[improve][broker] Support X-Forwarded-For and HA Proxy Protocol for resolving original client IP of http/https requests #22524
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lhotari
force-pushed
the
lh-xff-header-support
branch
from
0a260c2 to
df4e7c9
Compare
lhotari
force-pushed
the
lh-xff-header-support
branch
from
df4e7c9 to
0292dcd
Compare
lhotari
changed the title
…esolving the client IP of http/https requests
lhotari
force-pushed
the
lh-xff-header-support
branch
from
0292dcd to
eed42c6
Compare
Technoboy-
approved these changes
Apr 18, 2024
coderzc
approved these changes
Apr 18, 2024
|
proposal to cherry-pick this to maintenance branches: https://lists.apache.org/thread/9rqh5rmzfcl8lf6rmd1rr6h0t4kp6kpc |
lhotari
force-pushed
the
lh-xff-header-support
branch
from
7df1724 to
62050fd
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #22524 +/- ##
============================================
+ Coverage 73.57% 73.86% +0.28%
- Complexity 32624 33003 +379
============================================
Files 1877 1885 +8
Lines 139502 140185 +683
Branches 15299 15379 +80
============================================
+ Hits 102638 103545 +907
+ Misses 28908 28647 -261
- Partials 7956 7993 +37
Flags with carried forward coverage won't be shown. Click here to find out more.
|
poorbarcode
approved these changes
Apr 19, 2024
mukesh-ctds
pushed a commit
to datastax/pulsar
that referenced
this pull request
Apr 23, 2024
…esolving original client IP of http/https requests (apache#22524) (cherry picked from commit 4a88721) (cherry picked from commit 7d52dd7)
srinath-ctds
pushed a commit
to datastax/pulsar
that referenced
this pull request
Apr 23, 2024
…esolving original client IP of http/https requests (apache#22524) (cherry picked from commit 4a88721) (cherry picked from commit 7d52dd7)
Technoboy-
pushed a commit
to Technoboy-/pulsar
that referenced
this pull request
Apr 24, 2024
…esolving original client IP of http/https requests (apache#22524)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #22512
Motivation
See #22512. In some environments, there's a HTTP reverse proxy in front of Pulsar Proxy or Pulsar Broker and there's a desire to log the actual client IP addresses instead of the reverse proxy's IP address. For this purpose, it's now possible to configure the broker or proxy to trust the value of the X-Forwarded-For header.
X-Forwarded-For support is also useful when Pulsar Proxy is in front of Pulsar Broker. Pulsar Proxy already adds the X-Forwarded-For headers to the request. This change will allow propagating the original client IP from the Pulsar Proxy to the Pulsar Broker as well.
For supporting Layer 4 (TCP) proxies, this PR also includes HA Proxy Protocol v1 and v2 support for resolving the original client IP of http/https requests. This is added to ensure that client IP propagation can be configured in all types of configurations.
In the cloud, HA Proxy Protocol is used in Layer 4 (TCP) proxies such as AWS Classic LB or AWS NLB. X-Forwarded-For/Forwarded headers are used in Layer 7 (http reverse proxy) proxies such as AWS ALB.
Security implications
Enabling
webServiceTrustXForwardedFor=trueorwebServiceHaProxyProtocolEnabled=trueshould be only done in environments where only a trusted proxy and trusted clients that can connect to the server with http/https. In other words, network perimeter security should be in place. The reason for this is that any client can set theX-Forwarded-Forheader or the Proxy Protocol prefix and that value would be logged as the client IP.Modifications
X-Forwarded-Forheader whenwebServiceTrustXForwardedFor=true.webServiceHaProxyProtocolEnabled=true.webServiceLogDetailedAddressesto enable logging detailed remote addresses (original and real) and local addresses (real and original destination).[R:99.22.33.44:1234 via 127.0.0.1:56873]->[L:127.0.0.1:56871 dst 5.4.3.1:4321]is appended to the log entry, such as:2024-04-19T14:59:15,896 - INFO - [prometheus-stats-32-1:RequestLog] - 99.22.33.44 - - [19/Apr/2024:14:59:15 +0300] "GET /metrics/ HTTP/1.1" 200 5061 "-" "Jetty/9.4.54.v20240208" 6 [R:99.22.33.44:1234 via 127.0.0.1:56873]->[L:127.0.0.1:56871 dst 5.4.3.1:4321]Documentation
docdoc-requireddoc-not-neededdoc-complete