On 2020-07-17 17:17 +0000 (+0000), Michael Johnson wrote:
[...]
> To use the PROXY protocol you would set up the load balancer like this:
> 1. Create the load balancer.
> 2. Create the listener using HTTPS pass through, so either the "HTTPS"
> or "TCP" protocol.
> 3. Create the pool using the "PROXY" protocol option.
> 4. Add your members and health manager as you normally do.
>
> Then, on the web servers enable PROXY protocol.
> On apache this is via the mod_remoteip module and the
> RemoteIPProxyProtocol directive. See:
>
> https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html#remoteipproxyprotocol
> On nginx it is enabled with the "proxy_protocol" directive. See:
>
> https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
>
> Pretty much every web server has support for it.
[...]

Neat! Somehow this is the first I've heard of it. An attempt at a
formal specification seems to be published at
http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt but I'm
not finding any corresponding IETF RFC draft. I agree it looks like
a viable solution to the question posed (so long as the LB and
servers have support for this custom protocol/encapsulation). Way
less problematic than DSR, just unfortunately handled as a de facto
standard from what I can see, but looks like
https://tools.ietf.org/id/draft-schwartz-tls-lb-00.html touches on
ways to hopefully provide a more extensible solution in the future.
-- 
Jeremy Stanley
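
Added example, not part of the original messages or of any project named in them: a minimal parser for the human-readable (version 1) header from the haproxy.org specification linked above, as a pool member would see it at the start of each pass-through connection. It honours the header only when the TCP peer is a known load balancer address; the function name, the `trusted_lbs` parameter and the sample bytes are assumptions made for this illustration.

```python
import ipaddress

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte preamble of the binary (v2) form
MAX_V1_LEN = 107                           # longest v1 line, CRLF included

def parse_proxy_v1(data, peer_ip, trusted_lbs):
    """Return (client_ip, client_port, header_length) from a v1 header.

    peer_ip is the address the TCP connection came from (the load
    balancer); trusted_lbs is a list of CIDR strings. Hypothetical names.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_lbs):
        # From any other peer the header is just client-controlled bytes.
        raise PermissionError("PROXY header from untrusted peer " + peer_ip)
    if data.startswith(V2_SIGNATURE):
        raise ValueError("binary v2 header; this example handles v1 only")
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":
        # No usable address information: fall back to the TCP peer.
        return peer_ip, None, end + 2
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    family = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match " + fields[1])
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport, end + 2

# Constructed sample: header line followed by the first bytes of the
# client's TLS record, as on an HTTPS pass-through listener.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n\x16\x03\x01"

if __name__ == "__main__":
    print(parse_proxy_v1(SAMPLE, "10.0.0.2", ["10.0.0.0/24"]))
```

The returned length tells the caller where the client's own bytes (here the TLS handshake) begin.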