nginx-based ssl passthrough support with SNI #2539
Comments
Agree. The issue with that approach is that you lose the source IP address (client). |
|
@r7vme the problem is that using the sni preread feature implies the use of an upstream so you receive a connection from nginx itself Please check https://github.com/kubernetes/ingress-nginx/pull/614/files#diff-b7803798d356c6c17a90d93cc58bdbaaL480 |
I think with "piping" you also receive connection from ingress-controller? That's why PROXY protocol is in place, to keep initial client IP. |
|
In our case, we don't need PROXY support in ingress as we use either ELB or Nginx. Are there are many people using ingress-controller w/o load-balancers in front? Not top priority, but having ability to skip additional layer (Go based proxy) in data path would be great. Unfortunately we still need |
I want to change that but losing the source IP address is a deal breaker. |
Definitely, but i think it's possible to make Go proxy optional for cases, when PROXY protocol enabled on load balancer (ELB, HAProxy). In general, do you think will it work? I can work on PR based on initial implmentation here |
|
I use nginx-ingress without a lb in front. |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
@aledbf , but in case of passthrough, you do not touch the original package, so it still contains the HOST header. Isn't this the source of the client IP? |
No, because once we read the TLS sni hello in the stream section we need to send the connection to a nginx upstream and that means NGINX opens a new connection to the upstream server. That's the reason why we lose the source IP address. There is no option to "just" pipe the connection. |
|
I see, I guess the main reason for ssl-passthrough is ssl-client authn. is it that important to keep the client ip? |
Most of the users want this information |
|
I guess then, the only way is proxy protocol. This seems to be a solution .. https://stackoverflow.com/questions/48211083/proxy-protocol-and-ssl |
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Is this a BUG REPORT or FEATURE REQUEST? (choose one): FEATURE REQUEST
At the moment ingress controller implements own proxy for ssl passthrough cases. It runs in own go routine that does three things:
It would be great to have
1and3done by nginx.2is only needed, when your clients going directly to ingress-controller w/o load-balancer and support proxy protocol. Not needed if external load balancer already does PROXY protocol (e.g. AWS ELB and HAProxy).The text was updated successfully, but these errors were encountered: