AWS elb Proxy protocol breaking deis/builder

Question

AWS elb Proxy protocol breaking deis/builder

guilhermef opened this issue 8 years ago · 8 comments

Trying to get the client IP on my app request, I hit an issue with proxy protocol.
I've enable on the AWS elb and on the deis-router, It works fine through nginx,
but If I try to push my app to the deis/builder, it breaks the request.

Since K8s enables proxy protocol to every listener on the service, including the deis/builder.
Not supporting proxy protocol on the deis/builder, might be an issue.

Answer 1 · 2016-09-27T20:03:39.000Z

This seems to be a bug in the nginx config section for the builder tcp proxy, which looks like:

listen 2222;

Instead of:

listen 2222 {{ if $routerConfig.UseProxyProtocol }}proxy_protocol{{ end }};

Answer 2 · 2016-09-27T20:23:13.000Z

It looks like the proxy_protocolsupport for TCP proxies was added in 1.11.4, so we also need to bump the nginx version. Currently 1.11.2 is used.

Answer 3 · 2016-09-27T20:25:22.000Z

Master is on 1.11.4 :-) https://github.com/deis/router/blob/master/rootfs/Dockerfile#L17

Answer 4 · 2016-09-27T20:26:32.000Z

Thanks @felixbuenemann

Answer 5 · 2016-09-27T20:27:32.000Z

Yeah, I just noticed when looking at the Dockerfile. PR created.

Looks like end-to-end client ips will finally be possible on AWS.

Answer 6 · 2016-09-27T20:28:09.000Z

We only needed the most bleeding edge nginx available ;-)

Answer 7 · 2016-09-27T21:43:01.000Z

I just tested this end-to-end on my deis 2.5.0 staging cluster running on AWS:

Switched deis-router deployment to image: quay.io/deisci/router:git-22241ea
Added annotation router.deis.io/nginx.useProxyProtocol: "true" to the deis-router deployment
Added service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*' to the deis-router service annotations
Pushed a new release for an app to the builder

All working fine now!

Answer 8 · 2016-09-27T23:11:01.000Z

I've created deis/workflow#522 to add a section on PROXY protocol configuration to the workflow docs.