akka-http tcp proxy protocol support

322 views
Skip to first unread message

Julian Howarth

unread,
Oct 5, 2015, 12:50:03 PM10/5/15
to Akka User List

Are there any plans to add proxy protocol support for akka-http? If not, how difficult would it be  to manually configure in support via a flow/stage?


The reason we needed is specific but possibly not uncommon:


 - we currently use akka-http to provide a websocket api which works very well

 - we deploy on AWS 

 - we use an AWS Elastic load balancer to distribute traffic to our websocket instances


The above all works without issue, but we now need to identify the IP addresses that the websocket connections originate from. 


For HTTP(S) connections, AWS ELB adds an X-Forwarded-For header which is already supported in akka-http. However, in order to use AWS ELB for websocket connections, the ELB needs to be configured to listen using TCP rather than HTTP which means there is no X-Forwarded-For header and instead the proxy protocol is used.


We already have a stateful stage that manages the proxy protocol for our TCP connections but what I need some guidance with is how to use that when using the HTTP bindings. Any ideas?


Thanks,


Julian

Johannes Rudolph

unread,
Oct 6, 2015, 10:46:40 AM10/6/15
to Akka User List
Hi Julian,

see scaladsl/Http.scala for all the glue code between TCP and HTTP. The hard thing will be getting the metadata from the proxy implementation into the requests but I guess putting it in a @volatile var after reading it and mapping each request would make for a simple solution.

In case you get this done, I guess your PROXY implementation and its integration with HTTP would make a nice PR ;)

HTH
Johannes

Julian Howarth

unread,
Oct 6, 2015, 11:49:42 AM10/6/15
to Akka User List
Thanks Johannes,

I'll start having a dig through and see where I get to. No doubt more questions will follow. Certainly happy to contribute it back when it's working.

Julian

Carlos Fau

unread,
Jan 15, 2016, 10:12:22 AM1/15/16
to Akka User List
Hi Julian,

Did you do any improvement on this?

Thanks,

Carlos

Julian Howarth

unread,
Jan 17, 2016, 5:47:23 AM1/17/16
to Akka User List
The reason we wanted to do this was to be able to whitelist ip addresses, only allowing access from them. After some thought, I'm afraid we decided to cheat and stuck an nginx proxy in front of our instances which does the blocking for us (we already used it for rate-limiting). We may revisit in the future as doing the ip whitelisting inside the application would be preferable but just not in the short term.

Sorry,

Julian
Reply all
Reply to author
Forward
0 new messages