[openstack][octavia] transparent

Ignazio Cassano ignaziocassano at gmail.com
Fri Jul 17 18:25:49 UTC 2020


I mean ACL on the load balancer, not on the web servers...

On Fri, Jul 17, 2020, 20:20 Ignazio Cassano <ignaziocassano at gmail.com> wrote:

> Hello Michael, I forgot to ask if the configuration you suggested can
> support ACL for clients' IP addresses.
> Ignazio
>
> On Fri, Jul 17, 2020, 19:17 Michael Johnson <johnsomor at gmail.com> wrote:
>
>> Hi Ignazio,
>>
>> Currently the amphora driver does not support passing the client
>> source IP directly to the backend member server.
>>
>> However there are a few ways to accomplish this using the amphora driver:
>> 1. Use the proxy protocol for the pool.
>> 2. Terminate the HTTPS on the load balancer and add the X-Forwarded-For
>> header.
>>
>> To use the PROXY protocol you would set up the load balancer like this:
>> 1. Create the load balancer.
>> 2. Create the listener using HTTPS pass through, so either the "HTTPS"
>> or "TCP" protocol.
>> 3. Create the pool using the "PROXY" protocol option.
>> 4. Add your members and health manager as you normally do.
>>
>> Then, on the web servers enable PROXY protocol.
>> On Apache this is via the mod_remoteip module and the
>> RemoteIPProxyProtocol directive. See:
>>
>> https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html#remoteipproxyprotocol
>> On nginx it is enabled with the "proxy_protocol" directive. See:
>>
>> https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
>>
>> Pretty much every web server has support for it.
>>
>> Michael
>>
>> On Fri, Jul 17, 2020 at 10:01 AM Ignazio Cassano
>> <ignaziocassano at gmail.com> wrote:
>> >
>> > Hello all, I have some end users who want to receive on their load
>> > balanced web servers the client IP address for ACL.
>> > They also want the HTTPS connection to be terminated on the web servers and
>> > not on the load balancer.
>> > Can I solve this with Octavia?
>> > I read HAProxy can act as transparent only when it is the default
>> > router of the backends.
>> > In our use case the default router is not the load balancer.
>> > Any help, please?
>> > Ignazio
>> >
>>
>
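
Added example, not part of the original thread and not Octavia or web server code: what a member sees first on each connection when the pool uses the PROXY protocol, and how a client IP ACL can be evaluated from it while the TLS stream stays untouched. It assumes the text (version 1) header format; the load balancer address, the allowed network and the function names are constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 header allowed by the spec, CRLF included

# Constructed sample values (assumptions, not from the thread):
TRUSTED_LB = {ipaddress.ip_address("10.0.0.5")}             # address the amphora connects from
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]  # client ACL


def parse_proxy_v1(data: bytes):
    """Parse a PROXY v1 header; return (client_ip, client_port, remaining_bytes).

    client_ip is None for "PROXY UNKNOWN". Raises ValueError if malformed.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]  # the untouched TLS stream starts here
    if fields[1] == "UNKNOWN":
        return None, None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("bad PROXY v1 header")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    sport, dport = int(fields[4]), int(fields[5])
    family = 4 if fields[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ValueError("address family mismatch")
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return src, sport, rest


def client_allowed(peer_ip: str, first_bytes: bytes) -> bool:
    """ACL decision for one new connection arriving at a member."""
    # Only the load balancer may assert a client address; a header sent by
    # any other peer could be forged, so it is rejected outright.
    if ipaddress.ip_address(peer_ip) not in TRUSTED_LB:
        return False
    try:
        client, _port, _rest = parse_proxy_v1(first_bytes)
    except ValueError:
        return False
    return client is not None and any(client in net for net in ALLOWED_CLIENTS)
```

The same trust rule applies when the web server does the parsing: members should accept connections carrying a PROXY header only from the load balancer's addresses, for example through security group rules.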