Add PROXY protocol support for rate limiting behind load balancers#6819
Open
raajheshkannaa wants to merge 1 commit into spiffe:main from
Conversation
When SPIRE server runs behind a load balancer that does not preserve client IPs, all requests appear to originate from the load balancer, causing per-IP rate limiting to incorrectly throttle all agents as a single client.

This adds opt-in PROXY protocol (RFC 5765) support via a new listen_proxy_protocol configuration option. When enabled, the TCP listener is wrapped with a PROXY protocol listener (using github.com/pires/go-proxyproto) so that conn.RemoteAddr() returns the real client IP encoded in the PROXY protocol header. The existing rate limiting middleware requires no changes since it already reads the client IP from the gRPC peer address.

The option defaults to false and must be explicitly enabled, since the load balancer and SPIRE server must agree on PROXY protocol usage.

Fixes spiffe#6678
Summary
When SPIRE server sits behind a load balancer that doesn't preserve client IPs, per-IP rate limiting treats all agents as one client (the LB IP). This adds opt-in PROXY protocol support so the server can extract real client IPs from the PROXY protocol header.
- listen_proxy_protocol config option (defaults to false)
- TCP listener wrapped with github.com/pires/go-proxyproto when enabled, so conn.RemoteAddr() returns the real client IP

Configuration
This must only be enabled when the load balancer is configured to send PROXY protocol headers.
Fixes #6678
Test plan
- listen_proxy_protocol in both file config and server config
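The mechanism the description and summary rely on, shown as an added stdlib-only example rather than the PR's code (the PR uses github.com/pires/go-proxyproto): a minimal PROXY protocol v1 header parser and a net.Conn wrapper whose RemoteAddr returns the client address carried in the header, so a rate limiter keyed on the peer address sees each agent separately instead of the load balancer. The function names and the sample header values are constructed for this example.

```go
package main

import (
	"bufio"
	"errors"
	"net"
	"strings"
)

// proxyConn wraps an accepted connection. Once the PROXY header has been consumed,
// RemoteAddr reports the client address from the header, not the load balancer's.
type proxyConn struct {
	net.Conn
	br     *bufio.Reader
	client net.Addr
}

func (c *proxyConn) Read(p []byte) (int, error) { return c.br.Read(p) }
func (c *proxyConn) RemoteAddr() net.Addr    { return c.client }

// parseProxyV1 parses the text form of the header, e.g.
// "PROXY TCP4 203.0.113.7 10.0.0.5 51234 8081\r\n", and returns the source address.
func parseProxyV1(line string) (*net.TCPAddr, error) {
	f := strings.Fields(line)
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return nil, errors.New("malformed PROXY v1 header")
	}
	return net.ResolveTCPAddr("tcp", net.JoinHostPort(f[2], f[4]))
}

// wrapProxyConn reads the header from a freshly accepted connection. The header is
// trusted as-is, which is why the option is opt-in and the listener must only be
// reachable through a load balancer that always prepends it.
func wrapProxyConn(conn net.Conn) (net.Conn, error) {
	br := bufio.NewReader(conn)
	line, err := br.ReadString('\n')
	if err != nil {
		return nil, err
	}
	client, err := parseProxyV1(line)
	if err != nil {
		return nil, err
	}
	return &proxyConn{Conn: conn, br: br, client: client}, nil
}

// clientKey is what a per-IP rate limiter keys on: the host part of the peer address.
func clientKey(conn net.Conn) string {
	host, _, _ := net.SplitHostPort(conn.RemoteAddr().String())
	return host
}
```

Only the human-readable v1 header is handled here; go-proxyproto also parses the binary v2 form, and a connection that is missing the header is rejected rather than falling back to the load balancer's address.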