On 2020-07-17 17:17 +0000 (+0000), Michael Johnson wrote: [...]
To use the PROXY protocol you would set up the load balancer like this:

1. Create the load balancer.
2. Create the listener using HTTPS pass through, so either the "HTTPS" or "TCP" protocol.
3. Create the pool using the "PROXY" protocol option.
4. Add your members and health manager as you normally do.

Then, on the web servers enable PROXY protocol. On apache this is via the mod_remoteip module and the RemoteIPProxyProtocol directive. See:
https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html#remoteipproxyprotoco...

On nginx it is enabled with the "proxy_protocol" directive. See:
https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/

Pretty much every web server has support for it.
[...]
Neat! Somehow this is the first I've heard of it. An attempt at a formal specification seems to be published at http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt but I'm not finding any corresponding IETF RFC draft.

I agree it looks like a viable solution to the question posed (so long as the LB and servers have support for this custom protocol/encapsulation). Way less problematic than DSR, just unfortunately handled as a de facto standard from what I can see, but looks like https://tools.ietf.org/id/draft-schwartz-tls-lb-00.html touches on ways to hopefully provide a more extensible solution in the future.

-- 
Jeremy Stanley
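
Added example, not part of the original messages and not Octavia, Apache or nginx code: a member-side parser for the version 1 (text) PROXY header described in the haproxy.org specification linked above, which believes the header only when the TCP peer is the load balancer. The names `TRUSTED_LB_NETS`, `parse_proxy_v1` and `client_address` and the address range are assumptions made for illustration; the binary version 2 header is not handled.

```python
import ipaddress

# Assumption: constructed range standing in for the load balancer's subnet.
TRUSTED_LB_NETS = [ipaddress.ip_network("192.0.2.0/28")]
MAX_V1_HEADER = 107  # longest v1 header line including CRLF, per the spec


class ProxyHeaderError(ValueError):
    """Raised when a PROXY v1 header is absent, malformed or untrusted."""


def parse_proxy_v1(data: bytes):
    """Return (src, dst, rest); src and dst are (ip, port), or None for UNKNOWN."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ProxyHeaderError("missing or oversized PROXY v1 header")
    rest = data[end + 2:]
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII header") from exc
    if fields[1] == "UNKNOWN":
        return None, None, rest  # proxy could not describe the connection
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed PROXY v1 header")
    if not all(f.isdigit() for f in fields[4:]):
        raise ProxyHeaderError("non-numeric port")
    try:
        src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    except ValueError as exc:
        raise ProxyHeaderError("bad address") from exc
    want = 4 if fields[1] == "TCP4" else 6
    sport, dport = int(fields[4]), int(fields[5])
    if {src.version, dst.version} != {want} or max(sport, dport) > 65535:
        raise ProxyHeaderError("address family or port out of range")
    return (str(src), sport), (str(dst), dport), rest


def client_address(peer_ip: str, first_bytes: bytes):
    """Client IP to log or filter on, plus the payload that follows the header."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_LB_NETS):
        # Anyone who can reach the port can type a header; only the LB is believed.
        raise ProxyHeaderError("PROXY header from untrusted peer")
    src, _dst, rest = parse_proxy_v1(first_bytes)
    return (src[0] if src else peer_ip), rest
```

The same trust boundary applies to the web server configuration: a member that accepts the header should be reachable only from the load balancer, otherwise the logged client address is whatever the sender claims.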