[Maria-developers] Adding "proxy protocol" support to MariaDB
Hi! As you may know, the proxy protocol [1,2] is a way to communicate a client's IP address to a backend server sitting behind a proxy front-end. It is the equivalent of the X-Forwarded-For HTTP header, but done at Layer 4. This protocol was originally proposed by one of the HAProxy developers and its support is becoming more widespread. Percona, Amazon AWS, HAProxy, NGINX, and others. Mariadb's Jira shows an unassigned feature request for it, but with no one apparently assigned to it [3]. Percona supports proxy protocol [4]. For the configuration part, Percona defines a global variable that gives the IP address of the proxy front-ends that are authorized to send a proxy protocol header. Percona's handler code for the proxy protocol (minus the global variable handling) is in the vio/viosockets.c file [4] I looked at Percona's implementation. This file looks very similar to MariaDb's own viosockets.c file [5] so it may a potential good insertion point. Percona's software license seems to be permisive enough for reusing / adapting their code [6]. Please correct me if I'm wrong but it seems no one is currently working on this feature right now. I'd like to know if you would be interested in help side-porting Percona's proxy protocol code to MariaDB. I'll probably need some help or pointers on how to add a global variable, though. Best regards, --jose [1] Proxy protocol documentation https://blog.haproxy.com/haproxy/proxy-protocol/ [2] Proxy protocol specification www.haproxy.org/download/1.8/doc/proxy-protocol.txt [3] Mariadb feature request for proxy protocol https://jira.mariadb.org/browse/MDEV-11159?jql=project%20%3D%20MDEV%20AND%20... [3] Percona proxy protocol manual page https://www.percona.com/doc/percona-server/5.6/flexibility/proxy_protocol_su... [4] Percona proxy protocol handler code https://github.com/percona/percona-server/blob/1e2f003a5bd48763c27e37542d97c... https://github.com/percona/percona-server/blob/1e2f003a5bd48763c27e37542d97c... [5] mariadb potential insertion pode for proxy protocol code https://github.com/MariaDB/server/blob/bb2c1a52c61706dde8c525a8887f2d364c0db... [6] Percona software license https://www.percona.com/doc/percona-server/LATEST/copyright.html
On IRC, waintroub_ asked me if I had a use case to show what mariadb could gain from adding support for proxy protocol. In a nutshell, it allows the mysql servers behind a proxy to know what's the IP address of the client connecting to the proxy. Without it, the backend servers will only see the IP address of the proxy front-end. Thus making it not possible to use the IP address of the clients for grants, or for logging, query analysis, ... Here's a post that has some graphics and more detail for these user cases: https://blog.haproxy.com/2017/03/24/using-haproxy-with-the-proxy-protocol-to... Hope this makes it clearer. --josé
There is an old issue in JIRA to track this (please vote): https://jira.mariadb.org/browse/MDEV-11159 If you want to give a shot to porting that to MariaDB, I'd love to have this feature personally. Le mar. 4 avr. 2017 à 21:20, Jose <jkmdb@w3.org> a écrit :
Hi!
As you may know, the proxy protocol [1,2] is a way to communicate a client's IP address to a backend server sitting behind a proxy front-end. It is the equivalent of the X-Forwarded-For HTTP header, but done at Layer 4. This protocol was originally proposed by one of the HAProxy developers and its support is becoming more widespread. Percona, Amazon AWS, HAProxy, NGINX, and others.
Mariadb's Jira shows an unassigned feature request for it, but with no one apparently assigned to it [3].
Percona supports proxy protocol [4]. For the configuration part, Percona defines a global variable that gives the IP address of the proxy front-ends that are authorized to send a proxy protocol header.
Percona's handler code for the proxy protocol (minus the global variable handling) is in the vio/viosockets.c file [4] I looked at Percona's implementation. This file looks very similar to MariaDb's own viosockets.c file [5] so it may a potential good insertion point. Percona's software license seems to be permisive enough for reusing / adapting their code [6].
Please correct me if I'm wrong but it seems no one is currently working on this feature right now. I'd like to know if you would be interested in help side-porting Percona's proxy protocol code to MariaDB. I'll probably need some help or pointers on how to add a global variable, though.
Best regards,
--jose
[1] Proxy protocol documentation https://blog.haproxy.com/haproxy/proxy-protocol/
[2] Proxy protocol specification www.haproxy.org/download/1.8/doc/proxy-protocol.txt
[3] Mariadb feature request for proxy protocol
https://jira.mariadb.org/browse/MDEV-11159?jql=project%20%3D%20MDEV%20AND%20...
[3] Percona proxy protocol manual page
https://www.percona.com/doc/percona-server/5.6/flexibility/proxy_protocol_su...
[4] Percona proxy protocol handler code
https://github.com/percona/percona-server/blob/1e2f003a5bd48763c27e37542d97c...
https://github.com/percona/percona-server/blob/1e2f003a5bd48763c27e37542d97c...
[5] mariadb potential insertion pode for proxy protocol code
https://github.com/MariaDB/server/blob/bb2c1a52c61706dde8c525a8887f2d364c0db...
[6] Percona software license https://www.percona.com/doc/percona-server/LATEST/copyright.html
_______________________________________________ Mailing list: https://launchpad.net/~maria-developers Post to : maria-developers@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-developers More help : https://help.launchpad.net/ListHelp
I did a first pass at porting percona's code, mostly as proof of concept and to have a starting step. I opened a PR to track feedback on it and I'm trying to be available on #maria for discussions. https://github.com/MariaDB/server/pull/354 Thanks to @vaintroub and @danblack for all their early feedback and help. --josé
participants (3)
-
Guillaume Lefranc
-
jkmdb@w3.org
-
Jose