Hi,
I have a problem that I don't know how to resolve. It would be much appreciated if anyone could share some thoughts on how to resolve it.
Scenario:
I have an ELB set up in the AWS cloud. There are two Apache servers (2.4.4) behind the ELB acting as gateways; the Apache servers are listening on port 443, which is an HTTPS port, and the ELB is set up with TCP/SSL. When a request comes in to the ELB, the ELB forwards it to the Apache servers, and the Apache servers forward it to downstream servers with the ProxyPass directive.
Issue:
There is an issue in this setup: the ELB stops the downstream server from getting the source IP address of the request. What the Apache server can see is that the message is coming from the IP addresses of the ELB instances, not the actual sender's IP address. I cannot change the ELB to use HTTP/HTTPS and take advantage of the "X-Forwarded-" headers, because of the special mutual authentication I need for the Apache instances. The AWS ELB supports a TCP protocol called "Proxy Protocol v1" which is able to forward the source IP address to Apache.
Proxy Protocol:
Proxy Protocol is a protocol for TCP/SSL load balancers to carry source IP address information and forward it to downstream servers. The message with an HTTP GET request would look like:
PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n
GET / HTTP/1.1\r\n
Host: 192.168.0.11\r\n
\r\n
Basically this protocol adds a new line after the TCP headers and before the body.
For HTTPS it is more complex. I imagine the message for HTTPS would look like:
PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n
<Encrypted binary>
Here is the link to the protocol:
http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
Question:
Obviously this new line before the request body will cause SSL and other modules to fail. How are we going to support this "Proxy Protocol"?
Thanks
JJ
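The following is an added example, not code from the post or from Apache httpd: a parser for the PROXY protocol v1 line described above, following the rules in the linked haproxy spec (line starts with "PROXY ", family TCP4/TCP6/UNKNOWN, CRLF terminator within 107 bytes, ports without leading zeros). It splits the line off the front of the stream and returns the remaining bytes untouched, which is exactly what the TLS layer has to be handed for an HTTPS listener to keep working. It also shows the check a practitioner wants before believing the line at all: the header is only trusted when the TCP peer is one of the load balancer addresses, since anything that can reach port 443 directly could prepend a forged line and spoof its source address. The sample byte strings, the `10.0.0.0/8` trusted range and the TLS-shaped payload bytes are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Longest legal v1 line, CRLF included (TCP6 with two full-length addresses).
PROXY_V1_MAX_LEN = 107


@dataclass(frozen=True)
class ProxyV1:
    family: str               # "TCP4", "TCP6" or "UNKNOWN"
    src_addr: Optional[str]   # original client address; None for UNKNOWN
    dst_addr: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]


def _parse_port(text: str) -> int:
    # Spec: decimal, 0..65535, no leading zeros ("0" itself is fine).
    if not text.isdigit() or (len(text) > 1 and text[0] == "0"):
        raise ValueError(f"bad port {text!r}")
    port = int(text)
    if port > 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_proxy_v1(stream: bytes) -> Tuple[ProxyV1, bytes]:
    """Split a PROXY protocol v1 line off the front of a TCP stream.

    Returns (header, rest): `rest` is exactly what the TLS or HTTP layer
    should be handed. Raises ValueError on anything malformed; the spec
    says a receiver must then drop the connection rather than guess.
    """
    head = stream[:PROXY_V1_MAX_LEN]
    end = head.find(b"\r\n")
    if end < 0:
        raise ValueError("no CRLF within 107 bytes: not a PROXY v1 header")
    line = head[:end]
    if not line.startswith(b"PROXY "):
        raise ValueError("stream does not start with 'PROXY '")
    rest = stream[end + 2:]
    fields = line.decode("ascii").split(" ")
    family = fields[1]
    if family == "UNKNOWN":
        # Spec: the receiver must ignore whatever follows up to the CRLF.
        return ProxyV1("UNKNOWN", None, None, None, None), rest
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError(f"malformed PROXY line: {line!r}")
    _, _, src, dst, sport, dport = fields
    want_version = 4 if family == "TCP4" else 6
    for addr in (src, dst):
        if ipaddress.ip_address(addr).version != want_version:
            raise ValueError(f"{addr} is not an IPv{want_version} address")
    return ProxyV1(family, src, dst, _parse_port(sport), _parse_port(dport)), rest


def is_valid_proxy_v1(stream: bytes) -> bool:
    """True if the stream begins with a well-formed v1 line."""
    try:
        parse_proxy_v1(stream)
        return True
    except ValueError:
        return False


def peel_header(stream: bytes, peer_ip: str,
                trusted_proxies: Iterable[str]) -> Tuple[Optional[str], bytes]:
    """Return (client_ip, payload) for a fresh connection.

    The PROXY line is only believed when the TCP peer is inside one of the
    trusted networks (assumed here to be the ELB's address range). Any other
    peer is rejected outright so a forged line cannot spoof a source address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        raise ValueError(f"PROXY header from untrusted peer {peer_ip}")
    header, payload = parse_proxy_v1(stream)
    return header.src_addr, payload


# Constructed sample 1: the HTTP exchange shown in the post.
HTTP_SAMPLE = (b"PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n"
               b"GET / HTTP/1.1\r\nHost: 192.168.0.11\r\n\r\n")

# Constructed sample 2: the same line followed by bytes shaped like the start
# of a TLS handshake record (content type 0x16, record version 0x0301), i.e.
# what the HTTPS case looks like once the line has been removed.
TLS_SAMPLE = (b"PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n"
              b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")

# Constructed sample 3: a connection that arrives with no PROXY line at all.
RAW_SAMPLE = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    hdr, body = parse_proxy_v1(TLS_SAMPLE)
    print(hdr.src_addr, hdr.src_port, body[:3].hex())
```

The design point is that the header has to be consumed at the socket level, before any bytes reach the TLS library, and that a listener which accepts PROXY lines must accept them only from the load balancer. Later httpd releases added exactly this in mod_remoteip (`RemoteIPProxyProtocol`, httpd 2.4.31 and later), which was not available to the 2.4.4 servers in the post.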