We have a Kubernetes and microservices setup on our bare metal servers. As the external load balancer we have HAProxy, and inside Kubernetes we are using Istio (Istio version: 1.14.1).
For external applications, we are off-loading our application’s Certificates into Istio Gateway.
So for external applications, the client request flow is: the request comes to HAProxy, then to the Istio Gateway (which off-loads the SSL), and then it goes to the application-specific pod using Istio virtual service routing.
We have a requirement that we need to log our client’s IP and Port in our application. After searching for a solution we found that we need to use Proxy Protocol in HAProxy and Istio. HAProxy sets the client IP and Port into Proxy Protocol TCP header and Istio should read that TCP header and give us values in http request header (because SSL is offloaded into Istio Gateway).
Hence we applied this way and it worked as per the documentation. Details of implementation are as below:
Enable Proxy Protocol in HAProxy: Load Balancing | Client IP preservation | Enable the Proxy Protocol | HAProxy Enterprise 2.5r1
We have configured “send-proxy-v2” parameter in HAProxy backend (inside “Per server pass thru” parameter)
Configure Istio Gateway to accept Proxy Protocol: Istioldie 1.13 / Configuring Gateway Network Topology
As per the documentation, we have configured below EnvoyFilter:
- applyTo: LISTENER
- name: envoy.filters.listener.proxy_protocol
- name: envoy.filters.listener.tls_inspector
Now the Istio Gateway is getting the client IP using Proxy Protocol and setting the X-Forwarded-For and X-Envoy-External-Address HTTP headers, which contain the client IP address, and we can read these headers in our application (running inside the application pod).
After the above implementation we got the client IP address, but we still did not get the client port. And we do not see any documentation to achieve the same.
Can anyone please help us to get client Port using proxy protocol implementation inside Istio/Envoy?
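For reference, an added example (not part of the original post, and not HAProxy's or Envoy's own code): a minimal parser for the PROXY protocol v2 header that "send-proxy-v2" prepends to each connection, showing that the client's source port travels in the same address block as the client IP. The function names and the addresses and ports in build_sample are constructed for illustration.

```python
import ipaddress
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY protocol v2 signature
ADDR_LEN = {0x1: 4, 0x2: 16}           # address-family nibble -> address size (IPv4, IPv6)


def parse_proxy_v2(data: bytes) -> dict:
    """Parse a PROXY protocol v2 header at the start of a TCP stream."""
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or (ver_cmd & 0x0F) not in (0, 1):
        raise ValueError("unsupported version or command")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    result = {"command": "PROXY" if ver_cmd & 0x0F else "LOCAL",
              "header_len": 16 + length}
    n = ADDR_LEN.get(fam_proto >> 4)
    if result["command"] == "LOCAL" or n is None:
        return result  # LOCAL (e.g. health check) or non-IP family: no client address
    if length < 2 * n + 4:
        raise ValueError("address block shorter than its family requires")
    block = data[16:16 + 2 * n + 4]
    src_port, dst_port = struct.unpack("!HH", block[2 * n:])
    result.update(
        src_ip=str(ipaddress.ip_address(block[:n])),
        dst_ip=str(ipaddress.ip_address(block[n:2 * n])),
        src_port=src_port,   # the client port the application wants to log
        dst_port=dst_port,
    )
    return result


def build_sample() -> bytes:
    """Constructed header: client 203.0.113.7:51234 -> 192.0.2.10:443 over TCP/IPv4."""
    block = (ipaddress.ip_address("203.0.113.7").packed
             + ipaddress.ip_address("192.0.2.10").packed
             + struct.pack("!HH", 51234, 443))
    header = SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(block)) + block
    return header + b"\x16\x03\x01"  # first bytes of the TLS ClientHello follow the header


if __name__ == "__main__":
    print(parse_proxy_v2(build_sample()))
```

The header is plain, unauthenticated data, so a listener should accept it only on connections that come from the load balancer.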