Proxy protocol

Preserve connection information such as the client IP address and port for traffic that goes through your gateway listener.

About proxy protocol

Proxy Protocol is used to ensure that backend services receive the full network information, even when traffic is proxied through other components, such as an AWS Network Load Balancer or the gateway proxy itself. The gateway proxy and backend services can then use this information to apply accurate rate limiting policies, make routing decisions, and properly log and audit traffic. Without proxy protocol, the backend service can only see the IP address of the last proxy that handled the request, which can impact security measures and access control.

Before you begin

  1. Follow the Get started guide to install K8sGateway, set up a gateway resource, and deploy the httpbin sample app.

  2. Get the external address of the gateway and save it in an environment variable.

    export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
    echo $INGRESS_GW_ADDRESS  
    kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080

Enable proxy protocol for a listener

  1. Create a ListenerOption resource to enable proxy protocol for the listeners on your gateway proxy. The following example enables proxy protocol on all listeners that are configured on the gateway. To enable proxy protocol for a particular listener, include the spec.targetRefs.sectionName field as described in Option 2: Attach the policy to a particular listener on the gateway (targetRefs.sectionName).

    kubectl apply -f- <<EOF
    apiVersion: gateway.solo.io/v1
    kind: ListenerOption
    metadata:
      name: proxy-protocol
      namespace: gloo-system
    spec:
      targetRefs:
      - group: gateway.networking.k8s.io
        kind: Gateway
        name: http
      options:
        proxyProtocol:
          allowRequestsWithoutProxyProtocol: false    
    EOF
  2. Verify that your configuration is applied by reviewing the Envoy configuration.

    1. Port forward the gloo-gateway-http deployment on port 19000.
      kubectl port-forward deploy/gloo-proxy-http -n gloo-system 19000 & 
    2. Open the config_dump endpoint.
      open http://localhost:19000/config_dump
    3. Find the listener filters and verify that proxy protocol is enabled for all of the gateway listeners. You see a listener filter that looks similar to the following.
      "listener_filters": [
        {
         "name": "envoy.filters.listener.proxy_protocol",
         "typed_config": {
          "@type": "type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol"
         }
        },

Cleanup

You can remove the resources that you created in this guide.
kubectl delete listeneroption proxy-protocol -n gloo-system