Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable PROXY protocol for specific CIDRs in HAProxy #711

Merged
merged 33 commits into from
Oct 2, 2024
Merged
Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
33 commits
Select commit Hold shift + click to select a range
624d8bb
Add property and validation
Dariquest Sep 9, 2024
a3e0658
Property spec description
Dariquest Sep 9, 2024
2cf95e1
Adjust haproxy config to read the cidr list from a file
Dariquest Sep 9, 2024
5f02a92
Correct file name to be conform with other lists
Dariquest Sep 9, 2024
7529ab6
Correct desc and default value
Dariquest Sep 9, 2024
352f0c2
Correct desc and default value
Dariquest Sep 9, 2024
8e6b8cc
Spec and templates
Dariquest Sep 9, 2024
36ab94c
Spec extension
Dariquest Sep 10, 2024
fb72417
IPv6 addresses from the doc space
Dariquest Sep 10, 2024
a8f1e90
IPv6 addresses from the doc space
Dariquest Sep 10, 2024
ae21bf9
Property validation
Dariquest Sep 10, 2024
0620360
unit test for proxies_cidr.txt.erb
Mrizwanshaik Sep 10, 2024
a265106
First acceptance test & remove the AWS IPs
Dariquest Sep 10, 2024
88aed5b
frontend tests
Dariquest Sep 11, 2024
fc656e1
implement ruby spec tests
Mrizwanshaik Sep 12, 2024
f283e58
implement ruby spec tests
Dariquest Sep 13, 2024
3a3c165
implement ruby spec tests
Dariquest Sep 13, 2024
6c92038
implement ruby spec tests
Dariquest Sep 13, 2024
9c1df9f
add acceptance test for expect_proxy protocol
Mrizwanshaik Sep 20, 2024
5cddacc
fix: proxy_protocol_test.go
a18e Sep 24, 2024
75c4f38
Unnecessary changes
Dariquest Sep 24, 2024
9116297
Revert unnecessary changes
Dariquest Sep 24, 2024
160c7de
Add new line
Dariquest Sep 24, 2024
0592c43
fix linter errors
a18e Sep 25, 2024
ffa1156
improve test comments
a18e Sep 25, 2024
cef5323
Rename expect_proxy to expect_proxy_cidrs
Dariquest Sep 25, 2024
c09f269
Rename expect_proxy to expect_proxy_cidrs
Dariquest Sep 25, 2024
e9658d9
Rename expect_proxy to expect_proxy_cidrs
Dariquest Sep 25, 2024
a373c25
fix: expect proxy protocol also for health check
a18e Sep 25, 2024
26ac7ad
fix: indentation
a18e Sep 27, 2024
4906e2d
Changed the unit test to change expectation
Dariquest Oct 1, 2024
ce6929c
One more unit test and correct config
Dariquest Oct 1, 2024
b30b5a1
Extend spec description
Dariquest Oct 2, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions jobs/haproxy/spec
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ templates:
client-revocation-list.erb: config/client-revocation-list.pem
blacklist_cidrs.txt.erb: config/blacklist_cidrs.txt
whitelist_cidrs.txt.erb: config/whitelist_cidrs.txt
proxies_cidrs.txt.erb: config/proxies_cidrs.txt
trusted_domain_cidrs.txt.erb: config/trusted_domain_cidrs.txt

consumes:
Expand Down Expand Up @@ -553,6 +554,9 @@ properties:
ha_proxy.accept_proxy:
description: "Turned off by default. Enforces the use of the PROXY protocol for all incoming connections to all frontends, with the exception of local requests to the health check endpoint, since Monit does not support PROXY protocol. When enabled, standard TCP connections to these ports no longer work."
default: false
ha_proxy.expect_proxy:
description: "Enables proxy protocol for the specified list of CIDR ranges. Only applies if `ha_proxy.accept_proxy` is disabled."
default: ""
Dariquest marked this conversation as resolved.
Show resolved Hide resolved
ha_proxy.disable_tcp_accept_proxy:
description: "Disables the PROXY protocol on tcp backends. Only applies if `ha_proxy.accept_proxy` is enabled."
default: false
Expand Down Expand Up @@ -580,6 +584,13 @@ properties:
cidr_whitelist:
- 172.168.4.1/32
- 10.2.0.0/16
ha_proxy.cidr_proxies:
Dariquest marked this conversation as resolved.
Show resolved Hide resolved
description: "List of CIDRs to enable proxy protocol for. This enables forwarding of the client source IP for hyperscalers not supporting IP dual stack (v4 & v6)"
default: ~
example:
cidr_proxies:
- 10.0.1.32/27
- 2600:1f18:4c0b:3207::/64
ha_proxy.block_all:
description: "Optionally block all incoming traffic to http(s). Use in conjunction with whitelist."
default: false
Expand Down
12 changes: 12 additions & 0 deletions jobs/haproxy/templates/haproxy.config.erb
Original file line number Diff line number Diff line change
Expand Up @@ -169,6 +169,9 @@ end
# }}}

# Error checking
if !p("ha_proxy.accept_proxy", true) && p("ha_proxy.expect_proxy", true)
Dariquest marked this conversation as resolved.
Show resolved Hide resolved
abort "Conflicting configuration: accept_proxy and expect_proxy are mutually exclusive"
end
if !p("ha_proxy.drain_enable", false) && p("ha_proxy.drain_frontend_grace_time") > 0
abort "Conflicting configuration: drain_enable must be true to use drain_frontend_grace_time"
end
Expand Down Expand Up @@ -366,6 +369,15 @@ listen health_check_http_url
monitor fail if http-routers_down
<% end -%>

<%- if_p("ha_proxy.expect_proxy") do -%>
acl proxies src -f /var/vcap/jobs/haproxy/config/proxies_cidrs.txt
tcp-request content accept if proxies
<%- end -%>

<% if p("ha_proxy.expect_proxy") -%>
tcp-request connection expect-proxy layer4 if { src -f /var/vcap/jobs/haproxy/config/proxies_cidrs.txt }
<%- end -%>

<% if_p("ha_proxy.resolvers") do |resolvers| -%>
resolvers default
hold valid <%= p("ha_proxy.dns_hold") %>
Expand Down
21 changes: 21 additions & 0 deletions jobs/haproxy/templates/proxies_cidrs.txt.erb
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# generated from proxies_cidrs.txt.erb
<%
require "base64"
peanball marked this conversation as resolved.
Show resolved Hide resolved
require 'zlib'
require 'stringio'

if_p("ha_proxy.expect_proxy") do |cidrs|
uncompressed = ''
if cidrs.is_a?(Array)
uncompressed << "\# detected cidrs provided as array in cleartext format\n"
cidrs.each do |cidr|
uncompressed << cidr << "\n"
end
end
%>
# BEGIN proxies cidrs
<%= uncompressed %>
# END proxies cidrs
<%
end
%>
52 changes: 52 additions & 0 deletions spec/haproxy/templates/proxies_cidrs.txt_spec.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
# frozen_string_literal: true

require 'rspec'

describe 'config/proxies_cidrs.txt' do
let(:template) { haproxy_job.template('config/proxies_cidrs.txt') }

describe 'ha_proxy.proxies_cidrs' do
context 'when a space-separated list of cidrs is provided' do
it 'has the correct contents' do
expect(template.render({
'ha_proxy' => {
'proxies_cidrs' => '10.0.1.32/27
2600:1f18:4c0b:3207::/64
}
})).to eq(<<~EXPECTED)
# generated from proxies_cidrs.txt.erb

# BEGIN proxies cidrs
10.0.1.32/27
2600:1f18:4c0b:3207::/64
# END proxies cidrs

EXPECTED
end
end

context 'when a newline-separated, gzipped, base64-encoded list of cidrs is provided' do
it 'has the correct contents' do
expect(template.render({
'ha_proxy' => {
'proxies_cidrs' => gzip_and_b64_encode("10.0.1.32/27\n2600:1f18:4c0b:3207::/64")
}
})).to eq(<<~EXPECTED)
# generated from proxies_cidrs.txt.erb

# BEGIN proxies cidrs
10.0.1.32/27
2600:1f18:4c0b:3207::/64
Dariquest marked this conversation as resolved.
Show resolved Hide resolved
# END proxies cidrs

EXPECTED
end
end

context 'when ha_proxy.proxies_cidrs is not provided' do
it 'is empty' do
expect(template.render({})).to be_a_blank_string
end
end
end
end