Support for HTTPS over PROXYv2 protocol

Igor requested to merge proxyv2 into master

This patch adds PROXYv2 protocol support. This allows us to propagate the original client IP address through HAProxy's TCP proxy. That gives us source IP addresses in our logs, which allows us to properly diagnose shifts in traffic.

See #180 (closed) for more details.

Sample HAProxy config:

global
    log stdout  format raw  local0  info

defaults
    timeout connect 10s
    timeout client 30s
    timeout server 30s
    log global
    option tcplog

frontend fe
    bind 127.0.0.1:12340
    mode tcp
    default_backend be

backend be
    mode tcp
    server app1 127.0.0.1:1234 send-proxy-v2

Start HAProxy with:

$ haproxy -f haproxy.cfg

Generating certs for localhost: https://gist.github.com/cecilemuller/9492b848eb8fe46d462abeb26656c4f8.

Sample server invocation:

$ ./gitlab-pages -log-format=json -listen-https-proxyv2=127.0.0.1:1234 -root-cert=$(pwd)/localhost.crt -root-key=$(pwd)/localhost.key

Sample client invocation:

$ curl -v https://localhost:12340/ --cacert ~/code/gitlab-pages/RootCA.crt

refs https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/11902

Edited by Igor
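
For reference, the header that `send-proxy-v2` prepends to each connection in the setup above can be decoded as follows. This is an added example, not code from this merge request or from gitlab-pages; `ParseProxyV2` and `sampleHeader` are hypothetical names and the sample bytes are constructed. The header is unauthenticated, so a listener that parses it should be reachable only from the proxy.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// sigV2 is the fixed 12-byte signature that opens every PROXY v2 header.
var sigV2 = []byte("\r\n\r\n\x00\r\nQUIT\n")

// ParseProxyV2 returns the client address carried in the header at the start of
// buf and the header length n (TLS begins at buf[n:]); zero AddrPort if no IP.
func ParseProxyV2(buf []byte) (src netip.AddrPort, n int, err error) {
	if len(buf) < 16 || !bytes.Equal(buf[:12], sigV2) {
		return src, 0, errors.New("missing PROXY v2 signature")
	}
	if buf[12]>>4 != 2 || buf[12]&0x0f > 1 {
		return src, 0, errors.New("bad version or command")
	}
	n = 16 + int(binary.BigEndian.Uint16(buf[14:16]))
	if len(buf) < n {
		return src, 0, errors.New("truncated header")
	}
	alen := map[byte]int{1: 4, 2: 16}[buf[13]>>4] // AF_INET, AF_INET6
	if buf[12]&0x0f == 0 || alen == 0 {
		return src, n, nil // LOCAL (health check) or no IP address present
	}
	if n-16 < 2*alen+4 {
		return src, 0, errors.New("address block too short")
	}
	addr, _ := netip.AddrFromSlice(buf[16 : 16+alen])
	port := binary.BigEndian.Uint16(buf[16+2*alen:])
	return netip.AddrPortFrom(addr, port), n, nil
}

// sampleHeader builds a constructed header: TCP over IPv4,
// 203.0.113.7:51234 -> 127.0.0.1:1234 (documentation-range client address).
func sampleHeader() []byte {
	return append(append([]byte{}, sigV2...), 0x21, 0x11, 0x00, 0x0c,
		203, 0, 113, 7, 127, 0, 0, 1, 0xc8, 0x22, 0x04, 0xd2)
}

func main() {
	src, n, err := ParseProxyV2(append(sampleHeader(), 0x16, 0x03, 0x01))
	fmt.Println(src, n, err)
}
```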
