Proxy protocol support #10645
Comments
We don't have plans to add something like this to the server. Our current recommendation is to use the
Note for 3.0 we're adding support for client certificates forwarded in headers (and then using them for authentication). #9756
@anurse XFF header cannot be injected into encrypted traffic. If we terminate SSL earlier, the service will not be able to perform Mutual TLS as SSL is already offloaded. @Tratcher That is nice, but it requires having some other services in front of our service that can get the client certificate and put it in a defined HTTP header. Is there any other solution?
Terminating SSL on NGINX and forwarding the client cert and IP is your best option.
Thanks @Tratcher!
Is your feature request related to a problem? Please describe.
I have a Kubernetes cluster with an NGINX reverse proxy in front of the worker nodes. Some of my services require Mutual TLS, and I set up SSL passthrough on the NGINX reverse proxy and on the Kubernetes Ingress Controller (also NGINX). When a request hits my services (Kestrel web server), the remote (source) IP is the IP address of the Kubernetes Ingress Controller, not the original client IP. This creates a problem for me, as I need to check an ACL based on the client IP address. By enabling proxy protocol on both NGINX services I'm able to deliver the original client IP to Kestrel, but Kestrel at the moment doesn't know how to speak proxy protocol in order to get the original client IP.
Describe the solution you'd like
I would like to see proxy protocol support for Kestrel web server.
Describe alternatives you've considered
As the service itself needs to do Mutual TLS, I see no alternatives for this problem.
Additional context
https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
Thanks!
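The version 1 header from the linked PROXY protocol specification, and the check a receiver needs before it uses the carried address for an IP ACL, as an added example (not code from ASP.NET Core or from anyone in this thread). The network ranges, sample bytes and function names are assumptions made for illustration.

```python
import ipaddress

# Assumptions for this example: ingress controller subnet and the client ACL.
TRUSTED_PROXIES = [ipaddress.ip_network("10.42.0.0/16")]
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]
MAX_V1_HEADER = 107  # longest v1 header line the spec allows, CRLF included

# Constructed sample: v1 header followed by the first bytes of a TLS record.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.42.0.5 56324 443\r\n\x16\x03\x01"


def parse_proxy_v1(data: bytes):
    """Return (src_ip, src_port, rest); src values are None for UNKNOWN."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":  # proxy could not determine the client
        return None, None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match protocol field")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("non-numeric port")
    if int(fields[4]) > 65535 or int(fields[5]) > 65535:
        raise ValueError("port out of range")
    return src, int(fields[4]), rest


def effective_client(peer_ip: str, first_bytes: bytes):
    """Address to use for the ACL, plus the bytes to hand to the TLS layer."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Anyone can type a PROXY line; from an untrusted peer it is ignored.
        return peer, first_bytes
    src, _, rest = parse_proxy_v1(first_bytes)  # trusted proxies must send one
    return (src if src is not None else peer), rest


def is_allowed(peer_ip: str, first_bytes: bytes) -> bool:
    client, _ = effective_client(peer_ip, first_bytes)
    return any(client in net for net in ALLOWED_CLIENTS)
```

The header travels in cleartext ahead of the TLS handshake, which is why it survives SSL passthrough and why the receiver has to restrict it to connections from the proxy's own addresses.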