Proxy Protocol Support for SSL Passthrough

[maennchen]

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):

---

Is this a BUG REPORT or FEATURE REQUEST? (choose one): Feature Request

NGINX Ingress controller version: 0.10.2

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.4", GitCommit:"9befc2b8928a9426501d3bf62f72849d5cbcd5a3", GitTreeState:"clean", BuildDate:"2017-11-20T05:28:34Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"7+", GitVersion:"v1.7.11-gke.1", GitCommit:"3500f53730c1fea7b57901977df165c3eb317bce", GitTreeState:"clean", BuildDate:"2017-12-08T18:05:07Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

Environment:

• Cloud provider or hardware configuration: Google Cloud Platform Kubernetes Engine
• OS (e.g. from /etc/os-release): Container-Optimized OS from Google

What happened:

I'm using SSL Passthrough to one of my services. I need to read the Remote IP.

I expected to get successful connections using the Proxy Protocol, got a normal TLS connection instead.

What you expected to happen:

I expected to get successful connections using the Proxy Protocol, got a normal TLS connection instead.

How to reproduce it (as minimally and precisely as possible):

I created a Test Service that requires the usage of the Proxy Protocol:

https://gist.github.com/maennchen/ebca3d8ce27694055db6723a1033143e

Anything else we need to know:

[jhorwit2]

@maennchen I think this is supported as you can see here

[maennchen]

@jhorwit2 Is there an annotation to enable it?

[maennchen]

I know that it is possible for TCP services, but I don't think that it's currently possible for SSL Passthrough.

[Spindel]

It's currently hardcoded to False for SSL Passthrough objects

internal/ingress/controller/nginx.go

                    //TODO: Allow PassthroughBackends to specify they support proxy-protocol
                    servers = append(servers, &TCPServer{
                            Hostname:      pb.Hostname,
                            IP:            svc.Spec.ClusterIP,
                            Port:          port,
                            ProxyProtocol: false,
                    })

So it's not available via annotations.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[maennchen]

This is still not working, it should not be closed.

[maennchen]

/remove-lifecycle stale

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[maennchen]

/remove-lifecycle stale

[rikatz]

@maennchen The upstream service is accepting Proxy Protocol, or you need ingress to accept proxy protocol into it listener?

[maennchen]

@rikatz I need the Proxy Protocol between the nginx and the endpoint in the docker pod if the nginx is not terminating TLS. Otherwise it‘s impossible to find out the remote ip of a request when using tls passthrough.

[thylong]

Hey @maennchen did you find a solution for that issue?

[maennchen]

@thylong Nope, sorry.

[thylong]

This is a critical issue for e-commerce platforms running Kubernetes as we need to keep track of the remote IP.

If we want to support HTTP/2 on AWS we have to use SSL passthrough combined to proxy protocol.
We are tempted to fork until this feature comes out

[thylong]

Looks like our redemption is here @maennchen : #2380

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[maennchen]

/remove-lifecycle stale

[missinglink]

/remove-lifecycle stale

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[frittentheke]

/remove-lifecycle stale

[missinglink]

Is there anything that can be done to help this get merged?

[yann-soubeyrand]

Hi,

People expressed the need to have proxy protocol headers passed to the backend servers, but I'd like to mention that there are also use cases where one would need NGINX to handle proxy protocol headers comming from the load balancer to record the client IP in its log, and pass the “deencapsulated” connection to the backend server (which may not be able to handle proxy protocol).

[iamNoah1]

@maennchen @Constantin07 @yann-soubeyrand @strigazi if you want to see this feature, we would be happy to see one of you follow up on #4770 to complete the work of @dm3ch

[iamNoah1]

/priority important-soon
/help

[k8s-ci-robot]

@iamNoah1:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• Does this issue have zero to low barrier of entry?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/priority important-soon
/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[Constantin07]

/remove-lifecycle stale

[iamNoah1]

/triage accepted

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[Constantin07]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[Constantin07]

/remove-lifecycle rotten

[k8s-triage-robot]

This issue is labeled with priority/important-soon but has not been updated in over 90 days, and should be re-triaged.
Important-soon issues must be staffed and worked on either currently, or very soon, ideally in time for the next release.

You can:

• Confirm that this issue is still relevant with /triage accepted (org members only)
• Deprioritize it with /priority important-longterm or /priority backlog
• Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

[k8s-ci-robot]

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rikatz]

@maennchen I'm closing this on favor of #9448 where we are going to reimplement the SSL Passthrough.

If you can, please let us know your thoughts o that.

Thanks!
/close

[k8s-ci-robot]

@rikatz: Closing this issue.

In response to this:

@maennchen I'm closing this on favor of #9448 where we are going to reimplement the SSL Passthrough.

If you can, please let us know your thoughts o that.

Thanks!
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.