IPv6: Received something which does not look like a PROXY protocol header

[aep]

in version 1.10.11, with dual stack enabled, https over ipv6 randomly results in connection reset

the log indicates:

IPv6: Received something which does not look like a PROXY protocol header

possibly this has something to do with both frontend https listening on :: instead of [::1] which it should to follow the thing done for ipv4

Status:       Running
IP:           10.182.80.161
IPs:
  IP:           10.182.80.161
  IP:           fdfd:b6:1::ed1
Controlled By:  DaemonSet/admin-kubernetes-ingress

Containers:
  kubernetes-ingress-controller:
    Container ID:  cri-o://aca77e6fecfec6780d97c1775394114651fcd1fb99eb03f91864690844ddcbbe
    Image:         haproxytech/kubernetes-ingress:1.10.11
    Image ID:      docker.io/haproxytech/kubernetes-ingress@sha256:592674421a83e7962aeeeaeac072732232bf53faff32b7a8086b9e13c52c6cb6
    Ports:         8080/TCP, 8443/TCP, 1024/TCP
    Host Ports:    80/TCP, 443/TCP, 1024/TCP
    Args:
      --default-ssl-certificate=ingress/admin-kubernetes-ingress-default-cert
      --configmap=ingress/admin-kubernetes-ingress
      --http-bind-port=8080
      --https-bind-port=8443
      --ingress.class=admin
      --publish-service=ingress/admin-kubernetes-ingress
      --log=debug
      --prometheus

/ # cat /etc/haproxy/haproxy.cfg 
# _version=9
# HAProxy Technologies
# https://www.haproxy.com/
# this file is not meant to be changed directly
# it is under haproxy ingress controller management

global
  localpeer local
  master-worker
  pidfile /var/run/haproxy.pid
  stats socket /var/run/haproxy-runtime-api.sock expose-fd listeners level admin
  stats timeout 36000
  tune.ssl.default-dh-param 2048
  ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10
  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES
  hard-stop-after 1800000
  log stdout format raw daemon
  default-path config

defaults
  log global
  log-format '%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs "%HM %[var(txn.base)] %HV"'
  option redispatch 0
  option dontlognull
  option http-keep-alive
  timeout http-request 5000
  timeout connect 5000
  timeout client 50000
  timeout queue 5000
  timeout server 50000
  timeout tunnel 3600000
  timeout http-keep-alive 60000

peers localinstance
  peer local 127.0.0.1:10000

frontend healthz
  mode http
  bind 0.0.0.0:1042 name v4
  bind :::1042 name v6 v4v6
  monitor-uri /healthz
  option dontlog-normal

frontend http
  mode http
  bind 0.0.0.0:8080 name v4
  bind :::8080 name v6
  http-request set-var(txn.base) base
  http-request set-var(txn.path) path
  http-request set-var(txn.host) req.hdr(Host),field(1,:),lower
  http-request set-var(txn.host_match) var(txn.host),map(/etc/haproxy/maps/host.map)
  http-request set-var(txn.host_match) var(txn.host),regsub(^[^.]*,,),map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host_match) -m found }
  http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)
  http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.path_match) -m found }
  http-request deny deny_status 403 if { var(txn.path_match) -m dom 9df5c5b72e74927daab429c3adaf0822 } !{ src -f /etc/haproxy/maps/whitelist-7ea526968d6dbb9fff840c8026065a2b.map }
  http-request redirect location https://%[hdr(host),field(1,:)]:443%[capture.req.uri] code 302 if { var(txn.path_match) -m dom dbe4b28f9c4404fc36a7ae76ead9a37d } 
  use_backend %[var(txn.path_match),field(1,.)]
  default_backend ingress_default-local-service_http

frontend https
  mode http
  bind 127.0.0.1:8443 name v4 crt /etc/haproxy/certs/frontend ssl alpn h2,http/1.1 accept-proxy
  bind :::8443 name v6 crt /etc/haproxy/certs/frontend ssl v4v6 alpn h2,http/1.1 accept-proxy
  http-request set-var(txn.base) base
  http-request set-var(txn.path) path
  http-request set-var(txn.host) req.hdr(Host),field(1,:),lower
  http-request set-var(txn.host_match) var(txn.host),map(/etc/haproxy/maps/host.map)
  http-request set-var(txn.host_match) var(txn.host),regsub(^[^.]*,,),map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host_match) -m found }
  http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)
  http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.path_match) -m found }
  http-request deny deny_status 403 if { var(txn.path_match) -m dom 9df5c5b72e74927daab429c3adaf0822 } !{ src -f /etc/haproxy/maps/whitelist-7ea526968d6dbb9fff840c8026065a2b.map }
  http-request set-header X-Forwarded-Proto https
  use_backend %[var(txn.path_match),field(1,.)]
  default_backend ingress_default-local-service_http

frontend ssl
  mode tcp
  bind 0.0.0.0:8443 name v4
  bind :::8443 name v6 v4v6
  log-format '%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs SNI: %[var(sess.sni)]'
  tcp-request content reject if !{ req_ssl_hello_type 1 }
  tcp-request inspect-delay 5000
  tcp-request content set-var(sess.sni) req_ssl_sni
  tcp-request content set-var(txn.sni_match) req_ssl_sni,map(/etc/haproxy/maps/sni.map)
  tcp-request content set-var(txn.sni_match) req_ssl_sni,regsub(^[^.]*,,),map(/etc/haproxy/maps/sni.map)
  tcp-request content reject if { var(txn.sni_match) -m dom 9df5c5b72e74927daab429c3adaf0822 } !{ src -f /etc/haproxy/maps/whitelist-7ea526968d6dbb9fff840c8026065a2b.map }
  use_backend %[var(txn.sni_match),field(1,.)]
  default_backend ssl

frontend stats
  mode http
  bind *:1024 name stats
  bind :::1024 name v6
  stats enable
  stats uri /
  stats refresh 10s
  http-request set-var(txn.base) base
  http-request use-service prometheus-exporter if { path /metrics }

backend ssl
  mode tcp
  server https 127.0.0.1:8443 send-proxy-v2

[aep]

i believe this only happens when an ingress has ssl passthrough enabled. however, i cant figure out why. the code looks fine?

https://github.com/haproxytech/kubernetes-ingress/blob/master/pkg/handler/https.go#L69

[ivanmatmati]

Hi @aep , thanks for reporting. We'll check that.

[ivanmatmati]

Hi @aep , it's solved in the latest code which will be included in the next release. Can you test the nightly build ? You only have to replace the version/latest of the controller Docker image inside the yaml file with nightly.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.