akka-http tcp proxy protocol support


Julian Howarth

2015/10/05 12:50:03
To: Akka User List

Are there any plans to add proxy protocol support for akka-http? If not, how difficult would it be to manually configure in support via a flow/stage?


The reason we need it is specific but possibly not uncommon:


 - we currently use akka-http to provide a websocket api which works very well

 - we deploy on AWS 

 - we use an AWS Elastic load balancer to distribute traffic to our websocket instances


The above all works without issue, but we now need to identify the IP addresses that the websocket connections originate from. 


For HTTP(S) connections, AWS ELB adds an X-Forwarded-For header which is already supported in akka-http. However, in order to use AWS ELB for websocket connections, the ELB needs to be configured to listen using TCP rather than HTTP which means there is no X-Forwarded-For header and instead the proxy protocol is used.


We already have a stateful stage that manages the proxy protocol for our TCP connections but what I need some guidance with is how to use that when using the HTTP bindings. Any ideas?


Thanks,


Julian

Johannes Rudolph

2015/10/06 10:46:40
To: Akka User List
Hi Julian,

See scaladsl/Http.scala for all the glue code between TCP and HTTP. The hard thing will be getting the metadata from the proxy implementation into the requests, but I guess putting it in a @volatile var after reading it and mapping each request would make for a simple solution.

In case you get this done, I guess your PROXY implementation and its integration with HTTP would make a nice PR ;)

HTH
Johannes

Julian Howarth

2015/10/06 11:49:42
To: Akka User List
Thanks Johannes,

I'll start having a dig through and see where I get to. No doubt more questions will follow. Certainly happy to contribute it back when it's working.

Julian

Carlos Fau

2016/01/15 10:12:22
To: Akka User List
Hi Julian,

Did you do any improvement on this?

Thanks,

Carlos

Julian Howarth

2016/01/17 5:47:23
To: Akka User List
The reason we wanted to do this was to be able to whitelist IP addresses, only allowing access from them. After some thought, I'm afraid we decided to cheat and stuck an nginx proxy in front of our instances which does the blocking for us (we already used it for rate-limiting). We may revisit in the future, as doing the IP whitelisting inside the application would be preferable, but just not in the short term.

Sorry,

Julian
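
An added example, not code from this thread or from akka-http: a strict parser for the version 1 (text) PROXY protocol header, narrowed to TCP4, together with the allow-list check on the reported source address that the thread wanted to do inside the application. All names are hypothetical; it assumes Scala 2.12 or later, that the load balancer sends the v1 header, and that only the load balancer can reach the listener, since a client connecting directly could otherwise supply its own header.

```scala
import java.net.InetAddress
import java.nio.charset.StandardCharsets.US_ASCII

// Added example; ProxyV1, Peer, parse and allowed are hypothetical names.
object ProxyV1 {
  final case class Peer(src: InetAddress, srcPort: Int, dst: InetAddress, dstPort: Int)

  val MaxHeaderLen = 107 // longest v1 header the spec allows, CRLF included
  private val V4 = """(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})""".r

  // Dotted quad only, built from bytes: InetAddress.getByName could trigger a DNS lookup.
  private def ipv4(s: String): Option[InetAddress] = s match {
    case V4(a, b, c, d) =>
      val octets = List(a, b, c, d).map(_.toInt)
      if (octets.forall(_ <= 255)) Some(InetAddress.getByAddress(octets.map(_.toByte).toArray))
      else None
    case _ => None
  }

  private def port(s: String): Option[Int] =
    if (s.matches("[0-9]{1,5}")) Some(s.toInt).filter(_ <= 65535) else None

  /** buf holds the first bytes read from the connection. Right carries the peer and
    * the number of header bytes to drop before HTTP parsing; Left means close the socket
    * (or, for "incomplete", keep buffering and retry). */
  def parse(buf: Array[Byte]): Either[String, (Peer, Int)] = {
    val window = new String(buf, 0, math.min(buf.length, MaxHeaderLen), US_ASCII)
    val end = window.indexOf("\r\n")
    if (end < 0) Left(if (buf.length < MaxHeaderLen) "incomplete" else "no CRLF within 107 bytes")
    else window.substring(0, end).split(" ", -1) match {
      case Array("PROXY", "TCP4", s, d, sp, dp) =>
        (for (a <- ipv4(s); b <- ipv4(d); p <- port(sp); q <- port(dp))
          yield (Peer(a, p, b, q), end + 2)).toRight("malformed TCP4 fields")
      case _ => Left("not a PROXY v1 TCP4 header")
    }
  }

  // Allow-list decision on the client address reported by the load balancer.
  def allowed(peer: Peer, allow: Set[InetAddress]): Boolean = allow.contains(peer.src)
}

object Demo extends App {
  // Constructed sample: a v1 header followed by the start of an HTTP request.
  val bytes = "PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\nGET /ws HTTP/1.1\r\n".getBytes(US_ASCII)
  val allow = Set(InetAddress.getByAddress(Array[Byte](198.toByte, 51, 100, 22)))
  println(ProxyV1.parse(bytes).map { case (peer, skip) => (peer.src, skip, ProxyV1.allowed(peer, allow)) })
}
```

The byte count returned by `parse` is what a stage in front of the HTTP layer would strip from the stream, and the `Peer` is the metadata that then has to be attached to each request on that connection.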