cloudflared
Add support for haproxy proxy protocol
Currently all ssh connections are from localhost, and the original client address is not available to sshd.
The HAProxy proxy protocol allows the client address to be preserved for non-http connections like ssh.
Tunnel origin request configuration should have an option to send a proxy header at the start of the connection. This would allow the client address to be restored via mmproxy.
Note this is already supported by Spectrum (https://developers.cloudflare.com/spectrum/proxy-protocol).
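What the requested header looks like on the wire, as an added example (not cloudflared code and not from this issue thread): a Go sketch that builds a PROXY protocol v2 header for TCP over IPv4 and parses it on the receiving side, which is how the client address survives the hop. The function names and sample addresses are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// 12-byte signature that opens every PROXY protocol v2 header.
var sigV2 = []byte("\r\n\r\n\x00\r\nQUIT\n")

// BuildV2 returns the header a proxy writes before any payload (TCP over IPv4 only).
func BuildV2(src, dst netip.AddrPort) ([]byte, error) {
	if !src.Addr().Is4() || !dst.Addr().Is4() {
		return nil, errors.New("this sketch handles IPv4 only")
	}
	h := append([]byte{}, sigV2...)
	h = append(h, 0x21, 0x11)                // version 2 + PROXY command, AF_INET + STREAM
	h = binary.BigEndian.AppendUint16(h, 12) // length of the address block that follows
	s, d := src.Addr().As4(), dst.Addr().As4()
	h = append(append(h, s[:]...), d[:]...)
	h = binary.BigEndian.AppendUint16(h, src.Port())
	return binary.BigEndian.AppendUint16(h, dst.Port()), nil
}

// ParseV2 is the receiving side: it returns the original client address and the
// number of header bytes to strip before passing the stream to the service.
func ParseV2(b []byte) (netip.AddrPort, int, error) {
	var none netip.AddrPort
	if len(b) < 16 || !bytes.Equal(b[:12], sigV2) {
		return none, 0, errors.New("no PROXY v2 signature")
	}
	if b[12] != 0x21 || b[13] != 0x11 {
		return none, 0, errors.New("unsupported command or address family")
	}
	n := int(binary.BigEndian.Uint16(b[14:16]))
	if n < 12 || len(b) < 16+n {
		return none, 0, errors.New("truncated address block")
	}
	src, _ := netip.AddrFromSlice(b[16:20])
	return netip.AddrPortFrom(src, binary.BigEndian.Uint16(b[24:26])), 16 + n, nil
}

// demo round-trips constructed sample addresses (documentation ranges) with payload appended.
func demo() (netip.AddrPort, int, error) {
	hdr, err := BuildV2(netip.MustParseAddrPort("203.0.113.7:51544"), netip.MustParseAddrPort("192.0.2.10:22"))
	if err != nil {
		return netip.AddrPort{}, 0, err
	}
	return ParseV2(append(hdr, "SSH-2.0-client\r\n"...))
}

func main() { fmt.Println(demo()) }
```

A receiver should accept this header only on listeners that are reachable solely from the trusted proxy, because any peer that can connect directly can claim an arbitrary source address.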
Proxy protocol would also be needed for pointing cloudflared at an ingress controller that expects a proxy protocol header.
We have the following setup in AWS:
nlb(proxy_protocol_v2.enabled=true,preserve_client_ip.enabled=false) -> ingress-nginx(use-proxy-protocol: "true")
We would like to have this setup:
cloudflare(argo_tunnel) -> cloudflared
|
v
nlb(proxy_protocol_v2.enabled=true,preserve_client_ip.enabled=false) -> ingress-nginx(use-proxy-protocol: "true")
However, that would imply that cloudflared must "speak" proxy protocol.
An alternative would be to deploy another ingress controller that doesn't require a proxy protocol header, but we'd like to avoid that if possible.
This would be an amazing addition, very clearly needed for certain scenarios!
This is not only an issue with haproxy. Currently k8s nginx-ingresses behind cloudflared are unable to display real user IP.
Creating nginx-ingress like:
helm upgrade --install ingress-nginx ingress-nginx \
--repo https://kubernetes.github.io/ingress-nginx \
--set controller.config.use-proxy-protocol=true \
--namespace ingress-nginx --create-namespace
and pointing cloudflared instances to it simply doesn't work.
Adding proxy protocol would enable filtering of source IPs. Please consider bumping this to the top of the priority list.
Any updates? It's a key feature that we would like to use cloudflared