contrib/sni-router: use host networking for HAProxy to preserve client IPs#520
Closed
dolonet wants to merge 1 commit into
…t IPs Move HAProxy into the host network namespace so it sees the real client source IP on inbound connections. With bridge networking + published ports the source IP is rewritten to the bridge gateway by the runtime (Docker's userland-proxy, rootless Podman's slirp4netns or pasta), and the PROXY v2 header HAProxy then sends to mtg and Caddy carries that useless address. mtg and Caddy stay on the compose bridge and publish their ports on host loopback; the host-mode HAProxy dials them at 127.0.0.1. Caddy's proxy_protocol allow list is tightened to loopback only. The 'sysctls: net.ipv4.ip_unprivileged_port_start=80' line is removed because Docker refuses to apply namespaced sysctls when the netns is shared with the host. Rootless Podman users binding the privileged ports need the equivalent host-side sysctl once; this is documented in README.md. Fixes #498.
Fixes #498.

Problem

With the current compose, HAProxy runs on the compose bridge and the host's `:443`/`:80` are published via `ports:`. Docker's userland proxy (default) and rootless Podman's `slirp4netns`/`pasta` both rewrite the source IP to the bridge gateway on the way in. HAProxy then stamps that gateway address (e.g. `172.28.0.1`) into the PROXY v2 header it sends to mtg and Caddy, so neither backend ever logs the real client IP. Affects every runtime the example targets: rootful Docker (any `userland-proxy` setting), rootless Podman, and Docker on Fedora 29+.

Fix

Move HAProxy into the host network namespace (`network_mode: host`). It binds the host's `:443`/`:80` directly, sees the real client IP, and forwards it via PROXY v2 to the backends. mtg and Caddy stay on the compose bridge and publish on host loopback; HAProxy dials them at `127.0.0.1`. Caddy's `proxy_protocol allow` is tightened to loopback only.

Trade-off

HAProxy now occupies the host's `:443` and `:80`; nothing else on the host may listen on those ports. For a dedicated mtg/SNI-router host that is the intended layout. README has a new "Why host networking" section documenting this and the rootless-Podman sysctl prerequisite.

Notes

- `sysctls: net.ipv4.ip_unprivileged_port_start=80` line is removed: it is incompatible with `network_mode: host` (Docker refuses to apply namespaced sysctls when the netns is shared with the host). The equivalent host-side setting is documented in README for rootless Podman users.
- `nineseconds/mtg:2`; compose: fix non-functional 'host' option #514 handles the bump independently. The `host = "web"` fronting target already on master needs an mtg image carrying config: accept hostname for [domain-fronting] target #480 to work — same prerequisite as today, unchanged by this PR.
- `haproxy -c`, `caddy validate`, and YAML parse on the final files.
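As an added illustration, not code from this PR or the sni-router project: a small PROXY v2 encoder/decoder in Python, plus a check for the symptom the PR describes, a stamped source address that sits inside a container bridge range. The bridge range passed to the check (`172.28.0.0/16`, derived from the `172.28.0.1` gateway above) and all addresses in the comments are constructed.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional, Union

# Constants from the PROXY protocol v2 specification (binary header; TCP only here).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_CMD_PROXY, PP2_CMD_LOCAL = 0x21, 0x20      # version nibble 2 + command nibble
PP2_TCP4, PP2_TCP6 = 0x11, 0x21                # address family / transport byte

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

class ProxyHeader(NamedTuple):
    command: str                                 # "PROXY" or "LOCAL"
    src: Optional[Addr]
    dst: Optional[Addr]
    src_port: int
    dst_port: int
    length: int                                  # total header bytes; payload starts here

def build_v2(src: str, dst: str, src_port: int, dst_port: int) -> bytes:
    """Encode a v2 PROXY header as HAProxy's send-proxy-v2 would for a TCP connection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must share an address family")
    fam = PP2_TCP4 if s.version == 4 else PP2_TCP6
    block = s.packed + d.packed + struct.pack("!HH", src_port, dst_port)
    return PP2_SIGNATURE + struct.pack("!BBH", PP2_CMD_PROXY, fam, len(block)) + block

def parse_v2(data: bytes) -> ProxyHeader:
    """Decode the header a backend (mtg, Caddy) receives; ValueError on malformed input."""
    if len(data) < 16 or not data.startswith(PP2_SIGNATURE):
        raise ValueError("missing or truncated PROXY v2 signature")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    body = data[16:16 + length]
    if (ver_cmd >> 4) != 2 or len(body) != length:
        raise ValueError("unsupported version or truncated address block")
    if ver_cmd == PP2_CMD_LOCAL:                 # health check: no client address carried
        return ProxyHeader("LOCAL", None, None, 0, 0, 16 + length)
    if ver_cmd != PP2_CMD_PROXY:
        raise ValueError("unknown command")
    if fam == PP2_TCP4 and length >= 12:         # 4 + 4 + 2 + 2 bytes
        src, dst, sp, dp = struct.unpack("!4s4sHH", body[:12])
    elif fam == PP2_TCP6 and length >= 36:       # 16 + 16 + 2 + 2 bytes
        src, dst, sp, dp = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ValueError("unsupported address family or short address block")
    return ProxyHeader("PROXY", ipaddress.ip_address(src), ipaddress.ip_address(dst), sp, dp, 16 + length)

def source_is_bridge_gateway(hdr: ProxyHeader, bridge_nets: tuple) -> bool:
    """Symptom check: a stamped source inside a bridge range means the runtime rewrote it."""
    return hdr.src is not None and any(hdr.src in ipaddress.ip_network(n) for n in bridge_nets)
```

Feeding a header like `build_v2("172.28.0.1", "172.28.0.5", 51514, 443)` to the check flags the bridge-gateway case, while one carrying a public client address does not.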