Custom ProxyProtocol Listener Filter #5403

Closed
asayah opened this issue Sep 29, 2021 · 4 comments
asayah commented Sep 29, 2021

PROXY Protocol

https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/proxy_protocol#config-listener-filters-proxy-protocol

https://www.haproxy.org/download/1.9/doc/proxy-protocol.txt

Background:

The PROXY protocol provides a convenient way to safely transport connection
information such as a client's address across multiple layers of NAT or TCP
proxies. It is designed to require little changes to existing components and
to limit the performance impact caused by the processing of the transported
information.

Important implementation detail:

In both cases, the protocol simply consists in an easily parsable header placed
by the connection initiator at the beginning of each connection. The protocol
is intentionally stateless in that it does not expect the sender to wait for
the receiver before sending the header, nor the receiver to send anything back.

Proposal

The proposal here is to implement a custom listener filter which adds support for Proxy Protocol (https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/proxy_protocol), but on error, instead of replicating the existing filter:

If there is a protocol error or an unsupported address family (e.g. AF_UNIX) the connection will be closed and an error thrown.

we will continue processing the connection without Proxy Protocol.

Gloo Edge

We enable/disable this filter using the Gateway resource:

// Enable ProxyProtocol support for this listener
google.protobuf.BoolValue use_proxy_proto = 8;

Previous issue related to PROXY protocol: #5116

Additional Notes

Yuval has some experience implementing a similar pattern for SNI inspection. If you pick this up, sync with him on how to approach.
This would be applied to the envoy-gloo-ee repository.
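
The fallback proposed in this issue, sketched in Go as an added example (it is not part of the issue and not the envoy-gloo-ee filter's code): inspect the first bytes of a connection, use the PROXY header if it parses, and otherwise pass every byte through as application data. `ParseOrFallback` is a hypothetical helper, the inputs are constructed, and parsing is narrowed to v1 TCP4/TCP6 and v2 PROXY over TCP4.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// v2Sig is the 12-byte signature that opens every PROXY protocol v2 header.
var v2Sig = []byte("\r\n\r\n\x00\r\nQUIT\n")

// ParseOrFallback (hypothetical helper) takes the first bytes of a connection,
// assumed to hold the complete header. On a valid header it returns the carried
// client address and the header length to strip; otherwise ok=false and n=0, so
// the caller keeps the socket peer address and forwards buf unchanged.
func ParseOrFallback(buf []byte) (src string, n int, ok bool) {
	switch {
	case bytes.HasPrefix(buf, []byte("PROXY ")): // v1: one text line, max 107 bytes
		end := bytes.Index(buf, []byte("\r\n"))
		if end < 0 || end+2 > 107 {
			return "", 0, false
		}
		f := strings.Split(string(buf[:end]), " ")
		if len(f) != 6 || (f[1] != "TCP4" && f[1] != "TCP6") || net.ParseIP(f[2]) == nil {
			return "", 0, false
		}
		if _, err := strconv.ParseUint(f[4], 10, 16); err != nil {
			return "", 0, false
		}
		return net.JoinHostPort(f[2], f[4]), end + 2, true
	case bytes.HasPrefix(buf, v2Sig) && len(buf) >= 16: // v2: binary header
		total := 16 + int(binary.BigEndian.Uint16(buf[14:16]))
		// 0x21 = version 2 + PROXY command; 0x11 = TCP over IPv4 (12 address bytes).
		if buf[12] != 0x21 || buf[13] != 0x11 || total < 28 || len(buf) < total {
			return "", 0, false
		}
		port := strconv.Itoa(int(binary.BigEndian.Uint16(buf[24:26])))
		return net.JoinHostPort(net.IP(buf[16:20]).String(), port), total, true
	}
	return "", 0, false
}

func main() {
	// Constructed inputs: a v1 header ahead of HTTP, then a bare health check.
	fmt.Println(ParseOrFallback([]byte("PROXY TCP4 192.0.2.10 198.51.100.1 56324 443\r\nGET / HTTP/1.1\r\n\r\n")))
	fmt.Println(ParseOrFallback([]byte("GET /healthz HTTP/1.1\r\n\r\n")))
}
```

A listener that accepts connections both with and without the header can only trust the carried address as far as it trusts the peer that sent it; the HAProxy specification tells receivers to filter access so that only trusted proxies can use the protocol.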

@asayah asayah added the Type: Enhancement New feature or request label Sep 29, 2021
@phenixblue

We're looking to support healthchecks from downstream load balancers that might not be able to wrap healthcheck requests in Proxy Protocol, but still support Proxy Protocol for all other traffic. We want these health checks to flow through the Gloo Edge Dataplane, not be exposed through a NodePort or something else.

The Cloud Foundry GoRouters have some existing implementation for this, where it examines a request and checks for the Proxy Protocol header; if it doesn't exist, it processes it without Proxy Protocol (additional CPU overhead, but a lot of flexibility/compatibility).

The most simplistic thing I can think of is maybe an Envoy Filter that can disable Proxy Protocol on a per service config based on config within the VirtualService spec.

@sam-heilbron

Reached out via Slack to discuss this further.

@sam-heilbron

The proposal here is to implement a custom listener filter which adds support for Proxy Protocol (https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/proxy_protocol), but on error, instead of replicating the existing filter:

If there is a protocol error or an unsupported address family (e.g. AF_UNIX) the connection will be closed and an error thrown.

we will continue processing the connection without Proxy Protocol.

@sam-heilbron sam-heilbron changed the title ProxyProtocol Healthcheck Custom ProxyProtocol Listener Filter Oct 25, 2021
@sam-heilbron sam-heilbron added Size: L 1 - 2 weeks and removed Size: TBD labels Oct 25, 2021
@kdorosh kdorosh self-assigned this Nov 3, 2021

kdorosh commented Nov 18, 2021

released in Gloo Enterprise 1.9.3 and 1.8.21

@kdorosh kdorosh closed this as completed Nov 18, 2021