Lack of proxy-protocol support prevents use of Kestrel with HAproxy in TCP mode

[ststeiger]

One of the advantages of using haproxy over nginx is, that you don't need nginx-PLUS (commercial offering) if you want to add SNI-hosts dynamically.
Another advantages of using HAproxy over nginx is that HAproxy can do SSL/TLS-passthrough forwarding.
Meaning HAproxy then doesn't need the ssl certificate etc, which is great, because then I only need to configure the SSL-key on Kestrel - especially if the SSL/TLS certificate changes at runtime (LetsEncrypt).

A further advantage is, that a TCP-level-proxy will not be limited by a proxy-pipeline, e.g. interfering with HTTP 1.1/2.0.

Now, I have multiple sites running on the same IP.
The way to do this with HAproxy is sni-header inspection.
But because Kestrel does not support the proxy protocol, it's impossible to get the client's IP .

GoLang has support for that since at least 4 years...
By breaking the ability to get the client's IP, you're breaking the ability to geolocate - which breaks the ability to adapt content to a user's region ...

When an intermediary service such as a proxy server or load balancer forwards an HTTP request, it appends the source address of the connection to the request’s "Forwarded" header in order to provide this information to subsequent intermediaries and to the back-end service to which the request is ultimately forwarded. However, if the connection is encrypted, intermediaries cannot modify the "Forwarded" header. In this case, the HTTP header will not accurately communicate the original source address when the request is forwarded.

To solve this problem, some load balancers encapsulate HTTP requests using the PROXY protocol as an alternative to simply forwarding HTTP. Encapsulation enables the load balancer to add information to the request without modifying the forwarded request itself. In particular, this means that the load balancer can communicate the source address even when forwarding an encrypted connection.

If Kestrel could be configured to accept PROXY-protocol connections, it could decapsulate the HTTP request.
Since Kestrel is the route termination, it could decrypt the request, and update the "Forwarded" HTTP header (and related HTTP headers) appending any source address that is communicated using the PROXY protocol.

e.g.

frontend https
    bind :443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    use_backend awx_example_com if { req_ssl_sni -i awx.example.com }
    use_backend goren_example_com if { req_ssl_sni -i goren.example.com }
    use_backend tower_example_com if { req_ssl_sni -i tower.example.com }

backend awx_example_com
    server awx 192.168.101.182:5001 send-proxy-v2

backend goren_example_com
    server goren 192.168.101.182:5002 send-proxy-v2

backend tower_example_com
    server tower 192.168.101.182:443 se5003nd-proxy-v2

[Tratcher]

It's not natively supported, but you can plug it in. Here's an example:
https://github.com/aspnet/AspLabs/blob/452634b6aff935dba07181fe70f614d5788076e0/src/ProxyProtocol/ProxyProtocol.Sample/Program.cs#L38

Notes for triage: This makes the third request for this feature (the other two were internal). It's not a lot, but it's slowly gaining interest.

[davidfowl]

Golang doesn't have this built in or maybe you meant something else because that link above is a library written in go, not the core libraries...

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

[ststeiger]

@Tratcher: Thanks for that !
Had a fight with HAproxy config file.
And the result is - WoW, cool, it looks like it works, even with wildcard SNI !
I will check that in detail this evening.

@davidfowl: What I meant by that was that there's a library out there to support proxy-protocol since 4 years.
I searched for a .NET/Core library on google and found nothing.
But the code from AspLabs seems to work for what I have tested so far - so this is solved now, for the time being anyway.
Don't know if this works for gzip/br content, but I will find out.
Now whatever the finding is, I have something to build on.

[ststeiger]

@Tratcher: There was another public one: #10645
unless strainovic works for msft.
Since that issue had no solution, I opened this issue.

[Tratcher]

@ststeiger Thanks, I for got about that one.

[dferretti]

@Tratcher 👋 I'll add one more to the feature request count if I can. I'll try out the example you posted but it would be awesome if it was built in. In AWS using the Network Load Balancers, if you want to see the client's IP and you are registering targets using IP address (as is the case when using Fargate) they suggest enabling Proxy Protocol v2 as well.

[davidfowl]

It doesn't need to be built in. I'd like to see the mileage we get with that sample code before we prioritize it. I don't this this is built into many platform webservers out there.

[gitanuj]

It'll be nice to have this officially supported in .NET Core. We're trying to use Azure Private Link Service with TCP Proxy v2 in some backend services for Azure Cosmos DB and that requires supporting proxy-protocol. For now I'll give this sample a try and see if it works.

[ststeiger]

It works with nginx.
It doesn't work with SSL passthrough in HAproxy, for unknown reason.
Maybe I don't need it in HAproxy when I do SSL passthrough, though.

[ststeiger]

@Tratcher: One more thing: That doesn't work with SSL passthrough in HAproxy.
It works with nginx.
I guess it's a bug or missing-feature somewhere.

Here my HAproxy config, for reproduction:

# /etc/haproxy/haproxy.cfg

# Validate: 
# haproxy -c -V -f /etc/haproxy/haproxy.cfg
# Another way is to 
# sudo service haproxy configtest

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

	

frontend http
    bind *:80
    mode http
    option forwardfor
    # option httpchk /check.cfm
    # use-server  server1 if { hdr(host) -i server1.domain.net }
    # use-server  server2 if { hdr(host) -i server2.domain.net }
    # server server1 localhost:22201 check
    # server server2 localhost:22202 check
    # default_backend nodes
    # redirect scheme https code 301 if !{ ssl_fc }
    
    
    
    # http://192.168.1.2/.well-known/acme-challenge/token.txt
    # http://88.84.21.77/.well-known/acme-challenge/token.txt
    # http://daniel-steiger.ch/.well-known/acme-challenge/token.txt
    # http://henri-bernhard.ch/.well-known/acme-challenge/token.txt
    
    # https://www.haproxy.com/documentation/aloha/12-5/traffic-management/lb-layer7/acls/  
    # For ACLs sharing the same name, the following rules apply:
    # It is possible to use the same <aclname> for many ACLs, even if they do not have the same matching criterion
    # A logical OR applies between all of them
    
    # acl daniel_steiger_ch dst 192.168.1.2
    # acl daniel_steiger_ch dst 88.84.21.77
    
    acl daniel_steiger_ch  hdr(host)     -i 88.84.21.77
    acl daniel_steiger_ch  hdr(host)     -i 192.168.1.2
    
    acl daniel_steiger_ch  hdr(host)     -i daniel-steiger.ch
    acl daniel_steiger_ch  hdr(host)     -m end .daniel-steiger.ch
    
    acl henri_bernhard_ch  hdr(host)     -i henri-bernhard.ch
    acl henri_bernhard_ch  hdr(host)     -m end .henri-bernhard.ch
    
    
    #use_backend http_daniel_steiger_ch if { hdr(host) -i daniel-steiger.ch }
    #use_backend http_daniel_steiger_ch if { hdr(host) -m end .daniel-steiger.ch }
    
    use_backend http_daniel_steiger_ch if daniel_steiger_ch 
    use_backend http_henri_bernhard_ch if henri_bernhard_ch 
    
    
    
    

    
backend http_daniel_steiger_ch
    mode http
    balance roundrobin
    server web0 127.0.0.1:5006
    
    
    
backend http_henri_bernhard_ch
    mode http
    balance roundrobin
    server web0 127.0.0.1:5008
    
    
    
#backend nodes
#    mode http
#    balance roundrobin
#    option forwardfor
#    reqirep ^Host: Host:\ node1.myapp.mycompany.com
#    server web01 node1.myapp.mycompany.com:80
    
# sudo systemctl stop nginx
# sudo systemctl disable nginx

# sudo systemctl enable haproxy
# service haproxy start
# sudo haproxy -c -V -f /etc/haproxy/haproxy.cfg
# service haproxy restart

	
frontend https
    bind *:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    #tcp-request content accept if { req_ssl_hello_type 1 }

    # https://datamakes.com/2018/02/17/high-intensity-port-sharing-with-haproxy/
    # systemctl restart sshd
    # systemctl disable sshd
    # systemctl enable sshd
    # sudo apt-get install openssh-server
    # sudo systemctl status ssh
    # sudo ufw allow ssh
    # sudo ufw enable
    # sudo ufw status
    # ufw allow 443/tcp
    # ufw allow 8443/tcp
	

	
    
    
    
    # /mnt/sshfs/var/www/.dotnet/corefx/cryptography/crls/
    # sudo apt-get install exfat-utils exfat-fuse

    
    # https://192.168.1.2/.well-known/acme-challenge/token.txt
    # https://88.84.21.77/.well-known/acme-challenge/token.txt
    # http://daniel-steiger.ch/.well-known/acme-challenge/token.txt
    # http://henri-bernhard.ch/.well-known/acme-challenge/token.txt
  
    # https://www.haproxy.com/documentation/aloha/12-5/traffic-management/lb-layer7/acls/  
    # For ACLs sharing the same name, the following rules apply:
    # It is possible to use the same <aclname> for many ACLs, even if they do not have the same matching criterion
    # A logical OR applies between all of them
  
  
  # sequence matters ! 
  
  
    # having these two lines here blocks ssh if use_backend openssh comes afterwards ...
    # also, this fucks up SNI ...
    # acl daniel_steiger_ch dst 192.168.1.2
    # acl daniel_steiger_ch dst 88.84.21.77
    
    acl daniel_steiger_ch req_ssl_sni -i daniel-steiger.ch
    acl daniel_steiger_ch req.ssl_sni -m end .daniel-steiger.ch
    
    acl henri_bernhard_ch req_ssl_sni -i henri-bernhard.ch
    acl henri_bernhard_ch req.ssl_sni -m end .henri-bernhard.ch
    
    
    # wildcard
    use_backend https_daniel_steiger_ch if daniel_steiger_ch
    use_backend https_henri_bernhard_ch if henri_bernhard_ch
    
    
    # use_backend example_int if { req_ssl_sni -i example.int }
    # use_backend example_int if { req_ssl_sni -m end .example.int }

    # use_backend example_int if { req_ssl_sni -i example.int }
    # use_backend foo_int if { req_ssl_sni	 -i foo.int }
    # use_backend bar_int if { req_ssl_sni -i bar.int }

    
# sudo haproxy -c -V -f /etc/haproxy/haproxy.cfg
    
backend https_daniel_steiger_ch
    mode tcp
    balance roundrobin
    server web0 127.0.0.1:5005 # send-proxy-v2
    
backend https_henri_bernhard_ch
    mode tcp
    balance roundrobin
    server web0 127.0.0.1:5007 # send-proxy-v2

backend foo_int
    balance roundrobin
    server web1 127.0.0.1:5005 send-proxy

backend bar_int 
    balance roundrobin
    server web2 127.0.0.1:5005 ##send-proxy