Add generic TCP proxying support

[magiconair]

This issue tracks the request from #1 to add support for generic TCP proxying support in fabio.

So far fabio supports the TCP+SNI proxy for full-end-to-end encryption but not any dynamic listeners, i.e. you cannot route MySQL traffic through fabio yet.

[nugend]

@magiconair subbed, thanks.

[jbye]

Subbed.
My use case is that I would like to use Fabio to load balance Thrift-based microservices that are registered in Consul.

[magiconair]

@jbye why not use the consul service discovery instead? Then you don't need fabio for this. That's what we're doing.

[panga]

+1

@magiconair I'm using Fabio to route Docker based microservices, so it binds to random ports on host.
I would like use Fabio to route TCP based traffic through a fixed port...

[tkald]

+1
I'd like to balance imap / smtp traffic

Proxy protocol support to tcp would be also awsome :)

[shantanugadgil]

My use case is:

• non HTTPS services; launched using Nomad and registered into Consul.
  I wanted to use Fabio to discover a named service within Consul; say "myservice" and then roundrobin between the registered backends (IP:PORT) for that single service.

*** The backend port could vary as I am using Docker with Nomad's ephemeral port logic.

Thanks and Regards,
Shantanu

[magiconair]

@shantanugadgil myservice would be a non-HTTP and non-HTTPS service, right?

[shantanugadgil]

@magiconair yes, that's correct, "myservice" would be custom app.

[magiconair]

The release-branch-1.4 contains a working implementation of a generic TCP proxy. It should also support TLS on the inbound socket but I haven't tested that yet. This should work by setting a certificate source with cs=name. I need to polish and document some more code but would appreciate some early feedback whether this is working in general.

The following command will start TCP proxy on port 1234 in fabio and route requests to all servers which have registered with tag urlprefix-:1234 proto=tcp

./fabio -proxy.addr ':1234;proto=tcp'

The demo/server has been updated to provide a simple TCP echo server.

cd demo/server
go build
./server -addr 127.0.0.1:5000 -proto tcp -prefix :1234 &
./server -addr 127.0.0.1:5001 -proto tcp -prefix :1234 &
...

nc 127.0.0.1 1234
Hello
[127.0.0.1:5001] Hello
^C

You can also register multiple tags to map several inbound ports to one service. You can try this with

./server -addr 127.0.0.1:5000 -proto tcp -prefix :1234,:5678

Please note however, that fabio needs to have all listening ports configured upfront. That is something that I'd like to change in a subsequent change.

One side effect which I'd like to clean up before merging is that the route commands still contain URLs as target addresses, e.g.

+ route add server :1234 http://127.0.0.1:5001/ tags "urlprefix-:1234 proto=tcp" opts "proto=tcp"
+ route add server :1234 http://127.0.0.1:5000/ tags "urlprefix-:1234 proto=tcp" opts "proto=tcp"

Feedback is very welcome!

[magiconair]

One note: The release-branch-1.4 requires Go 1.8

[ptariche]

👍

[nugend]

I'd like to test, but I'd have to spend some time figuring out how to install go in a custom root.

[magiconair]

@nugend Would it help if I provide a binary?

[nugend]

Yes. Thank you.

[magiconair]

@nugend Here you go: https://github.com/eBay/fabio/releases/tag/v1.4beta1

[nugend]

Will test it out first thing tomorrow! Thanks!

[panga]

@magiconair,

I've tested the new TCP proxy settings, it works like I expected!

Just a few questions:

1. Do you plan to add support for dynamic listening ports?
2. When do you plan to release 1.4 branch?

Thank you!!

[magiconair]

@panga That's good to know. Thanks for testing this. To your questions:

1. dynamic listening ports: yes, but that requires some more refactoring since I need to shut them down as well.
2. I'd like to spend some more thought on how the tcp proxy support is expressed in the config language. Right now the upstream server is still referred to via http:// which is wrong. I'd also like to get an idea on the state of the TLS support. Other than that, I don't foresee any other major changes for the 1.4 branch. I'll try to find some time to clean this up this week and aim for a release next week.

[magiconair]

@nugend did you also get a chance to test the tcp proxy in 1.4beta1?

[nugend]

Yes! Sorry for the delay. Seems to work great! We'll probably try using it for inbound client connections when we have some time on our schedule.

[magiconair]

I've added a test which verifies that TLS termination works on the TCP proxy. This now allows the following options:

• Proxy a raw TCP connection based on ports
• Proxy a TLS encrypted TCP connection without decryption based on SNI server name
• Proxy a TLS encrypted TCP connection and terminate TLS on fabio

I've rebased the release-branch-v1.4 which means I had to re-roll the 1.4beta1 build. Probably, shouldn't have merged the small changes into master in the first place.

In any case, I've tagged and pushed v1.4rc1 which will become v1.4 unless someone finds a bug.

P.S.: They're also on docker hub.

[magiconair]

merged to master

[rodrigoraval]

Guys,

I am facing some issue close to this one, could you please help me on that?

#266

Thanks