IBM/varnish-operator

Is it possible to use PROXY protocol?

jsobiecki opened this issue · 6 comments

Hello,

Thank you for your work regarding varnish-operator! I'm investigating this right now and ran into one problem:

I'm exploring how to enable PROXY support on a Varnish cluster provisioned by the operator. This generally illustrates my use case: https://www.varnish-software.com/developers/tutorials/proxy-protocol-varnish/#proxy-protocol-over-tcp.

According to the docs, I should add something like a "-a :8443,PROXY" parameter.

Unfortunately, the operator doesn't allow me to add this option. Is there a way to put Varnish in "PROXY" mode, or simply bypass the operator validation?

cin commented

Thanks for the issue @jsobiecki. Unfortunately, we did not anticipate this use case and have explicitly blocked users from using the -a option. @tomashibm is going to work on a PR to address this issue. For our own edification, can you talk about your use case a bit? How are you using varnish and how is it setup? Thanks!

@jsobiecki you should be able to append additional -a options with the latest release

Thank you for prompt response! I can confirm it works.

@cin It's a bit of an experiment. What I wanted to achieve was something like

[ WORLD ] => [ LOAD BALANCER / SSL TERMINATION ] => [VARNISH CLUSTER] => [INGRESS NGINX]

So I wanted to make sure that all traffic (for a specific load balancer) goes through Varnish, and Varnish provides the cache or redirects traffic to external servers (e.g. it works as an S3 gateway).

I wanted to use the PROXY protocol, as the load balancer supports it, since I wanted to maintain correct client IPs.

I have seen this setup seem to work (after adding PROXY support). Unfortunately, it looks like I will need to change it (the cloud controller for my provider is a bit limited and it's not possible to have SSL termination and a working HTTP port (not related to Varnish)). Because of that, I'll probably change the setup, give up SSL termination at the load balancer, and inject a separate ingress to handle SSL and route all traffic through Varnish.

cin commented

Thanks for the details @jsobiecki. Can you not configure or change out your load balancer to support SSL termination? Hopefully adding an extra layer for SSL termination won't be too costly but it'd definitely be nice to not have to do that. Hopefully @tomashibm's updates last week will at least allow you to use proxy mode now. Let us know how things go!

Hi guys, thanks to the proxy protocol support, I was able to implement my use case. I had to change the ingress controller from nginx to haproxy, but finally it worked as expected.

Generally it's [WORLD] => [ SSL TERMINATION] => PROXY PROTOCOL => HAPROXY => PROXY PROTOCOL => VARNISH =>....

cin commented

Great to hear @jsobiecki. GL!
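The PROXY protocol line that the SSL-terminating load balancer and HAProxy hops in the setup above send ahead of each connection to a Varnish listener started with `-a :8443,PROXY`, as an added example that is not part of this thread or of varnish-operator: a small Python parser and builder for PROXY protocol v1, plus the check a listener should make before believing the asserted client address. The point a practitioner needs here is that a PROXY-enabled listener takes the client IP from whatever its peer writes in that line, so port 8443 must only be reachable from the terminating proxy (network policy or a restricted Service); anyone else who can reach it can spoof client IPs. The trusted-proxy ranges (`10.0.0.0/8`, `fd00::/8`), the address and port values, and the function names are all constructed for this example.

```python
import ipaddress
import re

# Constructed example, not varnish-operator or Varnish code. A Varnish
# listener started with "-a :8443,PROXY" expects exactly this kind of line
# from its peer before the first byte of HTTP; here we build and parse it
# ourselves to show what the load balancer / HAProxy hop sends, and why only
# trusted peers may be allowed to send it.

_V1_MAX_LEN = 107  # longest valid v1 line including CRLF (TCP6 case), per the spec
_V1_RE = re.compile(
    rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d{1,5}) (\d{1,5}))?\r\n$"
)

# Assumed address ranges of the load balancer / HAProxy pods in front of Varnish.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "fd00::/8")]


class ProxyHeaderError(ValueError):
    """Malformed, inconsistent or untrusted PROXY protocol header."""


def build_v1_header(src_ip, dst_ip, src_port, dst_port):
    """Build the v1 line a proxy sends: the original client (src) and the
    address the client connected to (dst)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ProxyHeaderError("source and destination address families differ")
    fam = b"TCP4" if src.version == 4 else b"TCP6"
    return b"PROXY %s %s %s %d %d\r\n" % (
        fam, str(src).encode(), str(dst).encode(), src_port, dst_port)


def parse_v1_header(data):
    """Split the PROXY v1 line off the start of `data` (first bytes read from
    the socket). Returns (info dict, remaining bytes of the real request)."""
    # The CRLF must appear within the first 107 bytes; otherwise the peer is
    # not speaking PROXY v1 and the bytes must not be interpreted as a header.
    end = data.find(b"\r\n", 0, _V1_MAX_LEN)
    if end < 0:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    line = data[:end + 2]
    m = _V1_RE.match(line)
    if not m:
        raise ProxyHeaderError("not a PROXY v1 line: %r" % line)
    fam, src, dst, sport, dport = m.groups()
    fam = fam.decode()
    rest = data[end + 2:]
    if fam == "UNKNOWN":
        # Peer could not determine the client (e.g. a health check): there is
        # no address to trust, the caller falls back to the peer address.
        return {"family": fam}, rest
    if src is None:
        raise ProxyHeaderError("%s line without addresses" % fam)
    try:
        src_ip = ipaddress.ip_address(src.decode())
        dst_ip = ipaddress.ip_address(dst.decode())
    except ValueError as e:
        raise ProxyHeaderError("bad address: %s" % e)
    want = 4 if fam == "TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyHeaderError("address family does not match %s" % fam)
    src_port, dst_port = int(sport), int(dport)
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ProxyHeaderError("port out of range")
    info = {"family": fam, "src_ip": str(src_ip), "src_port": src_port,
            "dst_ip": str(dst_ip), "dst_port": dst_port}
    return info, rest


def client_address(peer_ip, first_bytes, trusted=TRUSTED_PROXIES):
    """Decide which IP to treat as the client on a PROXY-enabled listener.

    Only a trusted upstream may assert a client address. Any other peer that
    reaches the listener could write an arbitrary PROXY line and spoof client
    IPs, so such connections are rejected rather than trusted.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        raise ProxyHeaderError("PROXY header from untrusted peer %s" % peer)
    info, rest = parse_v1_header(first_bytes)
    if info["family"] == "UNKNOWN":
        return str(peer), rest
    return info["src_ip"], rest


if __name__ == "__main__":
    # Constructed exchange: HAProxy at 10.0.0.9 forwards a client from 203.0.113.7.
    hdr = build_v1_header("203.0.113.7", "10.0.0.5", 51234, 443)
    print(hdr)
    print(client_address("10.0.0.9", hdr + b"GET / HTTP/1.1\r\n"))
```

Varnish itself performs the parsing when the listener carries the `PROXY` flag and exposes the asserted client as `client.ip`; the trust check is the part Varnish does not do for you, which is why the PROXY listener must be network-restricted to the proxy tier.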