Percona Server moved to https://jira.percona.com/projects/PS

Proxy protocol support

Registered by Laurynas Biveinis on 2015-06-02

https://github.com/percona/percona-server/pull/92

Add proxy protocol support to the server. The proxy protocol allows an intermediate proxying server between the server and the ultimate client (i.e. HAProxy) to provide the source client address to the server, which normally would only see the proxying server address instead. The correct source client address then might be used in mysql.user for access control, provide more exact information for the error log, audit plugins etc.

As the proxy protocol amounts to spoofing the client address, it is disabled by default, and can be enabled on per-host or per-network basis for the trusted source addresses where trusted proxy servers are known to run.

The option is a global-only, read-only variable proxy-protocol-networks, which is either a '*' (to enable proxying globally), either a list of comma-separated IPv4 and IPv6 network and host addresses, for which proxying is enabled. Network addresses are specified in CIDR notation, i.e. 192.168.0.0/24.

Only TCP/IPv4 and TCP/IPv6 are supported. UNIX socket (and strictly speaking Windows named pipe) connections can not be proxied and do not fall under the effect of proxy-protocol-networks='*'.

As a special exception, it is forbidden for the proxied IP address to be 127.0.0.1 / ::1.

The protocol specification is at http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt.
The implementation is based on a patch developed by Thierry Fournier.

Blueprint information

Status:: Complete

Approver:: Laurynas Biveinis

Priority:: Medium

Drafter:: Laurynas Biveinis

Direction:: Approved

Assignee:: Laurynas Biveinis

Definition:: Approved

Series goal:: Accepted for 5.6

Implementation:: Implemented

Milestone target:: 5.6.25-73.0

Started by: Laurynas Biveinis on 2015-06-18

Completed by: Laurynas Biveinis on 2015-06-25

Related branches

Related bugs

Sprints

Whiteboard

Only a very small part of functionality is covered by MTR (option parsing and unproxied connection rejection on a proxied source address). I have considered adding support for writing proxy headers to libmysqlclient and then making use of this in mysqltest, but rejected this as libmysqlclient would be forced to carry this testing code, which has very limited use. Thus, this needs system level tests:

For both ipv4 and ipv6:
1) proxied connections are accepted on proxied source address;
2) proxied connections are not accepted on an unproxied source address;
3) unproxied connections are not accepted on an proxied source address;
4) mysql.user containing user@foo and user@bar with different permissions, where foo = proxy ip, bar = real source ip. Verify that server treats a connecting user as user@bar and not user@foo correctly.
5) verify that the server error log and audit log entries show the correct ip where appropriate.
6) the proxy host IP is not subject to max_connect_errors but the proxied IPs are.

For docs (dbusby): Documentation to reflect concerns in
implementation aka ability to shoot self in foot

   we can note in the documentation concerns over the need to ensure
   proper firewall ACL's in place for the feature along with /32 being
   a single host etc.

(?)

Work Items

This blueprint contains Public information

Everyone can see this information.

Subscribers

No subscribers.