Hi,

I have a problem that I don't know how to resolve. It would be much appreciated
if anyone could share some thoughts on how to resolve it.

Scenario:
I have an ELB set up in the AWS cloud. There are two Apache servers (2.4.4)
behind the ELB, acting as gateways; the Apache servers are listening on port 443,
which is an HTTPS port. The ELB is set up with TCP/SSL. When a request comes in
to the ELB, the ELB forwards it to the Apache servers, and the Apache servers
forward it to downstream servers with the ProxyPass directive.

Issue:
There is an issue in this setup: the ELB is preventing the downstream server
from getting the source IP address of the request. What the Apache server can see
is that the message is coming from the IP addresses of the ELB instances, not the
actual sender's IP address. I cannot change the ELB to use HTTP/HTTPS and take
advantage of the "X-Forwarded-" headers, because of the special mutual
authentication I need for the Apache instances. AWS's ELB supports a
TCP protocol called "Proxy Protocol v1" which is able to forward the source
IP address to Apache.

Proxy Protocol:
Proxy Protocol is a protocol for a TCP/SSL load balancer to carry source IP
address information and forward it to downstream servers. The message with an
HTTP GET request would look like:

    PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n
    GET / HTTP/1.1\r\n
    Host: 192.168.0.11\r\n
    \r\n

Basically this protocol adds a new line after the TCP headers and before the
body.
For HTTPS it is more complex; I imagine the message for HTTPS would look
like:

    PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n
    <Encrypted binary>

Here is the link to the protocol:

http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt

Question:

Obviously this new line before the request body will cause SSL and
other modules to fail. How are we going to support this "Proxy Protocol"?


Thanks

JJ
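Added example, not part of JJ's message: a small Python parser that splits the v1 header line off the front of the TCP stream before the remainder is handed to the HTTP or TLS layer, and only honours the header when the connection really came from a trusted load balancer address (otherwise any client could forge a source IP). The trusted-address list and the sample byte strings are constructed for the example; the HTTP sample is the one quoted above and the HTTPS sample uses a few made-up bytes shaped like the start of a TLS record.

```python
import ipaddress

MAX_V1_HEADER = 107  # spec: longest possible v1 line, CRLF included

class ProxyProtocolError(ValueError):
    pass

def parse_proxy_v1(data: bytes):
    """Split a PROXY v1 line off a TCP stream; returns (info, payload).
    info is None for "PROXY UNKNOWN". payload is everything after the CRLF:
    a plaintext HTTP request, or for HTTPS the untouched TLS bytes."""
    if not data.startswith(b"PROXY "):
        raise ProxyProtocolError("missing PROXY signature")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ProxyProtocolError("no CRLF within the first 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, payload
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyProtocolError(f"malformed header: {fields!r}")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ProxyProtocolError("address family does not match TCP4/TCP6")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyProtocolError("port out of range")
    return {"src": str(src), "dst": str(dst), "sport": sport, "dport": dport}, payload

# Constructed: the balancer addresses that are allowed to assert a client IP.
TRUSTED_BALANCERS = {"10.0.0.5", "10.0.0.6"}

def client_info(peer_ip: str, data: bytes):
    """Honour the header only from a trusted balancer; anyone else could forge it."""
    if peer_ip not in TRUSTED_BALANCERS:
        raise ProxyProtocolError(f"PROXY header from untrusted peer {peer_ip}")
    return parse_proxy_v1(data)

# Constructed samples: the HTTP case from the message, and an HTTPS case where
# the bytes after the CRLF are the start of a TLS record (0x16 0x03 0x01 ...).
HTTP_SAMPLE = (b"PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n"
               b"GET / HTTP/1.1\r\nHost: 192.168.0.11\r\n\r\n")
HTTPS_SAMPLE = (b"PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n"
                b"\x16\x03\x01\x00\x05hello")
```

In the HTTPS case the returned payload is exactly the bytes the TLS stack expects to see first, which is why the header has to be consumed before the socket is handed to mod_ssl rather than by an HTTP-level filter.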
