Proxy protocol
Preserve connection information such as the client IP address for traffic that goes through your gateway listener.
For more information, see the following resources.
If you import or export resources across workspaces, your policies might not apply. For more information, see Import and export policies.
Before you begin
This guide assumes that you use the same names for components like clusters, workspaces, and namespaces as in the getting started. If you have different names, make sure to update the sample configuration files in this guide.
- Set up Gloo Mesh Gateway in a single cluster.
- Install Bookinfo and other sample apps.
- Configure an HTTP listener on your gateway and set up basic routing for the sample apps.
Configure proxy protocol policies
You can apply a proxy protocol policy at the listener level. For more information, see Applying policies.
Review the following sample configuration file.
```yaml
apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: ProxyProtocolPolicy
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: haproxy-policy
  namespace: bookinfo
spec:
  applyToListeners:
  - port:
      number: 443
    virtualGateway:
      cluster: cluster-1
      name: istio-ingressgateway
      namespace: bookinfo
  config:
    enableProxyProtocol: true
```
Review the following table to understand this configuration. For more information, see the API docs.
Setting | Description |
---|---|
spec.applyToListeners | The gateway listener that you want to apply this policy to. To select a gateway listener, you must reference the Gloo virtual gateway and the port number that the listener was configured for. To learn more about gateway listeners, see Listener overview. If you do not specify a valid listener, the policy has no effect. |
spec.config.enabledProxyProtocol | To enable the proxy protocol, set to `true`. Now, traffic that goes through the selected listeners preserves connection information such as the client IP address. |
Verify proxy protocol policies
Send a request to the ratings app. The request succeeds, but you do not have any `PROXY TCP4` information about the originating client IP address.

Example output:

```
* Added www.example.com:443:35.xxx.xxx.xx1 to DNS cache
* Hostname www.example.com was found in DNS cache
* Trying 35.xxx.xxx.xx1...
* TCP_NODELAY set
* Connected to www.example.com (35.xxx.xxx.xx1) port 443 (#0)
* ALPN, offering h2
...
```

To send the client IP address as a header in the request, you can include the `--haproxy-protocol` flag. However, you get an error because proxy protocol is not yet enabled.

Example output:

```
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.example.com:443
```
Apply the proxy protocol policy to the ingress gateway in your cluster.
```sh
kubectl apply -f- <<EOF
apiVersion: trafficcontrol.policy.gloo.solo.io/v2
kind: ProxyProtocolPolicy
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: haproxy-policy
  namespace: bookinfo
spec:
  applyToListeners:
  - port:
      number: 443
    virtualGateway:
      cluster: cluster-1
      name: istio-ingressgateway
      namespace: bookinfo
  config:
    enableProxyProtocol: true
EOF
```
Send the request again with the `--haproxy-protocol` flag. This time, you see the `PROXY TCP4` information with the original client IP address, such as `192.xxx.x.xx` in the following example.

Example output:

```
* Added www.example.com:443:35.xxx.xxx.xx1 to DNS cache
* Hostname www.example.com was found in DNS cache
* Trying 35.xxx.xxx.xx1...
* TCP_NODELAY set
* Connected to www.example.com (35.xxx.xxx.xx1) port 443 (#0)
> PROXY TCP4 192.xxx.x.xx 35.xxx.xxx.xx1 65273 443
* ALPN, offering h2
```
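The `PROXY TCP4` line in this output is a PROXY protocol version 1 header, which the client writes to the connection before the TLS handshake starts. The following Python parser is an added example, not code from this guide or from Gloo Mesh Gateway, that shows the fields in that line and the strict checks a receiver can apply before trusting the client address; the function name, error class, and sample addresses are constructed for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header allowed by the spec, CRLF included

# Constructed sample: a v1 header followed by the first bytes of a TLS record.
SAMPLE = b"PROXY TCP4 192.0.2.10 203.0.113.7 65273 443\r\n\x16\x03\x01"


class ProxyHeaderError(ValueError):
    """Raised when the stream does not start with a valid v1 header."""


def parse_proxy_v1(data: bytes):
    """Return (info, rest): info is a dict, or None for 'PROXY UNKNOWN'."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    line, rest = data[:end], data[end + 2:]
    try:
        fields = line.decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("header is not ASCII") from None
    if fields[0] != "PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None, rest  # sender could not describe the connection
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("expected: PROXY TCP4|TCP6 src dst sport dport")
    family = 4 if fields[1] == "TCP4" else 6
    try:
        src, dst = (ipaddress.ip_address(a) for a in fields[2:4])
    except ValueError:
        raise ProxyHeaderError("invalid IP address") from None
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address family does not match protocol field")
    # isdigit() first: int() alone would accept "+443" or "4_43".
    if not all(p.isdigit() for p in fields[4:6]):
        raise ProxyHeaderError("port is not a decimal number")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ProxyHeaderError("port out of range")
    return {"src": str(src), "sport": sport, "dst": str(dst), "dport": dport}, rest


if __name__ == "__main__":
    print(parse_proxy_v1(SAMPLE))
```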
Cleanup
You can optionally remove the resources that you set up as part of this guide.
```sh
kubectl delete ProxyProtocolPolicy haproxy-policy -n bookinfo
```