For more information, see the following resources.

Before you begin

  1. Set up Gloo Mesh Gateway in a single cluster.
  2. Install Bookinfo and other sample apps.
  3. Configure an HTTP listener on your gateway and set up basic routing for the sample apps.

Configure proxy protocol policies

You can apply a proxy protocol policy at the listener level. For more information, see Applying policies.

Review the following sample configuration file.

apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: ProxyProtocolPolicy
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: haproxy-policy
  namespace: bookinfo
spec:
  applyToListeners:
  - port:
      number: 443
    virtualGateway:
      cluster: cluster-1
      name: istio-ingressgateway
      namespace: bookinfo
  config:
    enableProxyProtocol: true
  

Review the following table to understand this configuration. For more information, see the API docs.

| Setting | Description |
| --- | --- |
| spec.applyToListeners | The gateway listener that you want to apply this policy to. To select a gateway listener, you must reference the Gloo virtual gateway and the port number that the listener was configured for. To learn more about gateway listeners, see Listener overview. If you do not specify a valid listener, the policy has no effect. |
| spec.config.enableProxyProtocol | To enable the proxy protocol, set to true. When enabled, traffic that goes through the selected listeners preserves connection information such as the client IP address. |

Verify proxy protocol policies

  1. Send a request to the ratings app. The request succeeds, but you do not have any PROXY TCP4 information about the originating client IP address.

    Example output:

    * Added www.example.com:443:35.xxx.xxx.xx1 to DNS cache
    * Hostname www.example.com was found in DNS cache
    *   Trying 35.xxx.xxx.xx1...
    * TCP_NODELAY set
    * Connected to www.example.com (35.xxx.xxx.xx1) port 443 (#0)
    * ALPN, offering h2
    ...
      
  2. To send the client IP address as a header in the request, you can include the --haproxy-protocol flag. However, you get an error because proxy protocol is not yet enabled.

    Example output:

      curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.example.com:443 
      
  3. Apply the proxy protocol policy to the ingress gateway in your cluster.

    kubectl apply -f- <<EOF
    apiVersion: trafficcontrol.policy.gloo.solo.io/v2
    kind: ProxyProtocolPolicy
    metadata:
      annotations:
        cluster.solo.io/cluster: ""
      name: haproxy-policy
      namespace: bookinfo
    spec:
      applyToListeners:
      - port:
          number: 443
        virtualGateway:
          cluster: cluster-1
          name: istio-ingressgateway
          namespace: bookinfo
      config:
        enableProxyProtocol: true
    EOF
      
  4. Send the request again with the --haproxy-protocol flag. This time, you see the PROXY TCP4 information with the original client IP address, such as 192.xxx.x.xx in the following example.

    Example output:

    * Added www.example.com:443:35.xxx.xxx.xx1 to DNS cache
    * Hostname www.example.com was found in DNS cache
    *   Trying 35.xxx.xxx.xx1...
    * TCP_NODELAY set
    * Connected to www.example.com (35.xxx.xxx.xx1) port 443 (#0)
    > PROXY TCP4 192.xxx.x.xx 35.xxx.xxx.xx1 65273 443
    * ALPN, offering h2
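
The `PROXY TCP4 ...` line in step 4 is a version 1 PROXY protocol header, a single text line that curl sends ahead of the TLS handshake. A listener without the policy expects a TLS record as the first bytes, which is why step 2 fails. The following Python sketch is an added example, not code from Gloo Mesh Gateway or Envoy. It parses such a header strictly, following the HAProxy PROXY protocol v1 rules. The function names and the sample bytes are assumptions made for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header, CRLF included, per the HAProxy spec

def classify_first_bytes(data: bytes) -> str:
    """Name what a listener sees at the start of a new connection."""
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"  # TLS record type 22, major version 3
    return "other"

def _port(text: str) -> int:
    if not text.isdigit() or (len(text) > 1 and text[0] == "0") or int(text) > 65535:
        raise ValueError(f"bad port: {text!r}")
    return int(text)

def parse_proxy_v1(data: bytes):
    """Return (connection info dict, bytes that follow the header)."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("no CRLF within the first 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("not a PROXY v1 header")
    if fields[1] == "UNKNOWN":  # receiver ignores the remainder of the line
        return {"proto": "UNKNOWN"}, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol field")
    info = {"proto": fields[1], "src": str(src), "dst": str(dst),
            "src_port": _port(fields[4]), "dst_port": _port(fields[5])}
    return info, rest

# Constructed sample: the header shape from step 4, with documentation-range
# addresses in place of the masked ones, followed by a TLS record prefix.
SAMPLE = b"PROXY TCP4 192.0.2.10 203.0.113.7 65273 443\r\n" + b"\x16\x03\x01"

if __name__ == "__main__":
    info, rest = parse_proxy_v1(SAMPLE)
    print(classify_first_bytes(SAMPLE), info, classify_first_bytes(rest))
```

The receiver takes the addresses in the header at face value, so a listener with the policy enabled should only be reachable from the load balancer or proxy that writes the header.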

Cleanup

You can optionally remove the resources that you set up as part of this guide.

  kubectl delete ProxyProtocolPolicy haproxy-policy -n bookinfo