
Running a [FIX][1] server behind an AWS load balancer. The load balancer is located outside the application VPC.

Need to allow/disallow connections based on client IP.

As client connections are through the load balancer, only the load balancer IP is visible to the application. In order to get the client IP, have tried the options below:

  1. Enable IP preservation in the load balancer
  2. Enable proxy protocol in the load balancer

#1 didn't work as the load balancer is outside the application VPC. #2 is able to deliver the IP information, but it requires application support.

Are there any other options available?

If not, how can I support proxy protocol for a Java FIX application (written using quickfixj)?

[1]: https://www.onixs.biz/fix-protocol.html#:~:text=The%20Financial%20Information%20eXchange%20(FIX,entities%20including%20trade%20allocation%2C%20order

Rimash Mohomed
  • Don't have any experience with AWS but did you look at QFJ's proxy settings? – Christoph John May 26 '22 at 20:09
  • @ChristophJohn Found `SocketAcceptProtocol`, and the possible values for the configuration are SOCKET, VM_PIPE and PROXY. Did try the configuration with PROXY and there was no difference (I am not sure whether the configuration is related to proxy protocol or not). And noticed certain methods don't handle `PROXY` in ProxyFactory [https://github.com/quickfix-j/quickfixj/blob/895224da1a05055bc99d936920d1e1ed7edc9935/quickfixj-core/src/main/java/quickfix/mina/ProtocolFactory.java] – Rimash Mohomed May 28 '22 at 19:37
  • OK, back to your original question. What does "#2 Able to deliver the IP information but it requires application support." mean? Are you able to establish connections with this configuration? If yes, what is the open problem? Thanks. – Christoph John May 30 '22 at 09:26
  • Enabled proxy protocol in the AWS load balancer (where the original client IP is masked) and am able to establish a connection with proxy protocol header information, which is captured using tcpdump and extracted using Wireshark. Now the open problem is to read the proxy protocol from the FIX server. As the FIX connection is created using the quickfixj library, is there any way to configure the library to read the proxy protocol header? – Rimash Mohomed May 30 '22 at 21:53
  • So when you establish the connection with QFJ it only recognizes the masked IP? There is no config way to do it but maybe you could create a MINA filter that provides this information. Maybe there even already is such a filter. Am not very familiar with the proxy stuff. – Christoph John May 31 '22 at 07:21
  • Yes, it identifies the masked IP even when the original IP information is available in the proxy headers. This is the protocol I am referring to: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt – Rimash Mohomed May 31 '22 at 09:34
  • I searched around a little. I could imagine that you could add this functionality as a MINA filter based on this: https://gist.github.com/codingtony/a8684c9ffa08ad56899f94d3b6c2a040 You then would need to add the filter to the QFJ filter chain. This *could* work. Never tested this myself. But if it worked it would be good to contribute it to the QFJ code base. – Christoph John May 31 '22 at 14:16
  • Thanks for the directions, will try and update – Rimash Mohomed May 31 '22 at 14:44
  • @ChristophJohn It worked. Preparing a PR for quickfixj – Rimash Mohomed Jun 07 '22 at 21:29
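
Added example, not taken from the thread, the linked gist or QuickFIX/J: a JDK-only decoder for the binary PROXY protocol v2 header defined in the HAProxy specification linked above, of the kind a MINA filter would call before passing bytes to the FIX decoder, followed by an allowlist check on the recovered client IP. It assumes the load balancer sends version 2 of the header; the class name `ProxyV2Header`, the sample addresses and the allowlist are constructed for illustration.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Set;

/** Hypothetical helper, not part of QuickFIX/J: decodes a PROXY protocol v2 header. */
public final class ProxyV2Header {
    private static final byte[] SIG =
        {0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A};

    /** source is null for LOCAL connections and anything other than PROXY over IPv4/IPv6. */
    public record Result(InetSocketAddress source, int headerLength) {}

    /** Returns null when more bytes are needed; throws if the stream has no v2 header. */
    public static Result parse(ByteBuffer in) throws Exception {
        byte[] d = new byte[in.remaining()];
        in.duplicate().get(d);                              // leave the caller's position untouched
        if (d.length < 16) return null;
        if (!Arrays.equals(Arrays.copyOf(d, 12), SIG) || (d[12] & 0xF0) != 0x20)
            throw new IllegalArgumentException("missing PROXY v2 header");
        int len = ((d[14] & 0xFF) << 8) | (d[15] & 0xFF);   // bytes after the 16-byte prefix
        if (d.length < 16 + len) return null;
        int cmd = d[12] & 0x0F, family = (d[13] & 0xF0) >> 4;
        int alen = family == 1 ? 4 : family == 2 ? 16 : 0;  // AF_INET / AF_INET6
        if (cmd != 1 || alen == 0) return new Result(null, 16 + len);
        if (len < 2 * alen + 4) throw new IllegalArgumentException("truncated address block");
        InetAddress src = InetAddress.getByAddress(Arrays.copyOfRange(d, 16, 16 + alen));
        int p = 16 + 2 * alen;                              // source port follows both addresses
        int port = ((d[p] & 0xFF) << 8) | (d[p + 1] & 0xFF);
        return new Result(new InetSocketAddress(src, port), 16 + len);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: PROXY/TCP4, 203.0.113.7:51000 -> 10.0.0.5:9876, then FIX bytes.
        ByteBuffer buf = ByteBuffer.allocate(64);
        buf.put(SIG).put((byte) 0x21).put((byte) 0x11).putShort((short) 12);
        buf.put(new byte[] {(byte) 203, 0, 113, 7, 10, 0, 0, 5});
        buf.putShort((short) 51000).putShort((short) 9876);
        buf.put("8=FIX.4.4".getBytes(StandardCharsets.US_ASCII)).flip();
        Set<String> allowed = Set.of("203.0.113.7");        // constructed allowlist
        Result r = parse(buf);
        boolean ok = r.source() != null && allowed.contains(r.source().getAddress().getHostAddress());
        buf.position(r.headerLength());                     // FIX data starts after the header
        System.out.println(r.source() + " allowed=" + ok + " fixBytes=" + buf.remaining());
    }
}
```

The header is only as trustworthy as its sender, so the acceptor port should be reachable solely from the load balancer; a directly connected client could otherwise supply any source address it likes.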

0 Answers