
Proxy Protocol for TCP mode (L4xNAT)

Open kladiv opened this issue 3 years ago • 4 comments

Hello, does Zevenet CE support Proxy Protocol (v2) for TCP mode (L4xNAT - SNAT)? During our tests it seems not. This feature is quite important in the case of a ZLB in front of a Kubernetes on-premise cluster (with NodePort services exposing SSL/HTTPS traffic). Any ETA?

We tested the https profile, but our SSL is managed by the Kubernetes service itself (cert-manager + Ingress). The ZLB https profile requires SSL for configuration, so it is not applicable.

Thank you

Best, Claudio

kladiv avatar Dec 07 '20 22:12 kladiv

Hello,

Reading your issue, I deduce you need the client connection information in your Kubernetes cluster. Using the L4xNAT profile with SNAT mode, you should get the client IP in the Kubernetes ingress. Remember that the load balancer has to be configured as the Kubernetes gateway in order to forward the response to the clients.

If you need further assistance configuring it, you can write in the ZEVENET community list.

As you mentioned, the HTTP profile requires the certificates to work with SSL, but this profile does not add the proxy protocol (v2) headers at the moment. Instead, you could get the client IP from the "X-Forwarded-For" header.

Best regards

cano-devel avatar Dec 09 '20 09:12 cano-devel

Sorry, I made a mistake in my previous comment. You should use DNAT mode in the L4xNAT profile.

cano-devel avatar Dec 09 '20 09:12 cano-devel

Hi @alvarocano-zevenet, DNAT is not applicable because the Kubernetes cluster default gateway (the nodes' default gateway) cannot be changed.

Are you able to add ProxyProtocol to TCP Mode (via L4xNAT), or does it require a refactor of the TCP Mode method?

Thank you

Best, Claudio

kladiv avatar Dec 09 '20 11:12 kladiv

Hi,

The L4xNAT profile manages only connection information; it is not possible to modify the application data with it because the kernel manages the packets in this profile.

I recommend you test with the HTTP profile for your environment. You only have to configure an HTTPS farm and add the SSL certificates to it.

Regards

cano-devel avatar Dec 09 '20 16:12 cano-devel
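
Added example, not part of the original thread or of ZEVENET's code: a PROXY protocol v2 header is a block of bytes prepended to the TCP payload itself, which is why a forwarder that only rewrites addresses and ports cannot emit it. The Python sketch below builds the header for a TCP-over-IPv4 connection and parses it as a backend would; the function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import struct

# Fixed 12-byte signature that opens every PROXY protocol v2 header.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def build_v2_tcp4(src_ip, src_port, dst_ip, dst_port):
    """Header a proxy prepends to the stream for a TCP-over-IPv4 connection."""
    addrs = (ipaddress.IPv4Address(src_ip).packed
             + ipaddress.IPv4Address(dst_ip).packed
             + struct.pack("!HH", src_port, dst_port))
    # 0x21 = version 2 + PROXY command; 0x11 = AF_INET + STREAM
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addrs)) + addrs


def parse_v2(stream):
    """Return (client info dict or None, remaining application payload)."""
    if len(stream) < 16 or not stream.startswith(PP2_SIGNATURE):
        raise ValueError("no PROXY v2 header at start of stream")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", stream[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(stream) < 16 + length:
        raise ValueError("truncated PROXY v2 header")
    body, payload = stream[16:16 + length], stream[16 + length:]
    command = ver_cmd & 0x0F
    if command == 0:
        # LOCAL: connection opened by the proxy itself, no client address
        return None, payload
    if command != 1:
        raise ValueError("unknown PROXY v2 command")
    # This example handles only TCP over IPv4 (0x11) and IPv6 (0x21).
    if fam_proto == 0x11 and length >= 12:
        alen = 4
    elif fam_proto == 0x21 and length >= 36:
        alen = 16
    else:
        raise ValueError("unsupported address family or protocol")
    src = ipaddress.ip_address(body[:alen])
    dst = ipaddress.ip_address(body[alen:2 * alen])
    sport, dport = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    info = {"src": str(src), "src_port": sport,
            "dst": str(dst), "dst_port": dport}
    return info, payload
```

A backend should accept this header only on connections coming from the load balancer's own address, since any client that can reach the port directly could otherwise supply a source address of its choosing.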