Enable parsing HAProxy's Proxy protocol for TCP Servers #2492
Comments
I have tentative code that works for this, but it assumes that a few hacks used when interacting with Tornado actually work:
This code supports parsing PROXY protocol (version 1), though it could be tailored for version 2. (Also, error-checking could probably be done on the IP addresses and ports to make sure that they are actually valid IPs.) @bdarnell, assuming you provide a clean way to put bytes back into the stream as documented in the code comments, (and maybe also assuming you provide a slightly cleaner way to handle the max bytes issue without blindly closing the connection), this code should transparently parse out HTTP connections behind a load balancer which may or may not be enabled with the proxy protocol (v1). I've even tested this by updating some load balancer with and without the proxy protocol without ever shutting down the underlying server. This makes migrations for HTTP (and potentially other TCP) servers substantially easier without complicating a whole bunch of infrastructure to put the proxy protocol in a different port. It CAN be done, and tornado should at least support some framework calls to make it possible, even if you don't want to implement it directly in tornado itself.
Hello, recently I worked with Tornado and HAProxy, so here is my solution for Proxy protocol version 2 (ppv2)
This solution originates in @eulersIDcrisis code, but I altered it a little bit and it works fine with Tornado (6.2.0-3) and Python (3.11.2). Not all features are implemented (I simply didn't need them).
Most of the time, tornado runs an HTTP(S) server or similar, and can run behind something like nginx that can supply X-* headers to get the client's real IP address.
However, Tornado is capable of running non-HTTP services over TCP; in these cases, some load balancers support passing the client IP information via the HAProxy Proxy Protocol, as described here:
https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
It would be handy to have parsing of the proxy protocol built into Tornado, so that the client's real IP address can be acquired in the non-HTTP settings.
It would also be useful, specifically in the HTTP case, to autodetect the proxy protocol (if configured to do so, of course) and update everything accordingly so yet another nginx server or similar isn't required.
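An added example, not code from this thread or from Tornado: a strict PROXY protocol v1 parser that autodetects the header, validates the addresses and ports, and honours the header only when the TCP peer is a trusted proxy, because any client that can reach the port directly can send its own PROXY line. The names `parse_proxy_v1`, `trusted_proxies`, `ProxyHeaderError` and the sample bytes are assumptions; the caller is assumed to have buffered the first line (at most 107 bytes) before calling.

```python
import ipaddress

V1_PREFIX = b"PROXY "
V1_MAX_LEN = 107  # longest v1 header line allowed by the spec, CRLF included
# Constructed sample: a v1 header followed by the start of an HTTP request.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\nGET / HTTP/1.1\r\n"


class ProxyHeaderError(ValueError):
    """Data from a trusted proxy starts like a v1 header but is malformed."""


def _port(text):
    # Decimal digits only, no leading zeros, range 0..65535.
    if not text.isdigit() or (len(text) > 1 and text[0] == "0") or int(text) > 65535:
        raise ProxyHeaderError("bad port: %r" % text)
    return int(text)


def parse_proxy_v1(data, peer_ip, trusted_proxies):
    """Hypothetical helper: return (client_addr, remaining_bytes).
    client_addr is (ip, port) from the header, or None when no header is
    honoured: none present, UNKNOWN, or the peer is not a trusted proxy."""
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in ipaddress.ip_network(n) for n in trusted_proxies)
    if not trusted or not data.startswith(V1_PREFIX):
        return None, data  # bytes are left untouched for the normal parser
    end = data.find(b"\r\n", 0, V1_MAX_LEN)
    if end == -1:
        raise ProxyHeaderError("no CRLF within %d bytes" % V1_MAX_LEN)
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII header")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("bad field layout")
    try:
        src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    except ValueError as exc:
        raise ProxyHeaderError(str(exc))
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family mismatch")
    _port(fields[5])
    return (str(src), _port(fields[4])), rest
```

A malformed header from a trusted proxy raises instead of falling back, so a broken line is never silently treated as application data.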