Closed
Description
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/50470
- Created at 2019-06-25 16:16:55 by mreynolds (@mreynolds389)
- Assigned to mhonek (@kenoh)
- Associated bugzillas
Ticket was cloned from Red Hat Bugzilla: Bug 1382123
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
Please add support to 389-base for the PROXY protocol for ACI evaluation and
also for logging client queries. The proxy protocol is described here:
http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
Background:
As a network engineer, I can say that having a load balancer in path in your
network is a bad idea. It is bad because it becomes part of the network and it
becomes the weakest link. It limits the capacity of the network and becomes
additional points of failure in the network. The ideal place for a load
balancer is on the side, with the client traffic being network address
translated to address ranges from SNAT pools, where the server receiving the
traffic never directly sees the IP address of the client.
Load balancing out of path traffic to a group of ldap servers presents a
semi-unique problem when ACIs must be evaluated against client IP address and
also for client logging. The PROXY protocol provides this information
to the backend servers via an additional TCP header so that the ACIs can be
correctly evaluated and client traffic can be logged.
A great example of non-http software that is capable of using the additional
tcp header is the Postfix MTA. There is an announcement here:
http://permalink.gmane.org/gmane.comp.web.haproxy/8881
Version-Release number of selected component (if applicable):
Thank you for your consideration.
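The request above asks a server to read the PROXY protocol v1 header line that a load balancer sends at the start of the connection and to use the client address it carries for ACI evaluation and access logging. The following is an added example of how a receiver does that, written for this page; it is not code from 389-ds-base or from the bugzilla. It parses the v1 text header as described in the linked haproxy document, drops malformed headers, and honours the header only when the TCP peer is a configured load balancer, since any other peer asserting a source address would otherwise be able to choose the address the ACIs and the access log see. The trusted-proxy set, the addresses (documentation ranges) and the bytes standing in for an LDAP PDU are constructed.

```python
"""Parse a PROXY protocol v1 header and derive the client address a server
should use for access control (ACI) decisions and for logging.

Added example, not code from 389-ds-base; the trusted-proxy set, the sample
addresses (RFC 5737 / RFC 3849 documentation ranges) and the payload bytes
are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# A v1 header line, including the trailing CRLF, is at most 107 bytes long.
PROXY_V1_MAX_LEN = 107


class ProxyHeaderError(ValueError):
    """Raised for a malformed header; the receiver must then drop the connection."""


@dataclass(frozen=True)
class ProxyInfo:
    family: str                  # "TCP4", "TCP6" or "UNKNOWN"
    src_addr: Optional[str]      # original client address as seen by the proxy
    dst_addr: Optional[str]      # address the client connected to on the proxy
    src_port: Optional[int]
    dst_port: Optional[int]


def _parse_port(text: str) -> int:
    if not text.isdigit() or not 0 <= int(text) <= 65535:
        raise ProxyHeaderError(f"bad port {text!r}")
    return int(text)


def parse_proxy_v1(data: bytes) -> tuple[ProxyInfo, bytes]:
    """Parse one v1 header at the start of `data`.

    Returns the decoded header and the bytes that follow it, i.e. the real
    application payload (for an LDAP server, the first LDAP PDU). A real
    receiver would keep reading until a CRLF or the 107-byte limit is hit;
    here the whole initial read is passed in at once."""
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("missing 'PROXY ' signature")
    end = data.find(b"\r\n", 0, PROXY_V1_MAX_LEN)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the 107-byte limit")
    line, rest = data[:end], data[end + 2:]
    try:
        fields = line.decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("header is not ASCII") from exc
    family = fields[1]
    if family == "UNKNOWN":
        # The proxy could not determine the protocol; the rest of the line is ignored.
        return ProxyInfo("UNKNOWN", None, None, None, None), rest
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError(f"bad family or field count in {line!r}")
    _, _, src, dst, sport, dport = fields
    want = 4 if family == "TCP4" else 6
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address in {line!r}") from exc
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyHeaderError(f"address family does not match {family}")
    return ProxyInfo(family, str(src_ip), str(dst_ip),
                     _parse_port(sport), _parse_port(dport)), rest


def client_address(peer_addr: str, first_bytes: bytes,
                   trusted_proxies: frozenset[str]) -> tuple[str, bytes]:
    """Decide which address the server attributes this connection to.

    Only a TCP peer that is a configured load balancer may assert a client
    address. From any other peer the bytes are treated as ordinary client
    data and the peer's own address is used, so a client cannot pick the
    address the ACIs and the access log see."""
    if peer_addr not in trusted_proxies:
        return peer_addr, first_bytes           # plain client: no header expected
    info, rest = parse_proxy_v1(first_bytes)    # malformed -> ProxyHeaderError -> drop
    if info.family == "UNKNOWN":
        return peer_addr, rest                  # fall back to the proxy's own address
    return info.src_addr, rest


if __name__ == "__main__":
    TRUSTED = frozenset({"198.51.100.5"})       # constructed: the LB's SNAT address
    # constructed: the LB forwards a client's connection; \x30\x0c stands in for a PDU
    stream = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 389\r\n" + b"\x30\x0c"
    ip, payload = client_address("198.51.100.5", stream, TRUSTED)
    print(f"address for ACI/logging: {ip}; payload starts with {payload[:2]!r}")
```

The trusted-proxy check is the part a deployment must not skip: the haproxy document itself requires the receiver to accept the header only from configured sources, and the SNAT addresses of the out-of-path balancer described in the ticket are exactly the set to configure.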