nic-6443 commented on code in PR #13561: URL: https://github.com/apache/apisix/pull/13561#discussion_r3418100028
########## docs/en/latest/stream-proxy.md: ########## 
@@ -241,3 +241,39 @@ curl http://127.0.0.1:9180/apisix/admin/stream_routes/1 -H "X-API-KEY: $admin_ke By setting the `scheme` to `tls`, APISIX will do TLS handshake with the upstream. When the client is also speaking TLS over TCP, the SNI from the client will pass through to the upstream. Otherwise, a dummy SNI `apisix_backend` will be used. + +## PROXY protocol + +APISIX can accept the [PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) on TCP stream ports and forward it to the upstream. + +The `apisix.proxy_protocol` options set the default for **all** TCP stream ports: + +```yaml +apisix: + proxy_protocol: + enable_tcp_pp: true # accept the PROXY protocol from the client + enable_tcp_pp_to_upstream: true # send the PROXY protocol to the upstream + proxy_mode: http&stream + stream_proxy: + tcp: + - 9100 + - 9101 +``` + +To control the PROXY protocol per port, set `proxy_protocol` and/or `proxy_protocol_to_upstream` on a `stream_proxy.tcp` entry. The per-port value overrides the global default for that port: + +```yaml +apisix: + proxy_protocol: + enable_tcp_pp: true # default for ports that don't set `proxy_protocol` + proxy_mode: http&stream + stream_proxy: + tcp: + - addr: 9100 # accepts the PROXY protocol (inherits the global default) + - addr: 9101 + proxy_protocol: false # opt this port out of accepting the PROXY protocol + - addr: 9102 + proxy_protocol_to_upstream: true # also send the PROXY protocol to the upstream +``` + +The accept side (`proxy_protocol`) is a per-listen directive, so ports with different settings can share one listener. The upstream side (`proxy_protocol_to_upstream`) is a server-level directive, so APISIX renders ports that send the PROXY protocol upstream into a separate `server` block. Review Comment: Good catch — added a sentence to both the English and Chinese docs noting that UDP listens never send the PROXY protocol upstream and always stay in the plain `server` block. Done in f0c4e71. 
########## docs/zh/latest/stream-proxy.md: ########## @@ -232,3 +232,39 @@ curl http://127.0.0.1:9180/apisix/admin/stream_routes/1 -H "X-API-KEY: $admin_ke 通过设置 `scheme` 为 `tls`,APISIX 将与上游进行 TLS 握手。 当客户端也使用基于 TCP 的 TLS 上游时,客户端发送的 SNI 将传递给上游。否则,将使用一个假的 SNI `apisix_backend`。 + +## PROXY 协议 + +APISIX 可以在 TCP stream 端口上接收 [PROXY 协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt),并将其转发给上游。 + +`apisix.proxy_protocol` 选项为**所有** TCP stream 端口设置默认值: + +```yaml +apisix: + proxy_protocol: + enable_tcp_pp: true # 接收来自客户端的 PROXY 协议 + enable_tcp_pp_to_upstream: true # 向上游发送 PROXY 协议 + proxy_mode: http&stream + stream_proxy: + tcp: + - 9100 + - 9101 +``` + +如需按端口控制 PROXY 协议,可在 `stream_proxy.tcp` 条目上设置 `proxy_protocol` 和/或 `proxy_protocol_to_upstream`。端口级别的设置会覆盖该端口的全局默认值: + +```yaml +apisix: + proxy_protocol: + enable_tcp_pp: true # 未设置 `proxy_protocol` 的端口的默认值 + proxy_mode: http&stream + stream_proxy: + tcp: + - addr: 9100 # 接收 PROXY 协议(继承全局默认值) + - addr: 9101 + proxy_protocol: false # 该端口不接收 PROXY 协议 + - addr: 9102 + proxy_protocol_to_upstream: true # 该端口同时向上游发送 PROXY 协议 +``` + +接收侧(`proxy_protocol`)是 listen 级别的指令,因此设置不同的端口可以共用一个监听块。上游侧(`proxy_protocol_to_upstream`)是 server 级别的指令,因此 APISIX 会把向上游发送 PROXY 协议的端口渲染到单独的 `server` 块中。 Review Comment: Good catch — added a sentence to both the English and Chinese docs noting that UDP listens never send the PROXY protocol upstream and always stay in the plain `server` block. Done in f0c4e71.
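Review bot: the new `## PROXY protocol` section in docs/en/latest/stream-proxy.md presents `enable_tcp_pp: true` as the default for all TCP stream ports without saying which peers should be able to reach those ports. The PROXY protocol header is not authenticated, so whatever connects to an accepting port gets to declare the client address that APISIX will see. Suggest adding a sentence after the first YAML example stating that ports accepting the PROXY protocol should only be reachable from trusted proxies or load balancers, and pointing readers to the per-port `proxy_protocol: false` opt-out shown in the second example for ports exposed directly to clients.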
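Review bot: in docs/zh/latest/stream-proxy.md, the closing paragraph says ports with different accept settings can share one "监听块", while the English paragraph it mirrors says "one listener" and the very next sentence in both files refers to a separate `server` block. Because the paragraph describes `proxy_protocol` as a listen-level directive and `proxy_protocol_to_upstream` as a server-level one, the unit being shared is the `server` block. Suggest writing "`server` 块" in the first sentence here, and "one `server` block" in the English file, so both sentences name the same thing.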
