Preserve source ip of external TCP service (proxy-protocol)

Hi, I would like to configure Envoy to preserve the source IP of the connection into the cluster.
Using managed Kubernetes (AKS) with Azure Load Balancer, versions:
Istio: 1.16.1
Envoy: 1.24.2-dev

As a single ingressgateway handles HTTPS/TCP traffic, the EnvoyFilter configuration looks like:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: proxy-protocol
  namespace: istio-system
spec:
  configPatches:
  - applyTo: LISTENER
    patch:
      operation: MERGE
      value:
        listener_filters:
        - name: proxy_protocol
          typed_config:
            "@type": "type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol"
            allow_requests_without_proxy_protocol: true
        - name: tls_inspector
          typed_config:
            "@type": "type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector"
  workloadSelector:
    labels:
      istio: ingressgateway

The IstioOperator ingressgateway is set up as a DaemonSet, with externalTrafficPolicy Local:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
    - name: istio-ingressgateway   # component name implied by the overlay target below
      enabled: true
      k8s:
        overlays:
        - apiVersion: apps/v1
          kind: Deployment
          name: istio-ingressgateway
          patches:
          - path: kind
            value: DaemonSet
          - path: spec.strategy      # no value: removes the Deployment-only field
          - path: spec.updateStrategy
            value:
              rollingUpdate:
                maxUnavailable: 1
        service:
          externalTrafficPolicy: Local

The source of the traffic is clients using proxy protocol, while the destination is a RabbitMQ server inside the cluster. The aim is to show connection origins in the management UI.
Azure Load Balancer preserves the client IP; however, currently only the istio-ingressgateway pod IP is shown, not the IP of origin.
Do you have any advice what should be checked/modified?
Thank you

@gmv Were you able to figure out anything? I am also stuck on the same issue.

IIRC RabbitMQ supports proxy protocol, right? So you just need to forward the proxy protocol to RabbitMQ.

I’ve been working with upstream proxy protocol forwarding for the last few months. It is possible, but there are a few snags.

That said, a community member recently stepped up and submitted a PR to fix the problem, so hopefully a new release will make it simple.

In the meantime, I’ve documented a workaround here

The TL;DR of the workaround is to grab the cluster definition you'd normally use, using istioctl. Then:
1. Modify it to add the proxy protocol.
2. Add it to Istio with a new cluster name (e.g. original-cluster-pp) using an EnvoyFilter.
3. Modify the virtual service to point to the new cluster.

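The three steps above, put together as one EnvoyFilter. This is an added example for this thread, not the workaround document's own manifest: the cluster name rabbitmq-pp, the RabbitMQ Service address rabbitmq.rabbitmq.svc.cluster.local, port 5672 and the gateway listener port 5672 are placeholders, and it assumes plain TCP (no mTLS) between the gateway and RabbitMQ. Step 3 is done here by patching the gateway's tcp_proxy filter rather than through a VirtualService, because a VirtualService destination names a registry host, not a raw Envoy cluster name.

```yaml
# Added example: upstream PROXY v2 for RabbitMQ from the Istio ingress gateway.
# Assumed placeholders: cluster name rabbitmq-pp, Service
# rabbitmq.rabbitmq.svc.cluster.local:5672, gateway listener port 5672.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: rabbitmq-proxy-protocol-upstream
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  # Steps 1 and 2: a second cluster (suffixed -pp) whose transport socket
  # prepends a PROXY v2 header to every upstream connection. The header
  # carries the downstream address as Envoy sees it, i.e. whatever the
  # listener-side proxy_protocol filter restored on the inbound side.
  - applyTo: CLUSTER
    match:
      context: GATEWAY
    patch:
      operation: ADD
      value:
        name: rabbitmq-pp
        type: STRICT_DNS
        connect_timeout: 10s
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: rabbitmq-pp
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: rabbitmq.rabbitmq.svc.cluster.local
                    port_value: 5672
        transport_socket:
          name: envoy.transport_sockets.upstream_proxy_protocol
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport
            config:
              version: V2
            # Inner socket: plain TCP to RabbitMQ (assumption: no mTLS here).
            transport_socket:
              name: envoy.transport_sockets.raw_buffer
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer
  # Step 3: send the gateway's TCP listener for port 5672 to the new cluster.
  # Assumes the existing tcp_proxy uses a single `cluster` (one destination
  # in the VirtualService); with `weighted_clusters` this MERGE would conflict.
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        portNumber: 5672
        filterChain:
          filter:
            name: envoy.filters.network.tcp_proxy
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          cluster: rabbitmq-pp
```

Two checks before relying on this. First, confirm the patch landed with `istioctl proxy-config cluster <gateway-pod> -n istio-system -o yaml` (the rabbitmq-pp cluster should show the upstream_proxy_protocol transport socket) and `istioctl proxy-config listener <gateway-pod> -n istio-system -o yaml` (the port 5672 tcp_proxy should name that cluster). Second, RabbitMQ must be configured to expect the PROXY header (`proxy_protocol = true` in rabbitmq.conf), or the AMQP handshake fails as soon as the gateway connects. A caveat on trust: Envoy does not verify the address in an inbound PROXY header against the TCP peer, so when the header is produced by the clients themselves rather than by a load balancer you control, the "connection origin" RabbitMQ displays is whatever the client asserted.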