Fix proxy protocol for Health Check frontend & Set stick-table size to IPv6 #633
approval for CI only
Approval for CI.
Approve for CI.
Approving for CI.
approve for CI
Approval for CI
Approval for CI.
approve for CI
lgtm
…o IPv6 (cloudfoundry#633)

* fix(proxy-protocol): fix proxy protocol for Health Check frontend
* docs: Adjust spec description for accept_proxy
* test: Add spec test
* feat: Set stick tables to type ipv6
* test: fix linter error in test case
* fix: Check the value of accept_proxy for http health checks
* feat: Add check for required files to run-local.sh (bpm, bosh-stemcells)
* feat: (WIP) Proxy Protocol Check for Traffic Endpoint
* test: add auto-download of stemcells for local test
* fix(test): fix auto-download method for when all files are present
* fix: Finish proxy_protocol acceptance test
* fix: Linter fixes, remove unneeded changes
* fix: remove go toolchain
* fix: typo in docstring

---------

Co-authored-by: Tamara Boehm <[email protected]>
Co-authored-by: Alexander Lais <[email protected]>
This Pull Request introduces two changes to enhance the IPv6 support of `haproxy-boshrelease`:

1. Proxy Protocol Adjustment for Health Check Frontend

AWS Network Load Balancers (NLBs) utilize the same Proxy Protocol setting for both forwarded traffic and health checks, as outlined in the AWS documentation.

The existing `accept_proxy` configuration property only applies the `accept-proxy` setting (refer to the HAProxy documentation) to the `http` and `https` frontends, excluding the health check frontend. This exclusion leads to the HAProxies being perceived as unhealthy by the load balancer once the feature is activated.

It is not feasible to globally enable `accept-proxy` for the health check frontend because `monit` also utilizes this frontend for the Remote host Service check, and it does not support the Proxy Protocol. Therefore, we are employing the `expect-proxy` feature to avoid expecting the proxy protocol for requests originating from localhost (i.e., `monit`).

2. Stick-Table Size Adjustment for IPv6

Currently, requests from IPv6 source addresses (either via Proxy Protocol or when HAProxy operates in dualstack/`v4v6` enabled-mode) cannot be rate-limited. This limitation is due to the stick tables used for rate limiting being of the `ip` type, which cannot store the longer IPv6 addresses. This PR modifies the type to `ipv6`, enabling the storage of both IPv4 and IPv6 addresses (see HAProxy documentation). The additional memory overhead is negligible.
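
An illustrative `haproxy.cfg` fragment showing both changes described in this pull request. It is an added example, not the configuration that the release's templates generate; the frontend and backend names, ports, table size and rate threshold are assumptions.

```haproxy
# Illustrative fragment only: names, ports, sizes and thresholds are assumed.

# Health check frontend. Probes from the load balancer arrive with a PROXY
# protocol header; monit's probe from localhost arrives without one.
frontend health_check_http_url
    mode http
    bind :8080
    # Require the PROXY header on every connection except those from localhost.
    # "bind :8080 accept-proxy" would apply to all clients and reject monit,
    # which cannot send the header.
    tcp-request connection expect-proxy layer4 unless { src 127.0.0.1 }
    monitor-uri /health

# Traffic frontend. Every connection comes through the load balancer, so the
# PROXY header can be required unconditionally on the bind line.
frontend http-in
    mode http
    bind :80 accept-proxy
    # Before: "stick-table type ip ..." could not hold IPv6 sources, so
    # requests from IPv6 clients were never counted or rate-limited.
    # After: "type ipv6" stores both IPv4 and IPv6 source addresses.
    stick-table type ipv6 size 1m expire 10s store http_req_rate(10s)
    # src is the client address taken from the PROXY header once accepted.
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8081
```

Because the exemption is keyed on the source address, it should stay limited to loopback: any other address on the exempt list could connect without a PROXY header and be treated as the real client.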