Proxy Protocol Support for SSL Passthrough #2003
Comments
@maennchen I think this is supported as you can see here
@jhorwit2 Is there an annotation to enable it?
I know that it is possible for TCP services, but I don't think that it's currently possible for SSL Passthrough.
It's currently hardcoded to False for SSL Passthrough objects
So it's not available via annotations.
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
This is still not working, it should not be closed.
/remove-lifecycle stale
/remove-lifecycle stale
@maennchen The upstream service is accepting Proxy Protocol, or you need ingress to accept proxy protocol into its listener?
@rikatz I need the Proxy Protocol between the nginx and the endpoint in the docker pod if the nginx is not terminating TLS. Otherwise it's impossible to find out the remote IP of a request when using TLS passthrough.
Hey @maennchen did you find a solution for that issue?
@thylong Nope, sorry.
This is a critical issue for e-commerce platforms running Kubernetes as we need to keep track of the remote IP. If we want to support HTTP/2 on AWS we have to use SSL passthrough combined with proxy protocol.
Looks like our redemption is here @maennchen: #2380
/remove-lifecycle stale
/remove-lifecycle stale
/remove-lifecycle stale
Is there anything that can be done to help this get merged?
Hi, people expressed the need to have proxy protocol headers passed to the backend servers, but I'd like to mention that there are also use cases where one would need NGINX to handle proxy protocol headers coming from the load balancer to record the client IP in its log, and pass the “deencapsulated” connection to the backend server (which may not be able to handle proxy protocol).
@maennchen @Constantin07 @yann-soubeyrand @strigazi if you want to see this feature, we would be happy to see one of you follow up on #4770 to complete the work of @dm3ch
/priority important-soon
@iamNoah1: Guidelines
Please ensure that the issue body includes answers to the following questions:
For more details on the requirements of such an issue, please see here and ensure that they are met. If this request no longer meets these requirements, the label can be removed
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
/triage accepted
/remove-lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
/remove-lifecycle rotten
This issue is labeled with You can:
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/
/remove-triage accepted
This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@maennchen I'm closing this in favor of #9448 where we are going to reimplement the SSL Passthrough. If you can, please let us know your thoughts on that. Thanks!
@rikatz: Closing this issue. In response to this:
Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):
What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):
Is this a BUG REPORT or FEATURE REQUEST? (choose one): Feature Request
NGINX Ingress controller version:
0.10.2
Kubernetes version (use kubectl version):
Environment:
What happened:
I'm using SSL Passthrough to one of my services. I need to read the Remote IP.
I expected to get successful connections using the Proxy Protocol, got a normal TLS connection instead.
What you expected to happen:
I expected to get successful connections using the Proxy Protocol, got a normal TLS connection instead.
How to reproduce it (as minimally and precisely as possible):
I created a Test Service that requires the usage of the Proxy Protocol:
https://gist.github.com/maennchen/ebca3d8ce27694055db6723a1033143e
Anything else we need to know:
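An added illustration, not part of the issue or of ingress-nginx's code: how a backend behind SSL passthrough would read a PROXY protocol v1 header to recover the client IP before the TLS handshake begins, accepting it only from a trusted proxy because the header is plain text that any direct client could forge. The function names, the 10.0.0.0/8 trusted range and the sample bytes are assumptions made for this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

var errBadHeader = errors.New("malformed PROXY v1 header")

// readProxyV1 consumes one PROXY v1 line (at most 107 bytes with its CRLF) and returns
// the declared client address (nil for UNKNOWN). The TLS bytes after it stay in r.
func readProxyV1(r *bufio.Reader) (*net.TCPAddr, error) {
	line, err := r.ReadSlice('\n')
	if err != nil || len(line) > 107 || !strings.HasSuffix(string(line), "\r\n") {
		return nil, errBadHeader
	}
	f := strings.Split(strings.TrimSuffix(string(line), "\r\n"), " ")
	switch {
	case len(f) >= 2 && f[0] == "PROXY" && f[1] == "UNKNOWN":
		return nil, nil
	case len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6"):
		return nil, errBadHeader
	}
	ip := net.ParseIP(f[2])
	port, perr := strconv.ParseUint(f[4], 10, 16)
	// The address family must match the declared protocol.
	if ip == nil || perr != nil || (ip.To4() != nil) != (f[1] == "TCP4") {
		return nil, errBadHeader
	}
	return &net.TCPAddr{IP: ip, Port: int(port)}, nil
}

// clientAddr accepts the header only when the TCP peer is a trusted proxy:
// any other peer could put an arbitrary source address in it.
func clientAddr(peer net.IP, trusted *net.IPNet, r *bufio.Reader) (*net.TCPAddr, error) {
	if !trusted.Contains(peer) {
		return nil, fmt.Errorf("peer %s is not a trusted proxy", peer)
	}
	return readProxyV1(r)
}

func main() { // constructed sample: a v1 header, then the start of a TLS record
	r := bufio.NewReader(strings.NewReader("PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n\x16\x03\x01"))
	_, pods, _ := net.ParseCIDR("10.0.0.0/8")
	fmt.Println(clientAddr(net.ParseIP("10.0.0.9"), pods, r))
}
```

A connection that starts directly with a TLS record, which is what the issue reports receiving, fails the header check instead of being treated as a client address.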