Re: RE: haproxy tcp mode source ip

2018-02-26 Thread mingbei...@baifendian.com
Hi:
This method gets the string after send_netns, rather than getting the 
user's IP address. Thank you.



mingbei...@baifendian.com
徐铭贝
Assistant Data Warehouse Engineer, Platform Business Department
Mobile: +86-15801118167
E-mail: mingbei...@baifendian.com
BAIFENDIAN.COM - Big Data Practitioner
16F, Tower A, Beichen Century Center, Building 2, No. 8 Beichen West Road, Chaoyang District, Beijing

 
From: Tom Maher
Date: 2018-02-26 20:07
To: mingbei...@baifendian.com; Aaron West
CC: Wang Bin; haproxy
Subject: RE: Re: haproxy tcp mode source ip
We had a similar requirement. We developed a patch (on 1.8.3) that allows the 
Proxy Protocol TLV PP2_TYPE_NETNS to be configured as part of a bind with a 
“send_netns ”, e.g.:
frontend cfe
bind 192.168.1.20:3128 send_netns 1
mode tcp
 
See below an example capture of the Proxy Protocol v2 with PP2_TYPE_NETNS set 
using send_netns 1:
 
We decided to re-use PP2_TYPE_NETNS as it served our purpose reasonably well, 
noting that  is a string. 
 
Below is the 1.8.3 patch. If there is general interest, happy to create a patch 
according to guidelines in “HOW TO GET YOUR CODE ACCEPTED IN HAPROXY” and 
submit to the maintainers.
 
+++ connection.h2018-01-12 12:35:38.0 +
@@ -388,6 +388,7 @@
int (*xprt_done_cb)(struct connection *conn);  /* callback to notify of 
end of handshake */
void (*destroy_cb)(struct connection *conn);  /* callback to notify of 
imminent death of the connection */
const struct netns_entry *proxy_netns;
+   char *send_netns;  /* copied from listen */
struct {
struct sockaddr_storage from;   /* client address, or address 
to spoof when connecting to the server */
struct sockaddr_storage to; /* address reached by the 
client, or address to connect to */
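Review bot: `char *send_netns` in struct connection is only ever assigned the listener's pointer (the session.c hunk does `cli_conn->send_netns = l->send_netns;`), so the connection does not own this string; declare it `const char *send_netns;` and replace the `/* copied from listen */` comment with one that says the pointer is borrowed from the listener and must not be freed with the connection, so nobody later adds a free() in the destroy path. Also, the `--- ../../../haproxy-1.8.3/include/types/connection.h` header for this hunk sits at the very end of the patch instead of directly above `+++ connection.h`, so the patch will not apply as posted; move it up.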
--- ../../../haproxy-1.8.3/include/types/listener.h   2017-12-30 
17:13:19.0 +
+++ listener.h  2018-01-12 12:27:22.0 +
@@ -206,6 +206,7 @@
__decl_hathreads(HA_SPINLOCK_T lock);
 
const struct netns_entry *netns; /* network namespace of the listener*/
+   char *send_netns;  /* value for PP2_TYPE_NETNS */
 
struct list by_fe;  /* chaining in frontend's list of 
listeners */
struct list by_bind;/* chaining in bind_conf's list of 
listeners */
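Review bot: the new listener field is strdup()'d per listener in bind_parse_send_netns, but nothing in this patch releases it, so listeners that are removed or re-parsed leak the string; free it wherever the listener's other per-listener allocations are released, or state in the comment that it is intentionally kept for the process lifetime. The comment `/* value for PP2_TYPE_NETNS */` should also say it is an arbitrary string chosen by the administrator, not a namespace handle, since it sits right under `const struct netns_entry *netns` and the two are easy to confuse.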
--- ../../haproxy-1.8.3/src/connection.c  2017-12-30 17:13:19.0 
+
+++ connection.c2018-01-12 12:58:38.0 +
@@ -1083,6 +1083,11 @@
ret += make_tlv(&buf[ret], (buf_len - ret), PP2_TYPE_NETNS, 
remote->proxy_netns->name_len, remote->proxy_netns->node.key);
}
#endif
+   if (remote && (remote->send_netns)) {
+   if ((buf_len - ret) < sizeof(struct tlv))
+   return 0;
+   ret += make_tlv(&buf[ret], (buf_len - ret), PP2_TYPE_NETNS, 
strlen(remote->send_netns), remote->send_netns);
+   }
 
hdr->len = htons((uint16_t)(ret - PP2_HEADER_LEN));
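Review bot: the guard `if ((buf_len - ret) < sizeof(struct tlv)) return 0;` only guarantees room for the 3-byte TLV header, while make_tlv is then asked to append `strlen(remote->send_netns)` bytes of value; check `sizeof(struct tlv) + strlen(remote->send_netns)` (and cap the value at what the 16-bit TLV length can carry) before calling it, otherwise the TLV is dropped or truncated depending on how make_tlv handles a short destination, and the peer sees a header without the value it expected. Separately, on a CONFIG_HAP_NS build with both `namespace` and `send_netns` on the same bind, this block writes a second PP2_TYPE_NETNS TLV right after the one written from `remote->proxy_netns` above it; make one take precedence (an `else if` on this branch) or document which of the two values a receiver should trust.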
 
--- ../../haproxy-1.8.3-casquette/src/proto_tcp.c   2017-12-30 
17:13:19.0 +
+++ proto_tcp.c 2018-01-12 12:31:29.0 +
@@ -1906,6 +1906,24 @@
}
#endif
 
+/* parse the "send_netns" bind keyword */
+static int bind_parse_send_netns(char **args, int cur_arg, struct proxy *px, 
struct bind_conf *conf, char **err)
+{
+   struct listener *l;
+   char *netns = NULL;
+
+   if (!*args[cur_arg + 1]) {
+   memprintf(err, "'%s' : missing namespace id", args[cur_arg]);
+   return ERR_ALERT | ERR_FATAL;
+   }
+   netns = args[cur_arg + 1];
+
+   list_for_each_entry(l, &conf->listeners, by_bind) {
+   l->send_netns = strdup(netns);
+   }
+   return 0;
+}
+
#ifdef TCP_USER_TIMEOUT
/* parse the "tcp-ut" server keyword */
static int srv_parse_tcp_ut(char **args, int *cur_arg, struct proxy *px, struct 
server *newsrv, char **err)
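Review bot: `l->send_netns = strdup(netns);` neither checks for NULL nor frees a previous value, so a bind line that repeats `send_netns` leaks the first string and an allocation failure is silently stored as "not configured" (connection.c skips the TLV when the pointer is NULL). Suggest `free(l->send_netns); l->send_netns = strdup(netns); if (!l->send_netns) { memprintf(err, "'%s' : out of memory", args[cur_arg]); return ERR_ALERT | ERR_FATAL; }`. The value is also accepted at any length even though it ends up in a 16-bit TLV length field inside a bounded PP2 buffer; reject values above a sane limit here at parse time rather than at connection time. And the error text `missing namespace id` is misleading for what the covering mail describes as a free-form string; say `missing value` instead.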
@@ -1996,6 +2014,7 @@
#ifdef CONFIG_HAP_NS
{ "namespace", bind_parse_namespace,1 },
#endif
+   { "send_netns",bind_parse_send_netns,   1 }, /* PP2_TYPE_NETNS */
/* the versions with the NULL parse function*/
{ "defer-accept",  NULL,  0 },
{ "interface", NULL,  1 },
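Review bot: the new bind keyword has no entry in doc/configuration.txt, which the contribution guidelines the covering mail cites require for any new keyword. The existing bind keywords in this table (`namespace`, `defer-accept`, `interface`) use hyphens, so `send-netns` would be the consistent spelling. Placing the entry after the `#endif` also means the keyword is accepted on every platform even though PP2_TYPE_NETNS is otherwise only produced on CONFIG_HAP_NS builds; that is reasonable for a plain string, but say so in the doc so users on non-Linux builds know what they are getting.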
--- ../../haproxy-1.8.3/src/session.c 2017-12-30 17:13:19.0 +
+++ session.c   2018-01-12 12:35:42.0 +
@@ -141,6 +141,7 @@
cli_conn->flags |= CO_FL_ADDR_FROM_SET;
cli_conn->target = &l->obj_type;
cli_conn->proxy_netns = l->netns;
+   cli_conn->send_netns = l->send_netns;
 
conn_ctrl_init(cli_conn);
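Review bot: this copies the listener's pointer rather than the string, which is fine because the listener outlives its connections, but it contradicts the `/* copied from listen */` comment added to struct connection in the first hunk; make the connection-side field `const char *` and word its comment as "borrowed from the listener" so the ownership is clear. The assignment is unconditional, so every connection on a listener without `send_netns` carries a NULL here, and connection.c's `if (remote && (remote->send_netns))` depends on that field being zero on such listeners; worth a one-line comment next to this assignment.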
--- ../../../haproxy-1.8.3/include/types/connection.h 2017-12-30 
17:13:19.0 +
 
Regards,
Tom
 
From: mingbei...@baifendian.com  
Sent: 26 February 2018 11:50
To: Aaron West 
Cc: Wang Bin ; haproxy 
Subject: Re: Re: haproxy tcp mode source ip
 
Hi:
Thank you. Is this method
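The wire exchange that Tom's `send_netns` patch produces, written out as an added C example that is not part of this thread or of HAProxy's own code: one side builds a PROXY v2 header carrying the real client address plus a PP2_TYPE_NETNS TLV, and the other side parses it the way a backend should, checking the declared length against what was actually received and every TLV length against the declared payload before trusting the value. The addresses, ports and the value "1" are constructed; PP2_NETNS_MAX is an assumed local limit for the receiving side, not a protocol constant.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PP2_HEADER_LEN 16    /* 12-byte signature + ver/cmd + family + 16-bit length */
#define PP2_TYPE_NETNS 0x30  /* TLV type the patch in this thread re-uses */
#define PP2_NETNS_MAX  63    /* assumed local cap on the value a backend will keep */

/* Fixed PROXY protocol v2 signature. */
static const uint8_t pp2_sig[12] = {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A};

/* Build a PROXY v2 header for an IPv4/TCP client carrying one PP2_TYPE_NETNS TLV,
 * as the patched HAProxy would for "send_netns <value>". Returns bytes written,
 * or 0 when the buffer is too small or the value cannot be encoded. */
int pp2_build_ipv4(uint8_t *buf, size_t buf_len, const char *src_ip, uint16_t src_port,
                   const char *dst_ip, uint16_t dst_port, const char *netns)
{
    size_t nlen = netns ? strlen(netns) : 0;
    size_t total = PP2_HEADER_LEN + 12 + (netns ? 3 + nlen : 0);
    struct in_addr a;
    uint16_t v;

    /* Check header AND payload against the buffer and the 16-bit length fields
     * before writing anything; a header-only check is not enough. */
    if (nlen > 0xFFFF || total - PP2_HEADER_LEN > 0xFFFF || total > buf_len) return 0;
    if (inet_pton(AF_INET, src_ip, &a) != 1) return 0;
    memcpy(buf, pp2_sig, 12);
    buf[12] = 0x21;                           /* version 2, PROXY command */
    buf[13] = 0x11;                           /* AF_INET, SOCK_STREAM */
    v = htons((uint16_t)(total - PP2_HEADER_LEN));
    memcpy(buf + 14, &v, 2);                  /* length of everything after the header */
    memcpy(buf + 16, &a, 4);                  /* source address */
    if (inet_pton(AF_INET, dst_ip, &a) != 1) return 0;
    memcpy(buf + 20, &a, 4);                  /* destination address */
    v = htons(src_port); memcpy(buf + 24, &v, 2);
    v = htons(dst_port); memcpy(buf + 26, &v, 2);
    if (netns) {                              /* TLV: type(1) length(2, big endian) value */
        buf[28] = PP2_TYPE_NETNS;
        v = htons((uint16_t)nlen); memcpy(buf + 29, &v, 2);
        memcpy(buf + 31, netns, nlen);
    }
    return (int)total;
}

struct pp2_info {
    char src_ip[INET_ADDRSTRLEN];   /* real client address, what the thread is after */
    uint16_t src_port;
    char netns[PP2_NETNS_MAX + 1];  /* PP2_TYPE_NETNS value, empty when absent */
};

/* Parse a PROXY v2 header as a backend should: returns bytes consumed, 0 when more
 * data is needed, -1 when the header or a TLV is malformed. Only IPv4/TCP is decoded. */
int pp2_parse(const uint8_t *buf, size_t len, struct pp2_info *out)
{
    const uint8_t *p, *tlv, *end;
    struct in_addr a;
    uint16_t plen, port, vlen = 0;

    if (len < PP2_HEADER_LEN) return 0;
    if (memcmp(buf, pp2_sig, 12) != 0 || (buf[12] & 0xF0) != 0x20) return -1;
    memcpy(&plen, buf + 14, 2); plen = ntohs(plen);
    if (len < (size_t)PP2_HEADER_LEN + plen) return 0;     /* partial read: wait for the rest */
    memset(out, 0, sizeof(*out));
    if ((buf[12] & 0x0F) == 0x00) return PP2_HEADER_LEN + plen;  /* LOCAL: no addresses */
    if ((buf[12] & 0x0F) != 0x01 || buf[13] != 0x11 || plen < 12) return -1;

    p = buf + PP2_HEADER_LEN;
    memcpy(&a, p, 4);
    inet_ntop(AF_INET, &a, out->src_ip, sizeof(out->src_ip));
    memcpy(&port, p + 8, 2); out->src_port = ntohs(port);

    /* Walk the TLVs, never trusting a declared length beyond the declared payload. */
    for (tlv = p + 12, end = p + plen; tlv < end; tlv += 3 + vlen) {
        if (end - tlv < 3) return -1;
        memcpy(&vlen, tlv + 1, 2); vlen = ntohs(vlen);
        if (end - tlv - 3 < vlen) return -1;                 /* TLV overruns the header */
        if (tlv[0] == PP2_TYPE_NETNS) {
            if (vlen > PP2_NETNS_MAX) return -1;             /* reject, do not truncate */
            memcpy(out->netns, tlv + 3, vlen);
            out->netns[vlen] = '\0';
        }
    }
    return PP2_HEADER_LEN + plen;
}

/* Round trip for a constructed client 192.0.2.10:40000 -> 192.0.2.1:3128 with
 * send_netns "1": 32 bytes on the wire, client address and TLV recovered. */
int pp2_selfcheck_roundtrip(void)
{
    uint8_t buf[128];
    struct pp2_info info;
    if (pp2_build_ipv4(buf, sizeof buf, "192.0.2.10", 40000, "192.0.2.1", 3128, "1") != 32)
        return 0;
    if (pp2_parse(buf, 32, &info) != 32) return 0;
    return strcmp(info.src_ip, "192.0.2.10") == 0 && info.src_port == 40000
        && strcmp(info.netns, "1") == 0;
}

/* Failure modes: a partial read must return 0 (need more), and a forged TLV length
 * that runs past the declared payload must be rejected with -1. */
int pp2_selfcheck_malformed(void)
{
    uint8_t buf[128];
    struct pp2_info info;
    pp2_build_ipv4(buf, sizeof buf, "192.0.2.10", 40000, "192.0.2.1", 3128, "1");
    if (pp2_parse(buf, 20, &info) != 0) return 0;
    buf[29] = 0x10;                           /* TLV length now claims 0x1001 bytes */
    return pp2_parse(buf, 32, &info) == -1;
}
```

The build side checks header plus payload against the buffer before writing, which is the check the patch's connection.c hunk performs only for the TLV header; the parse side returns 0 on a short read so the caller fetches more bytes instead of failing, and rejects an oversized or overrunning TLV outright rather than truncating it, which is the behaviour a backend that uses the PP2 client address for access decisions needs.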

Re: RE: haproxy tcp mode source ip

2018-02-26 Thread mingbei...@baifendian.com
Hi:
Thank you very much. I'm trying.

Re: Re: haproxy tcp mode source ip

2018-02-26 Thread mingbei...@baifendian.com
Hi:
Thank you. With this method, is the IP only displayed in the log? I want to control 
IP privileges.

 
From: Aaron West
Date: 2018-02-26 18:14
To: mingbei...@baifendian.com
CC: Wang Bin; haproxy
Subject: Re: Re: haproxy tcp mode source ip
Yes, you can use TPROXY instead of Proxy Protocol if you don't mind
the additional routing changes (you need to move to two-arm, with the real
servers setting their gateway to be the HAProxy server).
 
You can see an example in this short Blog here:
https://loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x/
 
Aaron West
 
Loadbalancer.org Ltd.
 
www.loadbalancer.org
 
+1 888 867 9504 / +44 (0)330 380 1064
aa...@loadbalancer.org
 


Re: Re: haproxy tcp mode source ip

2018-02-26 Thread mingbei...@baifendian.com
Hi:
Thank you. Does haproxy support HTTP/1.1? Can HAProxy and TPROXY work together?

 
From: Wang Bin
Date: 2018-02-26 17:10
To: mingbei...@baifendian.com
CC: haproxy
Subject: Re: haproxy tcp mode source ip
It's not possible to obtain the original IP address in TCP proxy mode.
If your backend supports the proxy protocol, you can enable the proxy protocol
to pass the original IP to your backend.
 
2018-02-26 16:06 GMT+08:00 mingbei...@baifendian.com
:
> Hi:
> Hello, great big brother, haproxy gets the source IP in the TCP mode,
> not the IP address of the haproxy, Thanks;
>
> 
>
> 徐铭贝
>
> Mobile: +86-15801118167


haproxy tcp mode source ip

2018-02-26 Thread mingbei...@baifendian.com
Hi:
Hello, great big brother, haproxy gets the source IP in TCP mode, not 
the IP address of the haproxy. Thanks.