Implementation of PROXY protocol V1 #4600

Merged
merged 3 commits into from
Sep 2, 2024

@renecannao renecannao commented Aug 7, 2024

The current commit introduces:

  • class ProxyProtocolInfo(), that:
    • performs parsing
    • validates subnet
    • runs automated tests in DEBUG build
  • variable mysql-proxy_protocol_networks. Accepted values:
    • empty string: disables PROXY protocol
    • '*': allows connections from any IP
    • comma-separated list of subnets
  • automated testing in DEBUG build during start
  • export of PROXY protocol information in internal session, using PROXY_V1
  • a TAP test to verify various connections

TODO:

  • better error handling, or warning generation
  • automated testing with haproxy and PROXY protocol enabled
  • more testing

This commit introduces:
- class ProxyProtocolInfo(), that:
  - performs parsing
  - validates subnet
  - runs automated tests in DEBUG build
- variable mysql-proxy_protocol_networks. Accepted values:
  - empty string: disables PROXY protocol
  - '*': allows connections from any IP
  - comma-separated list of subnets
- automated testing in DEBUG build during start
- export of PROXY protocol information in internal session, using PROXY_V1
- a TAP test to verify various connections
@renecannao renecannao marked this pull request as draft August 7, 2024 21:48
@renecannao

retest this please

@renecannao

Documentation draft:

ProxySQL PROXY Protocol Support Documentation

This document outlines the new PROXY protocol support in ProxySQL. It provides information on how to enable and configure the protocol, its functionalities, and potential use cases.

Introduction

The PROXY protocol is a simple mechanism for transparently forwarding client IP addresses through a network load balancer. It allows applications behind a network load balancer to identify the original client's IP address, even if the connection is made through a network load balancer. ProxySQL now supports the PROXY protocol version 1, which is suitable for database environments.

Version 2 of the PROXY protocol enhances version 1, but it provides a lot of features that, while commonly used in web environments, are not suitable for database environments.

Enabling PROXY Protocol Support

To enable PROXY protocol support in ProxySQL, you need to configure the mysql-proxy_protocol_networks global variable. This variable accepts the following values:

  • empty string: Disables PROXY protocol support. This is the default setting.
  • '*': Enables PROXY protocol support for connections from any IP address.
  • comma-separated list of subnets or IP addresses: Enables PROXY protocol support for connections originating from the specified subnets or IP addresses.

Example:

To enable PROXY protocol support for connections from the subnet 192.168.1.0/24 and the IP address 10.0.0.1, you would set the following:

mysql-proxy_protocol_networks = "192.168.1.0/24,10.0.0.1"

Note: The subnet notation should follow standard CIDR notation (e.g., 192.168.1.0/24).

How ProxySQL Handles PROXY Protocol

When a connection arrives at ProxySQL, it checks for the PROXY protocol header. If the header is detected and the network load balancer IP address matches the configured mysql-proxy_protocol_networks, ProxySQL extracts the client IP address and port from the header and uses it for:

  • Query rules: The client IP address is used to evaluate query rules, allowing for IP-based rules for caching, rewrite, routing, filtering, etc.

  • Processlist: The client IP address and port are displayed in the processlist, providing accurate information about the originating client.

  • Auditing: If auditing is enabled, the client IP and port are reported in the log.

  • Query logging: If query logging is enabled, the client IP and port are reported in the log.

  • Query statistics: In stats_mysql_query_digest, the client IP will be reported.

  • Database access control: You can use PROXY protocol to restrict access to your database based on client IP addresses. For example, you could configure ProxySQL to only allow connections from specific subnets.

  • Performance monitoring: You can use PROXY protocol to track the origin of database connections, allowing you to identify potential bottlenecks or performance issues related to specific clients.

  • Security auditing: You can use PROXY protocol to log and audit database access based on the original client IP address.

Conclusion

The PROXY protocol support in ProxySQL provides a valuable mechanism for managing and securing database connections. It allows you to transparently forward client IP addresses, enabling advanced features like IP-based access control and performance monitoring. By configuring the mysql-proxy_protocol_networks variable, you can easily enable PROXY protocol support and leverage its benefits for your database environment.

Further Information:

@renecannao renecannao changed the base branch from v2.x to v2.7 September 2, 2024 14:13
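
The acceptance decision described in the documentation draft above (check the TCP peer against mysql-proxy_protocol_networks, then take the client address from the header), as an added Python example that is not ProxySQL's own code. The function names, the fallback to the TCP peer address when the peer is not trusted, and the sample addresses are assumptions; the 107-byte line limit and the TCP4/TCP6/UNKNOWN forms come from the PROXY protocol v1 specification.

```python
import ipaddress

MAX_V1_LEN = 107  # longest PROXY v1 line allowed by the protocol spec, CRLF included

def peer_is_trusted(peer_ip, networks):
    """Evaluate the three documented forms of mysql-proxy_protocol_networks."""
    networks = networks.strip()
    if not networks:                      # empty string: PROXY protocol disabled
        return False
    if networks == "*":                   # header accepted from any peer
        return True
    peer = ipaddress.ip_address(peer_ip)
    for entry in networks.split(","):
        net = ipaddress.ip_network(entry.strip(), strict=False)  # bare IP -> /32 or /128
        if peer.version == net.version and peer in net:
            return True
    return False

def parse_v1(data):
    """Return (src_ip, src_port) from a v1 header, or None for 'PROXY UNKNOWN'."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("incomplete or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":
        return None
    family = {"TCP4": 4, "TCP6": 6}.get(fields[1])
    if family is None or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])  # ValueError if invalid
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match TCP4/TCP6")
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:6]):
        raise ValueError("port out of range")
    return str(src), int(fields[4])

def effective_client(peer_ip, peer_port, data, networks):
    """Assumed policy: honour the header only when the TCP peer is trusted."""
    if data.startswith(b"PROXY ") and peer_is_trusted(peer_ip, networks):
        return parse_v1(data) or (peer_ip, peer_port)
    return peer_ip, peer_port

# Constructed sample: a header claiming client 198.51.100.7:51234.
HEADER = b"PROXY TCP4 198.51.100.7 192.168.1.10 51234 6033\r\n"
NETWORKS = "192.168.1.0/24,10.0.0.1"   # the example value from the draft
```

With the draft's example value, the header is honoured from 192.168.1.5 or 10.0.0.1 and ignored from 203.0.113.9; with `'*'` the same header is honoured from every peer, so the address it carries is only as reliable as the network path in front of the listener.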
@renecannao

retest this please

@renecannao renecannao marked this pull request as ready for review September 2, 2024 19:59
@renecannao renecannao merged commit 3835029 into v2.7 Sep 2, 2024
51 of 52 checks passed