
How can one parse the PROXY protocol version 2 header and use the parsed values to select a backend?

Specifically, I am making a connection from one AWS account to another using a VPC PrivateLink endpoint with PROXY v2 enabled. This includes the endpoint ID according to the docs.

The Proxy Protocol header also includes the ID of the endpoint. This information is encoded using a custom Type-Length-Value (TLV) vector as follows.

My goal is to connect from a resource A in account 1 to a resource B in account 2. The plan is resource A -> PrivateLink -> NLB (with PROXY v2 enabled) -> HAProxy -> resource B.

I need to detect the VPC PrivateLink endpoint ID in the HAProxy frontend to select the correct backend. How can this be done? I'm not clear on how to call a custom parser in the HAProxy configuration, or if this is even possible? Is it? If so, how can this be done?

Reason I can't just use source IP: It is possible for private IP spaces to overlap in my architecture. There will be several accounts acting as account 1 in the example above, so I have to do destination routing based on the endpoint ID rather than the source IP exposed by the PROXY usage.

Examples

Not good

This is our current scenario. In it, two inbound connections from different VPCs having the same private IP address space cannot be distinguished.

frontend salt_4506_acctA_front
        bind 10.0.1.32:4506 accept-proxy
        mode tcp
        default_backend salt_4506_acctA_back

backend salt_4506_acctA_back
        balance roundrobin
        mode tcp
        server salt-master-ecs 192.168.0.88:32768

If we need to route connections for acctB's VPC using the same IP, there would be no way to distinguish.

Ideal

An ideal solution would be to modify this to something like the following (though I recognize this won't work; it is just pseudo-configuration).

frontend salt_4506_acctA_front
        bind *:4506 accept-proxy if endpointID == vpce-xxxxxxx1
        mode tcp
        default_backend salt_4506_acctA_back

backend salt_4506_acctA_back
        balance roundrobin
        mode tcp
        server salt-master-ecs 192.168.0.88:32768

Any other options in place of HAProxy for destination routing based on the endpoint ID are also acceptable, but HAProxy seemed like the obvious candidate.

theherk
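The parsing step the question asks about, as an added example that is not code from the post, from HAProxy or from AWS: a Python parser for the PROXY protocol v2 header (signature, version/command, family, address block, then the TLV vector), a helper that pulls the PrivateLink endpoint ID out of the 0xEA TLV, and a routing function that picks a backend from that ID rather than from the source IP. It assumes the AWS layout of the 0xEA value (a subtype byte 0x01 followed by the ASCII endpoint ID, as AWS documents it), the `vpce-0000acct*` IDs and the `ROUTES` backend names are constructed placeholders, and `build_proxy_v2` exists only to construct sample input.

```python
"""Parse a PROXY protocol v2 header, extract the AWS PrivateLink endpoint-ID TLV
and select a backend from it.  Added example; not code from the question."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte v2 signature from proxy-protocol.txt
PP2_TYPE_AWS = 0xEA             # vendor TLV type AWS uses (the 0xEA from the comments)
PP2_SUBTYPE_AWS_VPCE_ID = 0x01  # assumed AWS layout: subtype byte, then ASCII "vpce-..." ID
ADDR_LEN = {1: 12, 2: 36}       # AF_INET: 4+4+2+2 bytes, AF_INET6: 16+16+2+2 bytes


@dataclass
class ProxyV2Header:
    command: str                 # "PROXY" or "LOCAL"
    family: int                  # 0 = unspec, 1 = AF_INET, 2 = AF_INET6
    src: Optional[str]
    dst: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    tlvs: Dict[int, bytes]       # TLV type -> raw value
    header_len: int              # bytes to strip before the real payload starts


def parse_tlvs(buf: bytes) -> Dict[int, bytes]:
    """Walk the TLV vector: 1-byte type, 2-byte big-endian length, value.
    Any length that runs past the header is rejected instead of read."""
    tlvs: Dict[int, bytes] = {}
    off = 0
    while off < len(buf):
        if off + 3 > len(buf):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack_from("!BH", buf, off)
        off += 3
        if off + tlv_len > len(buf):
            raise ValueError("TLV length exceeds header length")
        tlvs[tlv_type] = buf[off:off + tlv_len]
        off += tlv_len
    return tlvs


def parse_proxy_v2(data: bytes) -> ProxyV2Header:
    """Parse the v2 header at the start of `data`; raise ValueError on anything malformed."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack_from("!BBH", data, 12)
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    command = {0: "LOCAL", 1: "PROXY"}.get(ver_cmd & 0x0F)
    if command is None:
        raise ValueError("unknown command")
    body = data[16:16 + length]
    if len(body) < length:
        raise ValueError("truncated header: %d more bytes needed" % (length - len(body)))
    family = fam_proto >> 4
    src = dst = src_port = dst_port = None
    addr_len = 0
    if command == "PROXY" and family in ADDR_LEN:
        addr_len = ADDR_LEN[family]
        if len(body) < addr_len:
            raise ValueError("address block shorter than the family requires")
        n = 4 if family == 1 else 16
        src_raw, dst_raw, src_port, dst_port = struct.unpack("!%ds%dsHH" % (n, n), body[:addr_len])
        src = str(ipaddress.ip_address(src_raw))
        dst = str(ipaddress.ip_address(dst_raw))
    elif command == "PROXY" and family != 0:
        raise ValueError("unsupported address family")  # e.g. AF_UNIX
    return ProxyV2Header(command, family, src, dst, src_port, dst_port,
                         parse_tlvs(body[addr_len:]), 16 + length)


def endpoint_id(hdr: ProxyV2Header) -> Optional[str]:
    """Return the PrivateLink endpoint ID carried in the 0xEA TLV, or None."""
    value = hdr.tlvs.get(PP2_TYPE_AWS)
    if not value or value[0] != PP2_SUBTYPE_AWS_VPCE_ID:
        return None
    return value[1:].decode("ascii")


def select_backend(hdr: ProxyV2Header, routes: Dict[str, str], default: str = "reject") -> str:
    """Pick a backend by endpoint ID; source IPs may overlap, so they are never consulted."""
    return routes.get(endpoint_id(hdr) or "", default)


def build_proxy_v2(src: str, dst: str, src_port: int, dst_port: int, tlvs: Dict[int, bytes]) -> bytes:
    """Build a TCPv4 PROXY v2 header.  Used here only to construct sample input."""
    body = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    body += struct.pack("!HH", src_port, dst_port)
    for tlv_type, value in tlvs.items():
        body += struct.pack("!BH", tlv_type, len(value)) + value
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


# Constructed routing table: placeholder endpoint IDs mapped to backend names.
ROUTES = {"vpce-0000acctA": "salt_4506_acctA_back",
          "vpce-0000acctB": "salt_4506_acctB_back"}

if __name__ == "__main__":
    # Two constructed connections with the same (overlapping) source IP; only the TLV differs.
    for vpce in ("vpce-0000acctA", "vpce-0000acctB"):
        tlv = {PP2_TYPE_AWS: bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce.encode()}
        raw = build_proxy_v2("10.0.0.5", "10.0.1.32", 40000, 4506, tlv)
        hdr = parse_proxy_v2(raw + b"payload")
        print(hdr.src, endpoint_id(hdr), "->", select_backend(hdr, ROUTES))
```

Both constructed connections arrive from 10.0.0.5 and are told apart purely by the TLV, which is the overlap problem the question describes; this is the work a Lua action or a native sample fetch inside HAProxy would have to do before the frontend can pick a backend. Later HAProxy releases (2.9 onward, to my knowledge) added an `fc_pp_tlv(<type>)` sample fetch that returns a TLV's raw value, which is the missing fetch the comment thread refers to. Whichever way the header is parsed, `accept-proxy` should only be set on bind lines reachable solely from the NLB, because whoever can send a PROXY header chooses the endpoint ID the routing then trusts.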

1 Answer

Looks like AWS uses the "2.2.7. Reserved type ranges" as described in https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt, therefore you will need to parse this part on your own.

This could be possible in Lua, maybe; I'm not an expert in Lua, yet ;-)

Aleksandar
  • I'm having trouble understanding where Lua comes into the picture. I see several ways to parse the header contents, but not how to incorporate this into the HAProxy configuration. – theherk Jan 12 '18 at 01:07
  • Well, the PROXY protocol is before any HTTP header, so you will need to take a look at whether it's possible to intercept this step. – Aleksandar Jan 12 '18 at 13:53
  • I was referring to the PROXY header, not the HTTP header. It seems HAProxy should be able to extract the TLVs and provide matching in ACLs. – theherk Jan 12 '18 at 17:31
  • Well, AFAIK there isn't a fetch method for that. Contribution is welcome. – Aleksandar Jan 12 '18 at 21:06
  • I would certainly consider contribution once I have a full account of what is possible and fully understand what shape that contribution would take, but I still feel like I may be overlooking the detail required. Basically I'd like to see the ability to use `acl vpce tlv(0xEA) -m end v-1234`. – theherk Jan 15 '18 at 16:11
  • I have requested on the mailing list of HAProxy if this is possible. https://www.mail-archive.com/haproxy@formilux.org/msg28713.html – Aleksandar Jan 15 '18 at 16:26