chproxy

[BUG] Remote IP is wrong when deployed behind load balancer

Open ank-everstake opened this issue 3 years ago • 4 comments

Describe the bug Chproxy does not support the so-called PROXY protocol on HTTP when you get client IPs from special headers.

To Reproduce Put Chproxy behind HAproxy, check logs on CHproxy - they will show the IP of the HAproxy instance as client IP/RemoteAddr.

Expected behavior With HTTP, a proxy can add a Forwarded HTTP header, or the non-standard X-Forwarded-For header, or basically we can make it configurable - from which header to get the IP. You can set it to X-REAL-IP or CF-connecting-IP.

Screenshots N/A

Environment information

  • Ubuntu 20.04 LTS.
  • We checked Chproxy 1.17.0 and 1.16.3.
  • HAproxy 2.4 and HAproxy 2.6

Additional context If deployed behind load balancer you cannot use ACL which can be used to limit clients by IP, so it is a big feature set decrease.

ank-everstake Aug 30 '22 07:08

I have a few questions to understand your problem:

  • why can HAproxy use ACL on client IPs since on its side it sees the real IPs?
  • can't you use CHProxy user limits for what you want (like the max_concurrent_queries)?

mga-chka Aug 30 '22 08:08

It would be strange as mapping is defined in Chproxy, and it would clobber configs if we would disperse logic for clients across different services. Also, we have seen in Readme:

Prepends User-Agent request header

so Chproxy is already doing some part of parsing and thinking about backends and monitoring. It is time to do it in reverse order)

From our perspective Chproxy as a balancer needs to leverage this as it is a common feature for load balancers.

ank-everstake Aug 30 '22 13:08

It's your lucky day! There is a new member in the team that manages chproxy and he will start with this task. I can't say how long it will take but at least your issue will be done, so you don't have to worry about your PoC/PR. We might need you once the task is over so that you can validate everything works as expected.

mga-chka Sep 06 '22 07:09

I opened a PR to address this issue. However, the PR (see: #225) does raise some questions. I hope to cover at least the most common use cases with the PR, but especially with custom headers it can be hard to support all use cases without the ability to allow users of CHProxy to create e.g. custom middleware.

Blokje5 Sep 11 '22 13:09

FYI the new v1.19.0 contains the feature you asked for. If it doesn't work as expected, feel free to reopen the issue.

mga-chka Oct 23 '22 08:10