Implement Proxy Protocol using Istio

Hello Everyone,

We have Kubernetes and Microservices setup on our bare metal servers. As external load balancer we have HAProxy and inside Kubernetes we are using Istio (Istio version: 1.14.1).
For external applications, we are off-loading our application’s Certificates into Istio Gateway.

So for external applications, client request flow is, request is coming to HAProxy then to Istio Gateway (which off-loads the SSL) and then it goes to Application specific pod using Istio virtual service routing.

We have a requirement that we need to log our client’s IP and Port in our application. After searching for a solution we found that we need to use Proxy Protocol in HAProxy and Istio. HAProxy sets the client IP and Port into Proxy Protocol TCP header and Istio should read that TCP header and give us values in http request header (because SSL is offloaded into Istio Gateway).
Hence we applied this way and it worked as per the documentation. Details of implementation are as below:

  1. Enable Proxy Protocol in HAProxy: Load Balancing | Client IP preservation | Enable the Proxy Protocol | HAProxy Enterprise 2.5r1

    We have configured “send-proxy-v2” parameter in HAProxy backend (inside “Per server pass thru” parameter)

  2. Configure Istio Gateway to accept Proxy Protocol: Istioldie 1.13 / Configuring Gateway Network Topology

    As per the documentation, we have configured below EnvoyFilter:
    apiVersion: networking.istio.io/v1alpha3
    kind: EnvoyFilter
    metadata:
      name: proxy-protocol
      namespace: istio-system
    spec:
      configPatches:
      - applyTo: LISTENER
        patch:
          operation: MERGE
          value:
            listener_filters:
            - name: envoy.filters.listener.proxy_protocol
            - name: envoy.filters.listener.tls_inspector
      workloadSelector:
        labels:
          istio: ingressgateway

Now Istio Gateway is getting Client IP using Proxy Protocol and setting X-Forwarded-For and X-Envoy-External-Address HTTP headers which contains client IP address and we can read this header into our application (running inside application pod).

After the above implementation we have got the client IP address, but we still did not get the client Port. And we do not see any documentation to achieve the same.

Can anyone please help us to get client Port using proxy protocol implementation inside Istio/Envoy?

1 Like

Logging true client IP for a reverse proxy was never the story. Therefore x-forwarded-for never contains ports.
And to tell the truth the ports are not important. They are ephemeral ports. The client connects to port 443 and that’s the important info. The Istio GW will terminate the TLS and will redirect the request (via virtualservice) to some pod. Why do you need to know the client source port for?
I believe you can put the source port on some custom HTTP header in the HAProxy. Istio will pass it as is.

1 Like

Could you share an example please?
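
Added example, not part of the original thread and not HAProxy or Istio code: a minimal Python parser for the PROXY protocol v2 header that `send-proxy-v2` prepends to the TCP stream, showing that the client source port travels in that header next to the client IP. The function names and the sample addresses and ports are constructed for illustration.

```python
import ipaddress
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 preamble
# family/protocol byte -> (address length, address class); TCP only
TCP_LAYOUTS = {0x11: (4, ipaddress.IPv4Address), 0x21: (16, ipaddress.IPv6Address)}


def parse_proxy_v2(data: bytes) -> dict:
    """Parse a PROXY v2 header; 'consumed' is where the client's own bytes begin."""
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    consumed = 16 + length
    command = ver_cmd & 0x0F
    if command == 0:  # LOCAL: connection opened by the proxy itself (health check)
        return {"command": "LOCAL", "consumed": consumed}
    if command != 1 or fam_proto not in TCP_LAYOUTS:
        raise ValueError("unsupported command or address family")
    alen, ip_cls = TCP_LAYOUTS[fam_proto]
    need = 2 * alen + 4  # two addresses, then two 16-bit ports
    if length < need:
        raise ValueError("address block shorter than its family requires")
    body = data[16:16 + need]  # bytes between 'need' and 'length' are TLVs
    src_port, dst_port = struct.unpack("!HH", body[2 * alen:])
    return {
        "command": "PROXY",
        "src": str(ip_cls(body[:alen])), "src_port": src_port,
        "dst": str(ip_cls(body[alen:2 * alen])), "dst_port": dst_port,
        "consumed": consumed,
    }


def build_sample() -> bytes:
    """Constructed header: client 203.0.113.7:51514 -> 192.0.2.10:443."""
    body = (ipaddress.IPv4Address("203.0.113.7").packed
            + ipaddress.IPv4Address("192.0.2.10").packed
            + struct.pack("!HH", 51514, 443))
    header = SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body))
    return header + body + b"\x16\x03\x01"  # first bytes of a TLS record


if __name__ == "__main__":
    print(parse_proxy_v2(build_sample()))
```

A receiver takes these values on trust from whoever sends the header, so the gateway port that accepts PROXY protocol should be reachable only from the HAProxy nodes.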