Comments (7)
For those not familiar with PROXY protocol, the header includes the client's IP address, the client's source port and the client's destination port, which would be the port on the load balancer terminating SSL.
from router.
I think the following would work (untested):
    {{ if $routerConfig.UseProxyProtocol -}}
    map $proxy_protocol_port $proxy_protocol_scheme {
        default $scheme;
        "80" "http";
        "443" "https";
    }
    {{- end }}
    map $http_x_forwarded_proto $tmp_access_scheme {
        {{ if $routerConfig.UseProxyProtocol -}}
        default $proxy_protocol_scheme; # if X-Forwarded-Proto header is empty, $tmp_access_scheme will be the proxy protocol used
        {{- else -}}
        default $scheme; # if X-Forwarded-Proto header is empty, $tmp_access_scheme will be the actual protocol used
        {{- end }}
        "~^(.*, ?)?http$" "http"; # account for the possibility of a comma-delimited X-Forwarded-Proto header value
        "~^(.*, ?)?https$" "https"; # account for the possibility of a comma-delimited X-Forwarded-Proto header value
        "~^(.*, ?)?ws$" "ws"; # account for the possibility of a comma-delimited X-Forwarded-Proto header value
        "~^(.*, ?)?wss$" "wss"; # account for the possibility of a comma-delimited X-Forwarded-Proto header value
    }
from router.
Before I go too deep into this issue... if you're terminating SSL at the load balancer, your load balancer already speaks HTTP/S. An option, therefore, would be to configure it to set the X-Forwarded-For HTTP header instead... if on AWS or GKE, this is actually automatic. Just disable PROXY proto on the router end and you're back in business with real client IPs.
from router.
No, if you're terminating SSL at the load balancer it still speaks TCP. If you are terminating HTTPS it speaks HTTP, but then, for example, on ELB WebSockets won't work.
from router.
Btw. I know that terminating SSL at the ELB has drawbacks like losing support for HTTP/2 (because the ELB does not negotiate HTTP/2 over ALPN), but many people like to use it to be able to use Amazon Certificate Manager.
from router.
I stumbled upon this issue when googling a solution to the very same problem you're having.
After having implemented it, I realized that $proxy_protocol_port is actually the client's port, and not the destination port. The destination port is not available as a variable.
https://trac.nginx.org/nginx/ticket/1206 is a feature request to expose the destination port.
from router.
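The source-port versus destination-port distinction raised in the comment above, as an added example that is not part of the original thread or the router's code: a small parser for the PROXY protocol v1 header line showing which field each port comes from. The sample header, the `PORT_TO_SCHEME` table and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: a v1 header as a load balancer would prepend it
# (documentation/private addresses, not values from the issue).
SAMPLE_HEADER = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n"

# Assumed mapping, mirroring the ports used in the map block quoted in the thread.
PORT_TO_SCHEME = {80: "http", 443: "https"}


def parse_proxy_v1(line: bytes) -> dict:
    """Parse one PROXY protocol v1 header line and validate every field."""
    # The v1 header is a single CRLF-terminated ASCII line of at most 107 bytes.
    if not line.endswith(b"\r\n") or len(line) > 107:
        raise ValueError("v1 header must end in CRLF and fit in 107 bytes")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) < 2 or parts[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if parts[1] == "UNKNOWN":
        return {"family": "UNKNOWN"}  # receiver must ignore the rest of the line
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("malformed header")
    family, src, dst, sport, dport = parts[1:]
    version = 4 if family == "TCP4" else 6
    for addr in (src, dst):
        if ipaddress.ip_address(addr).version != version:
            raise ValueError("address does not match declared family")
    if not all(p.isdigit() and int(p) <= 65535 for p in (sport, dport)):
        raise ValueError("port out of range")
    return {
        "family": family,
        "src_addr": src,         # client IP
        "dst_addr": dst,         # address the client connected to on the balancer
        "src_port": int(sport),  # client's ephemeral port ($proxy_protocol_port)
        "dst_port": int(dport),  # balancer listener port (80 or 443)
    }


def scheme_for_port(port: int, default: str = "http") -> str:
    """Map a port to a scheme; default models the plain-HTTP hop to the router."""
    return PORT_TO_SCHEME.get(port, default)


if __name__ == "__main__":
    hdr = parse_proxy_v1(SAMPLE_HEADER)
    print("from source port:     ", scheme_for_port(hdr["src_port"]))
    print("from destination port:", scheme_for_port(hdr["dst_port"]))
```

Keying the scheme on the source port falls through to the default for almost every client, so a TLS connection terminated at the load balancer would be reported as plain HTTP; only the destination port reflects the listener the client actually reached.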
This issue was moved to teamhephy/router#12
from router.