Change 'proxy_protocol' default mode and behavior #31622
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AntonAM
force-pushed
the
anton/proxy-protocol-defaults
branch
5 times, most recently
from
613f15f
to
d1138ad
Compare
Now by default `proxy_protocol` is unspecified and in that mode we don't allow IP pinned connections and mark incoming conection with setting source port = 0. 'on' mode now requires PROXY header.
AntonAM
force-pushed
the
anton/proxy-protocol-defaults
branch
from
d1138ad
to
56cb383
Compare
github-actions
bot
added
database-access
tigrato
reviewed
Sep 11, 2023
AntonAM
force-pushed
the
anton/proxy-protocol-defaults
branch
from
ca31d22
to
2378999
Compare
There cases when Telelport will call itself and it can go directly, avoiding load balancer, so connection will not have unsigned PROXY header.
AntonAM
force-pushed
the
anton/proxy-protocol-defaults
branch
from
2378999
to
6ac57d8
Compare
capnspacehook
approved these changes
Sep 12, 2023
jentfoo
approved these changes
Sep 12, 2023
r0mant
reviewed
Sep 12, 2023
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
r0mant
approved these changes
Sep 12, 2023
public-teleport-github-review-bot
bot
removed the request for review
from ravicious
tigrato
approved these changes
Sep 12, 2023
lib/authz/permissions.go
Outdated
| @@ -336,6 +336,10 @@ var ErrIPPinningMissing = trace.AccessDenied("pinned IP is required for the user | |||
| // ErrIPPinningMismatch is returned when user's pinned IP doesn't match observed IP. | |||
| var ErrIPPinningMismatch = trace.AccessDenied("pinned IP doesn't match observed client IP") | |||
|
|
|||
| // ErrIPPinningNotAllowed is returned when user's pinned IP doesn't match observed IP. | |||
| var ErrIPPinningNotAllowed = trace.AccessDenied("IP pinning is not allowed for connections behind L4 load balancers with " + | |||
| "PROXY protocol enabled without explicitly setting 'proxy_protocol: on' in the proxy_service or auth_service config.") | |||
There was a problem hiding this comment.
Should it be proxy_service and auth_service config?
There was a problem hiding this comment.
Depends on the client setup, if there's another LB between Proxy and Auth then it can be both, although usually I think it will be only one. I'll make it and/or.
This was referenced Sep 12, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Now by default
proxy_protocolis working in 'unspecified' mode and in that mode we mark incoming connection with setting source port = 0 and don't allow IP pinned connections (based on port = 0).Also
onmode now requires PROXY header.Implements RFD146 https://github.com/gravitational/teleport-private/pull/991