
Originally opened as https://github.com/akka/akka/issues/19541
Akka HTTP lacks proxy protocol support. There already was a demand in spray/spray#846. It's impossible to implement anti-flood scenarios in case of plain TCP connections when there is no way to determine the real client IP via HTTP headers passed from the reverse proxy.
Comment by jrudolph
Thursday Jan 21, 2016 at 08:28 GMT
Here's a previous discussion on the mailing list: https://groups.google.com/d/msg/akka-user/TdrTq_3ebK8/31vj4MzPCAAJ
Comment by sclasen
Wednesday Feb 24, 2016 at 18:51 GMT
prior netty art http://netty.io/4.1/api/io/netty/handler/codec/haproxy/HAProxyMessage.html
👍 this would be really helpful so we don't have to unreliably guess the IP from the XFF header.
@sihil how is that related to XFF?
We principally use AWS ELBs for routing traffic. They support the proxy protocol for passing on the user's IP address to applications behind the ELB. As an alternative they also add an X-Forwarded-For header - but it is hard to correctly identify the user IP correctly without knowing all possible addresses of ELB hosts that it can pass through.
Ah, sorry, I just didn't understand what this ticket was about. Thanks for the clarification.
Updated the original ticket with more information.
Ah HA Proxy protocol, that makes sense now. Thanks for explaining, I also was wondering what was meant in the ticket title :)
Thanks @jrudolph.
If you have some pointers as to how to approach this or anything in akka-http that is a similar pattern then I'm open to having a bash at putting together a PR to address this. Unlikely to happen immediately due to other commitments though.
Can we simply parse the haproxy line and add it to the request as a header? Something like this?
cc: @jrudolph @sihil
Support for this would be great. Right now our logs are littered with
Illegal request, responding with status '501 Not Implemented': Unsupported HTTP method: PROXY
entries, I'm not aware of a way to tell ELBs to only use XFF and not PROXY protocol (via kube at least).
I'm not aware of a way to tell ELBs to only use XFF and not PROXY protocol (via kube at least).
I've got no recent experience but it sounds unlikely that there's no way to turn it off. There are so many different HTTP backend implementations and by far not all of them support the proxy protocol.
That said, we would welcome a PR that adds the capability. @kchaitanya1195's work looks promising but I'd prefer to keep it out of the HTTP parser (because it's not related to HTTP). If it would be something more general it would also work with HTTP2 etc.
@jrudolph can you provide some pointers on where you would start with an implementation? I'd like to give it a try but don't want to explore the whole codebase upfront.
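The step this thread asks for, consuming the PROXY line before any HTTP parsing so it never surfaces as an "Unsupported HTTP method: PROXY", is shown here as an added Python example; it is not akka-http code and not from any participant. The names `parse_v1`, `client_address`, `ProxyInfo` and the trusted-proxy set are hypothetical, the sample bytes are constructed, only the text (v1) format is handled, and `first` is assumed to hold the first read from the connection.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

MAX_V1_LEN = 107  # longest legal v1 line, CRLF included (proxy-protocol.txt)

class ProxyInfo(NamedTuple):
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int

def _port(tok: str) -> int:
    if not (tok.isdigit() and len(tok) <= 5 and int(tok) <= 65535):
        raise ValueError("bad port in PROXY header")
    return int(tok)

def parse_v1(first: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Return (client info, or None for UNKNOWN; bytes left for the HTTP layer)."""
    if not first.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 signature")
    end = first.find(b"\r\n", 0, MAX_V1_LEN)  # CRLF must end within 107 bytes
    if end < 0:
        raise ValueError("no CRLF within 107 bytes")
    parts = first[:end].decode("ascii").split(" ")
    rest = first[end + 2:]
    if parts[1] == "UNKNOWN":  # spec: ignore the remainder of the line
        return None, rest
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    if "%" in parts[2] + parts[3]:  # no scoped IPv6 literals on the wire
        raise ValueError("bad address in PROXY header")
    cls = ipaddress.IPv4Address if parts[1] == "TCP4" else ipaddress.IPv6Address
    src, dst = cls(parts[2]), cls(parts[3])  # raises a ValueError subclass
    return ProxyInfo(str(src), str(dst), _port(parts[4]), _port(parts[5])), rest

def client_address(peer: str, trusted_proxies: frozenset, first: bytes) -> Tuple[str, bytes]:
    """Honour the header only when the TCP peer is one of our own proxies."""
    if peer not in trusted_proxies:
        raise PermissionError(f"PROXY header from untrusted peer {peer}")
    info, rest = parse_v1(first)
    return (info.src_addr if info else peer), rest

# Constructed sample: first bytes of a connection relayed by a trusted proxy.
SAMPLE = b"PROXY TCP4 192.0.2.10 198.51.100.1 56324 443\r\nGET / HTTP/1.1\r\n\r\n"
if __name__ == "__main__":
    print(client_address("10.0.0.5", frozenset({"10.0.0.5"}), SAMPLE))
```

The peer check matters as much as the parsing: a listener that accepts the header from any peer lets a direct client choose the source address that rate limiting and logs will see.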