[ 
https://issues.apache.org/jira/browse/ARTEMIS-3915?focusedWorklogId=982803&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-982803
 ]

ASF GitHub Bot logged work on ARTEMIS-3915:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 11/Sep/25 16:11
            Start Date: 11/Sep/25 16:11
    Worklog Time Spent: 10m 
      Work Description: gemmellr commented on code in PR #5908:
URL: https://github.com/apache/activemq-artemis/pull/5908#discussion_r2341226363


##########
docs/user-manual/proxy-protocol.adoc:
##########
@@ -0,0 +1,59 @@
+= PROXY Protocol
+:idprefix:
+:idseparator: -
+:docinfo: shared
+
+As noted in the official 
https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt[PROXY 
Protocol documentation]:
+
+[quote,]
+____
+The PROXY protocol provides a convenient way to safely transport connection 
information such as a client's address across multiple layers of NAT or TCP 
proxies.
+____
+
+This essentially allows the broker to know a client's IP address even when the 
connection is established through reverse proxy that supports the PROXY 
protocol (e.g. HAProxy, nginx, etc.).
+Without PROXY protocol support the broker would see such client connections as 
coming from the proxy itself which can be misleading for administrators and 
complicate trouble-shooting.
+
+Both versions 1 & 2 of the PROXY Protocol are supported.
+
+Any of our supported messaging protocols can be used in combination with the 
PROXY protocol with or without TLS.
+
+== Configuration
+
+Support for the PROXY Protocol is configured on a per-acceptor basis using the 
`proxyProtocolEnabled` parameter, e.g.:
+
+[,xml]
+----
+<acceptor 
name="proxy-artemis">tcp://0.0.0.0:61616?proxyProtocolEnabled=true</acceptor>
+----
+
+[NOTE]
+.Why can't PROXY Protocol detection be automatic?
+====
+Support for the PROXY Protocol must be explicitly configured due to security 
reasons.
+As noted in the official 
https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt[PROXY 
Protocol documentation]:
+
+[quote,]
+____
+The receiver MUST be configured to only receive the protocol described in this 
specification and MUST not try to guess whether the protocol header is present 
or not.
+This means that the protocol explicitly prevents port sharing between public 
and private access.
+Otherwise it would open a major security breach by allowing untrusted parties 
to spoof their connection addresses.
+The receiver SHOULD ensure proper access filtering so that only trusted 
proxies are allowed to use this protocol.
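
Review bot: The Configuration example binds the PROXY-enabled acceptor to `0.0.0.0:61616` and says nothing about who may reach it, while the spec text quoted in the NOTE says only trusted proxies should be allowed to use the protocol and that port sharing between public and private access is prevented. Suggest adding a sentence next to the example stating that an acceptor with `proxyProtocolEnabled=true` should be reachable only from the trusted proxies (for example through network-level filtering), and that clients connecting directly need a separate acceptor without the parameter, since the quoted text notes that untrusted parties could otherwise spoof their connection addresses. Minor: in the introduction, "established through reverse proxy" is missing an article ("through a reverse proxy").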

Review Comment:
   Possibly worth adding something to the sentence below stressing the last 
element too when enabling it?





Issue Time Tracking
-------------------

    Worklog Id:     (was: 982803)
    Time Spent: 7h 20m  (was: 7h 10m)

> Support PROXY Protocol
> ----------------------
>
>                 Key: ARTEMIS-3915
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3915
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: Broker
>            Reporter: João Santos
>            Assignee: Justin Bertram
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 7h 20m
>  Remaining Estimate: 0h
>
> [HAProxy|http://www.haproxy.org/] is a widely known and used TCP Load 
> Balancer and especially useful for an ActiveMQ Artemis clustered environment.
> Although possible to functionally implement with both products' current 
> features, Artemis does not support the PROXY protocol, which prevents its 
> broker nodes from inferring the real remote client IP address when behind an 
> HAProxy instance.
> Since Netty sockets implementation already seems to support this protocol 
> (discussed w/ [~jbertram] on DEV mailing list), it shouldn't be a big leap to 
> adding support for the protocol on Artemis acceptors, thus improving the 
> deployment of the use case at hand.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
