Envoy using proxy protocol not sending DOWNSTREAM_REMOTE_ADDRESS to upstreams


Dumitru Gherman-Lad

Mar 11, 2021, 1:02:22 PM
to envoy-users

Hello,

We are seeing an issue with Envoy using proxy protocol not sending DOWNSTREAM_REMOTE_ADDRESS when connecting to other upstreams. On the upstream, the source address in the proxy protocol header appears as Envoy’s IP, and not the downstream remote address as expected. When observed in the Envoy logs, the downstream remote address does show up correctly, but it’s not propagated via proxy protocol to the upstreams.


Envoy versions: reproducible in both 1.16.1 and 1.17.1.

Envoy downstream listener configuration:  

Screen Shot 2021-03-11 at 12.58.28 PM.png

Envoy upstream configuration:

Screen Shot 2021-03-11 at 12.58.42 PM.png

The downstream listener is not using proxy protocol. The upstreams in “core_cluster” are running HAProxy with proxy protocol enabled on their listeners. Changing the proxy protocol version (from V2 to V1) didn’t make a difference.

I confirmed with a tcpdump packet capture running on the Envoy server that the source address in the proxy header is Envoy’s.

Am I missing anything in Envoy’s configuration, or is this a bug?

Thank you!
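
The packet-capture check described in the post above can be scripted. This is an added example, not part of the original thread or of Envoy's code: it parses the PROXY protocol v1 or v2 header at the start of a captured upstream stream and reports whose address the header advertises as the source. The function names, IP addresses and sample payloads are constructed for illustration.

```python
import ipaddress
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY protocol v2 signature

def parse_proxy_header(data: bytes):
    """Return (version, src_ip, src_port) from the first bytes of an upstream
    TCP stream; src is None when the header carries no address."""
    if data.startswith(V2_SIG):
        if len(data) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        body = data[16:16 + length]
        if ver_cmd >> 4 != 2 or len(body) < length:
            raise ValueError("malformed v2 header")
        if ver_cmd & 0x0F == 0 or fam_proto >> 4 == 0:  # LOCAL command or AF_UNSPEC
            return (2, None, None)
        alen = {1: 4, 2: 16}.get(fam_proto >> 4)  # AF_INET, AF_INET6
        if alen is None or length < 2 * alen + 4:
            raise ValueError("unsupported family or short address block")
        src = ipaddress.ip_address(body[:alen])
        (sport,) = struct.unpack("!H", body[2 * alen:2 * alen + 2])
        return (2, str(src), sport)
    if data.startswith(b"PROXY "):
        end = data.find(b"\r\n", 0, 107)  # v1 line is at most 107 bytes with CRLF
        if end < 0:
            raise ValueError("unterminated v1 header")
        parts = data[:end].decode("ascii").split(" ")
        if parts[1] == "UNKNOWN":
            return (1, None, None)
        if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
            raise ValueError("malformed v1 header")
        return (1, str(ipaddress.ip_address(parts[2])), int(parts[4]))
    raise ValueError("no PROXY protocol header")

def source_is(data: bytes, client_ip: str, proxy_ip: str) -> str:
    """Classify whose address the header advertises as the connection source."""
    _, src, _ = parse_proxy_header(data)
    if src is None:
        return "none"
    return {client_ip: "client", proxy_ip: "proxy"}.get(src, "other")

# Constructed sample payloads (not from the thread): client 203.0.113.7, proxy 10.0.0.5.
V1_PROXY_SRC = b"PROXY TCP4 10.0.0.5 10.0.1.20 41234 8080\r\nGET / HTTP/1.1\r\n\r\n"
V2_CLIENT_SRC = (V2_SIG + struct.pack("!BBH", 0x21, 0x11, 12)
                 + ipaddress.ip_address("203.0.113.7").packed
                 + ipaddress.ip_address("10.0.1.20").packed
                 + struct.pack("!HH", 50123, 8080))

if __name__ == "__main__":
    print(source_is(V1_PROXY_SRC, "203.0.113.7", "10.0.0.5"))
    print(source_is(V2_CLIENT_SRC, "203.0.113.7", "10.0.0.5"))
```

A result of "proxy" corresponds to the behaviour reported in the post; "client" is what an upstream that bases logging or access control on the PROXY header needs to see.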

Matt Klein

Mar 11, 2021, 7:31:17 PM
to Dumitru Gherman-Lad, envoy-users
You are hitting this code: https://github.com/envoyproxy/envoy/blob/e20957c011b11a4f9f935ec7556ed89d1d8c22d7/source/extensions/transport_sockets/proxy_protocol/proxy_protocol.cc#L54-L56

From looking through the history (https://github.com/envoyproxy/envoy/issues/1031, https://github.com/envoyproxy/envoy/pull/12762) this was only wired up for tcp_proxy.

I think we could wire this up for HCM also, but it needs a bit of thinking as it only makes sense if we are using a discrete upstream connection for every downstream source IP/port (via hashing) which may lead to huge connection pool explosion depending on the use case. I would recommend opening an issue to discuss?

Thanks,
Matt


Dumitru Gherman-Lad

Mar 12, 2021, 12:21:40 PM
to envoy-users
Ah, got it. The docs weren't super clear that the implementation is for tcp_proxy only, and not HCM.
Thank you so much Matt for triaging this here!
