How to enable PROXY protocol for Istio ingress gateway

I am running Istio ingress gateway behind an AWS classic ELB. I’d like to enable PROXY protocol support on Istio ingress gateway. Does anyone have pointers on how to do that with Istio?

1 Like

Hi,

Istio is currently not supporting Proxy Protocol.

Using Digital Ocean, I have the same issue like you have with AWS.

There is a pull request, waiting for review for a while. But recently not much happend there.


Leave a comment there and subscribe to the task, so it gets more attention.

In the meanwhile I’m also looking for workarounds to get the user’s client IP.

Without the use of Proxy Protocol I currently see no way to use Istio in production. In my case SSL termination happens at the Istio Gateway. And Istio Gateway only sees the IP of my LoadBalancer.
And I can’t add any header to the packet before SSL Termination by an additional service, that supports Proxy Protocol.

That PR has been closed and within the comments are the solution to getting proxy protocol enabled already in Istio.

First, proxy protocol needs to be enabled on the ELB: https://github.com/istio/istio/pull/12748#issuecomment-576491574

Then, an EnvoyFilter needs to be added to enable it within Istio: https://github.com/istio/istio/pull/12748#issuecomment-576488018

I haven’t tried it myself yet, but figured I’d update this thread since it was the result that came up when I googled for the same thing.

1 Like