AWS elb Proxy protocol breaking deis/builder
guilhermef opened this issue · 8 comments
Trying to get the client IP on my app request, I hit an issue with proxy protocol.
I've enabled it on the AWS ELB and on the deis-router. It works fine through nginx,
but if I try to push my app to the deis/builder, it breaks the request.
Since K8s enables proxy protocol on every listener on the service, including the deis/builder,
not supporting proxy protocol on the deis/builder might be an issue.
This seems to be a bug in the nginx config section for the builder tcp proxy, which looks like:
listen 2222;
Instead of:
listen 2222 {{ if $routerConfig.UseProxyProtocol }}proxy_protocol{{ end }};
It looks like the proxy_protocol support for TCP proxies was added in 1.11.4, so we also need to bump the nginx version. Currently 1.11.2 is used.
Master is on 1.11.4 :-) https://github.com/deis/router/blob/master/rootfs/Dockerfile#L17
Thanks @felixbuenemann
Yeah, I just noticed when looking at the Dockerfile. PR created.
Looks like end-to-end client IPs will finally be possible on AWS.
We only needed the most bleeding edge nginx available ;-)
I just tested this end-to-end on my deis 2.5.0 staging cluster running on AWS:
- Switched deis-router deployment to image: quay.io/deisci/router:git-22241ea
- Added annotation router.deis.io/nginx.useProxyProtocol: "true" to the deis-router deployment
- Added service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*' to the deis-router service annotations
- Pushed a new release for an app to the builder
All working fine now!
I've created deis/workflow#522 to add a section on PROXY protocol configuration to the workflow docs.
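
Added example, not part of the original thread or the deis code: a small PROXY protocol v1 parser in Python showing what reaches port 2222 when the ELB prepends its header and the listener lacks proxy_protocol, and what a listener that does expect it recovers. The sample bytes, addresses and function names are constructed for illustration, and looks_like_ssh is a simplified stand-in for an SSH server's check of the client identification string.

```python
import ipaddress

MAX_V1_HEADER = 107  # a v1 header line is at most 107 bytes including CRLF

# Constructed sample: first bytes of a git-push SSH connection after the
# load balancer has prepended a PROXY v1 header (documentation addresses).
SAMPLE = (b"PROXY TCP4 198.51.100.22 203.0.113.7 35646 2222\r\n"
          b"SSH-2.0-OpenSSH_7.2\r\n")


def looks_like_ssh(first_bytes):
    """Simplified stand-in: the client identification string starts with 'SSH-'."""
    return first_bytes.startswith(b"SSH-")


def split_proxy_v1(data):
    """Return ((client_ip, client_port) or None, payload).

    Raises ValueError on a malformed header, since passing it through
    would corrupt the protocol the backend expects.
    """
    if not data.startswith(b"PROXY "):
        return None, data  # sender is not speaking PROXY protocol
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("unterminated PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, payload  # proxy could not determine the addresses
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    family = 4 if fields[1] == "TCP4" else 6
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    if src.version != family or dst.version != family:
        raise ValueError("address family mismatch")
    src_port, dst_port = int(fields[4]), int(fields[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return (str(src), src_port), payload


if __name__ == "__main__":
    print("raw stream accepted as SSH:", looks_like_ssh(SAMPLE))
    client, rest = split_proxy_v1(SAMPLE)
    print("client:", client, "| payload accepted as SSH:", looks_like_ssh(rest))
```

A listener that accepts the header trusts whatever address it carries, so it should only be reachable from the load balancer.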