Support HAProxy proxy protocol for broker and proxy #8686
Conversation
codelipenghui
added
the
doc-required
| @@ -169,6 +171,11 @@ public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws E | |||
|
|
|||
| @Override | |||
| public void channelRead(final ChannelHandlerContext ctx, Object msg) throws Exception { | |||
| System.out.println(haProxyMessage); | |||
|
@diegosalvi you have recently implemented this feature on EmailSuccess, can you please take a look? |
conf/broker.conf
Outdated
| @@ -55,6 +55,9 @@ advertisedAddress= | |||
| # The Default value is absent, the broker uses the first listener as the internal listener. | |||
| # internalListenerName= | |||
|
|
|||
| # Enable or disable the proxy protocol. | |||
| proxyProtocolEnabled=false | |||
There was a problem hiding this comment.
This naming can be confusing since we already have a "proxy" for Pulsar protocol
There was a problem hiding this comment.
How about change to haProxyProtocolEnabled?
There was a problem hiding this comment.
haProxyProtocol looks much better than proxyProtocol.
There was a problem hiding this comment.
Ok, sounds good.
|
/pulsarbot run-failure-checks |
| }); | ||
| } | ||
|
|
||
| private ByteBuf encodeProxyProtocolMessage(HAProxyMessage msg) { | ||
| // Max length of v1 version proxy protocol message is 108 | ||
| ByteBuf out = Unpooled.buffer(108); |
There was a problem hiding this comment.
Actually maximum record size is 107 by spec:
-
worst case (optional fields set to 0xff) :```
"PROXY UNKNOWN ffff:f...f:ffff ffff:f...f:ffff 65535 65535\r\n"
=> 5 + 1 + 7 + 1 + 39 + 1 + 39 + 1 + 5 + 1 + 5 + 2 = 107 chars
[...]
The receiver must wait for the CRLF sequence before starting to decode the
addresses in order to ensure they are complete and properly parsed. If the CRLF
sequence is not found in the first 107 characters, the receiver should declare
the line invalid.
There was a problem hiding this comment.
I'm using the netty-haproxy-codec directly. I think netty codec already handled this?
There was a problem hiding this comment.
I just noticed the max length for v1 is 108 https://github.com/netty/netty/blob/4.1/codec-haproxy/src/main/java/io/netty/handler/codec/haproxy/HAProxyMessageDecoder.java#L37
| @@ -118,6 +119,9 @@ protected void initChannel(SocketChannel ch) throws Exception { | |||
| ch.pipeline().addLast("ByteBufPairEncoder", ByteBufPair.ENCODER); | |||
| } | |||
|
|
|||
| if (pulsar.getConfiguration().isHaProxyProtocolEnabled()) { | |||
| ch.pipeline().addLast(OptionalProxyProtocolDecoder.NAME, new OptionalProxyProtocolDecoder()); | |||
There was a problem hiding this comment.
I think we should have the possibilitiy to require proxy headers instead of handle them as optional.
Specification itself states:
The receiver MUST be configured to only receive the protocol described in this
specification and MUST not try to guess whether the protocol header is present
or not. This means that the protocol explicitly prevents port sharing between
public and private access.
There was a problem hiding this comment.
This is a flag to control if users want to enable the haproxy protocol support. We must provide a way to disable this feature.
There was a problem hiding this comment.
Sure! What I was saying is that there isn't a way to REQUIRE proxy header if pulsar.getConfiguration().isHaProxyProtocolEnabled(). Specs states that is MUST expect a proxy header, it isn't optional. There could be another option to handle optional/mandatory
| InetSocketAddress proxyAddress = (InetSocketAddress) inboundChannel.remoteAddress(); | ||
| String destinationAddress = proxyAddress.getAddress().getHostAddress(); | ||
| int destinationPort = proxyAddress.getPort(); | ||
| HAProxyMessage msg = new HAProxyMessage(HAProxyProtocolVersion.V1, HAProxyCommand.PROXY, |
There was a problem hiding this comment.
netty-haproxy can decode binary v2 version too (but doesn't implements encoding).
We could add another encoding method for v2 protocol and let the configurer choose which use.
For the encoding implementation I've done one for subethamail if you want take a peek. It has been done for testing purposes (so it permits some strange behaviour to check various edge cases and "wrong" headers and can surely be simplified): https://github.com/davidmoten/subethasmtp/blob/master/src/test/java/org/subethamail/smtp/internal/proxy/ProxyProtocolV2HandlerTest.java
There was a problem hiding this comment.
It's not a required for this PR, we can support the proxy set the different protocol version in the following PRs.
sijie
added
cherry-pick/2.6.3
release/2.6.3
release/2.7.1
and removed
cherry-pick/2.6.3
labels
|
/pulsarbot cherry-pick to branch-2.6 |
|
/pulsarbot cherry-pick to branch-2.7 |
### Motivation Currently, if enable the proxy in the pulsar cluster and client connect to the cluster through the proxy, when we get topic stats, the consumer address and producer address are not the real client address. This PR fix this problem by leverage HAProxy proxy protocol since this is a more general approach. more details about the proxy protocol see https://www.haproxy.com/blog/haproxy/proxy-protocol/ https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt ### Modifications Allow enable proxy protocol on proxy or broker. ### Verifying this change Tests added (cherry picked from commit 625627c)
### Motivation Currently, if enable the proxy in the pulsar cluster and client connect to the cluster through the proxy, when we get topic stats, the consumer address and producer address are not the real client address. This PR fix this problem by leverage HAProxy proxy protocol since this is a more general approach. more details about the proxy protocol see https://www.haproxy.com/blog/haproxy/proxy-protocol/ https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt ### Modifications Allow enable proxy protocol on proxy or broker. ### Verifying this change Tests added (cherry picked from commit 625627c)
|
/pulsarbot cherry-pick to branch-2.6 |
Currently, if enable the proxy in the pulsar cluster and client connect to the cluster through the proxy, when we get topic stats, the consumer address and producer address are not the real client address. This PR fix this problem by leverage HAProxy proxy protocol since this is a more general approach. more details about the proxy protocol see https://www.haproxy.com/blog/haproxy/proxy-protocol/ https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt Allow enable proxy protocol on proxy or broker. Tests added (cherry picked from commit 625627c)
Currently, if enable the proxy in the pulsar cluster and client connect to the cluster through the proxy, when we get topic stats, the consumer address and producer address are not the real client address. This PR fix this problem by leverage HAProxy proxy protocol since this is a more general approach. more details about the proxy protocol see https://www.haproxy.com/blog/haproxy/proxy-protocol/ https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt Allow enable proxy protocol on proxy or broker. Tests added (cherry picked from commit 625627c) (cherry picked from commit 3813062)
Anonymitaet
removed
the
doc-required
Motivation
Currently, if enable the proxy in the pulsar cluster and client connect to the cluster through the proxy, when we get topic stats, the consumer address and producer address are not the real client address. This PR fix this problem by leverage HAProxy proxy protocol since this is a more general approach. more details about the proxy protocol see
https://www.haproxy.com/blog/haproxy/proxy-protocol/
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html
http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
Modifications
Allow enable proxy protocol on proxy or broker.
Verifying this change
Tests added
Does this pull request potentially affect one of the following parts:
If
yeswas chosen, please highlight the changesDocumentation