Proxy protocol
Preserve connection information such as the client IP address and port for traffic that goes through your gateway listener.
About proxy protocol
Proxy Protocol is used to ensure that backend services receive the full network information, even when traffic is proxied through other components, such as an AWS Network Load Balancer or the gateway proxy itself. The gateway proxy and backend services can then use this information to apply accurate rate limiting policies, make routing decisions, and properly log and audit traffic. Without proxy protocol, the backend service can only see the IP address of the last proxy that handled the request, which can impact security measures and access control.
Before you begin
- Follow the Get started guide to install kgateway, set up a gateway resource, and deploy the httpbin sample app.
- Get the external address of the gateway and save it in an environment variable.
export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
echo $INGRESS_GW_ADDRESS
kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080
Enable proxy protocol for a listener
- Create a ListenerOption resource to enable proxy protocol for the listeners on your gateway proxy. The following example enables proxy protocol on all listeners that are configured on the gateway. To enable proxy protocol for a particular listener, include the spec.targetRefs.sectionName field as described in Option 2: Attach the policy to a particular listener on the gateway (targetRefs.sectionName). Setting allowRequestsWithoutProxyProtocol to false means that the listener does not accept connections that arrive without a proxy protocol header.
kubectl apply -f- <<EOF
apiVersion: gateway.solo.io/v1
kind: ListenerOption
metadata:
  name: proxy-protocol
  namespace: gloo-system
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: http
  options:
    proxyProtocol:
      allowRequestsWithoutProxyProtocol: false
EOF
- Verify that your configuration is applied by reviewing the Envoy configuration.
- Port forward the gloo-proxy-http deployment on port 19000.
kubectl port-forward deploy/gloo-proxy-http -n gloo-system 19000 &
- Open the config_dump endpoint.
open http://localhost:19000/config_dump
- Find the listener filters and verify that proxy protocol is enabled for all of the gateway listeners. You see a listener filter that looks similar to the following.
"listener_filters": [
  {
    "name": "envoy.filters.listener.proxy_protocol",
    "typed_config": {
      "@type": "type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol"
    }
  },
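The manual check in the last step can be scripted. The following Python script is an added example, not part of the kgateway documentation: it walks a config_dump and reports, per listener, whether the proxy protocol filter is enforced, optional (Envoy's allow_requests_without_proxy_protocol field is set), or missing. The sample dump and its listener names are constructed for illustration.

```python
import json
import sys

# Type URL of the listener filter, as shown in the config_dump excerpt above.
PROXY_TYPE = ("type.googleapis.com/envoy.extensions.filters.listener."
              "proxy_protocol.v3.ProxyProtocol")

def iter_listeners(dump):
    """Yield each static and active dynamic listener from an Envoy config_dump."""
    for section in dump.get("configs", []):
        for entry in section.get("static_listeners", []):
            yield entry.get("listener", {})
        for entry in section.get("dynamic_listeners", []):
            listener = entry.get("active_state", {}).get("listener")
            if listener:
                yield listener

def audit_proxy_protocol(dump):
    """Map listener name -> 'enforced', 'optional' or 'missing'."""
    report = {}
    for listener in iter_listeners(dump):
        status = "missing"
        for flt in listener.get("listener_filters", []):
            cfg = flt.get("typed_config", {})
            if cfg.get("@type") == PROXY_TYPE:
                # Envoy field: true lets connections without a PROXY header through.
                optional = cfg.get("allow_requests_without_proxy_protocol", False)
                status = "optional" if optional else "enforced"
        report[listener.get("name", "<unnamed>")] = status
    return report

def _listener(name, filters):
    # Helper for the constructed sample: one dynamic listener entry.
    return {"name": name,
            "active_state": {"listener": {"name": name, "listener_filters": filters}}}

# Constructed sample (listener names are made up), not output from a real gateway.
SAMPLE_DUMP = {"configs": [{
    "@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
    "dynamic_listeners": [
        _listener("listener-8080", [{"typed_config": {"@type": PROXY_TYPE}}]),
        _listener("listener-8443", [{"typed_config": {
            "@type": PROXY_TYPE, "allow_requests_without_proxy_protocol": True}}]),
        _listener("listener-9090", []),
    ]}]}

if __name__ == "__main__":
    # Pass a saved config_dump file as the first argument, or run on the sample.
    dump = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DUMP
    for name, status in sorted(audit_proxy_protocol(dump).items()):
        print(f"{name}: {status}")
```

To run it against the gateway, save the output of http://localhost:19000/config_dump to a file and pass the file path as the first argument.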
Cleanup
You can remove the resources that you created in this guide.
kubectl delete listeneroption proxy-protocol -n gloo-system