PROXY protocol revisited

Federico Schwindt fgsch at lodoss.net
Sun Nov 16 19:24:40 CET 2014


Hi,

I think it makes sense to make PROTO optional, falling back to current
behavior if not present.

Since proxy also supports IPv6 we should consider using brackets around the
address for IPv6, e.g. proxy@[2001:67c:2804:1001::c21f:279b]:8081

Regarding logging, your suggestion makes sense to me.

Salute.

On Tue, Nov 11, 2014 at 4:41 PM, Dag Haavi Finstad <
daghf at varnish-software.com> wrote:

> Hi guys
>
> I've been looking into implementing the PROXY protocol[1] for Varnish
> 4. This has been discussed several times before, in particular it
> seems some consensus was found at VDD13Q4 in Berlin last year [2].
> This was regarding the interface in terms of specifying the listening
> socket (-a) and the VCL *.ip bits. I was not present at this VDD
> myself, so I'd just like to discuss and perhaps get some verification
> as to what was agreed.
>
> As for the -a listening argument, this ties into how it should be
> handled for HTTP/2. From reading the notes, the agreed upon syntax was
>
>   -a PROTO@IP:0
>
> Is the PROTO@ part mandatory, or is there a fallback when it's left
> out (e.g. plain old '-a :80')? I think it makes most sense to have the
> fallback value be HTTP/1.1 that also supports HTTP/2 via Upgrade [3].
>
> If we are also going to have a way of specifying the protocol to be
> exclusively HTTP/1 or HTTP/2 [4], we could use values 'http1' and
> 'http2' to denote that.
>
> Further, a PROXY protocol listen socket is specified like this:
>   -a proxy@192.168.1.10:8081
>
> The PROXY implementation will hand over to the HTTP/1 FSM after
> processing the PROXY header. From my understanding the PROXY protocol
> is not specified for HTTP/2, so the connection here must stick with
> HTTP/1. Also, any incoming request on this interface not containing a
> valid PROXY header must be rejected.
>
> As for the VCL bits, I'm very happy with what was agreed upon at
> VDD13Q4 (local.ip, remote.ip, client.ip, server.ip).
>
> I don't see any mention of logging having been discussed, but I think
> it makes sense to have SessOpen use local.ip/remote.ip, while ReqStart
> should use server.ip/client.ip. varnishncsa will then use client.ip
> for logging the client host (%h).
>
> Opinions, input, comments?
>
> [1]: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
> [2]: https://www.varnish-cache.org/trac/wiki/VDD13Q4#PROXY
> [3]: https://tools.ietf.org/html/draft-ietf-httpbis-http2-15#section-3.2
> [4]: https://tools.ietf.org/html/draft-ietf-httpbis-http2-15#section-3.4
>
> --
> Dag Haavi Finstad
> Software Developer | Varnish Software
> Mobile: +47 476 64 134
> We Make Websites Fly!
>
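The rule in the quoted message that a connection on a proxy listen socket must be rejected unless it starts with a valid PROXY header, sketched for the v1 text format of the spec linked as [1]. This is an added example, not Varnish code or code from either poster; `struct proxy_v1`, `proxy_v1_parse` and `parse_port` are hypothetical names. It assumes the caller has already buffered the first line, and it refuses the `UNKNOWN` family because that carries no address to use.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

struct proxy_v1 {            /* hypothetical result type for this example */
    int family;              /* AF_INET or AF_INET6 */
    char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
    unsigned sport, dport;
};

/* Decimal TCP port: digits only, no leading zero, at most 65535. */
static int parse_port(const char *s, unsigned *out)
{
    size_t n = strlen(s);
    if (n == 0 || n > 5 || (n > 1 && s[0] == '0') || strspn(s, "0123456789") != n)
        return -1;
    return sscanf(s, "%u", out) == 1 && *out <= 65535 ? 0 : -1;
}

/* Returns bytes consumed (header line plus CRLF), or -1: close the connection. */
int proxy_v1_parse(const char *buf, size_t len, struct proxy_v1 *p)
{
    char line[108], *tok[7], *c;
    unsigned char raw[16];
    size_t i = 0, n = 0, max = len < 107 ? len : 107;  /* v1 limit, CRLF included */

    while (i + 1 < max && !(buf[i] == '\r' && buf[i + 1] == '\n'))
        i++;
    if (i + 1 >= max || memchr(buf, '\0', i) != NULL)
        return -1;                               /* no CRLF in time, or a NUL */
    memcpy(line, buf, i);
    line[i] = '\0';
    for (tok[n++] = c = line; *c != '\0'; c++)   /* split on single spaces only */
        if (*c == ' ' && n < 7) {                /* a 7th token means reject */
            *c = '\0';
            tok[n++] = c + 1;
        }
    if (n != 6 || strcmp(tok[0], "PROXY") != 0)
        return -1;
    p->family = strcmp(tok[1], "TCP4") == 0 ? AF_INET :
                strcmp(tok[1], "TCP6") == 0 ? AF_INET6 : AF_UNSPEC;
    if (p->family == AF_UNSPEC ||                /* UNKNOWN is refused here */
        inet_pton(p->family, tok[2], raw) != 1 || inet_pton(p->family, tok[3], raw) != 1 ||
        parse_port(tok[4], &p->sport) != 0 || parse_port(tok[5], &p->dport) != 0)
        return -1;
    snprintf(p->src, sizeof p->src, "%s", tok[2]);
    snprintf(p->dst, sizeof p->dst, "%s", tok[3]);
    return (int)i + 2;
}
```

The return value tells the caller where the HTTP/1 bytes begin, so the header is consumed exactly once before the hand-over described above.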