
Disable proxy protocol for TCP/UDP ports in NLB #3877

Open
sknmi opened this issue Oct 2, 2024 · 3 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@sknmi

sknmi commented Oct 2, 2024

I'm using nginx-ingress and want to expose gitlab-shell service on TCP port 22.

defaultBackend:
  enabled: false

tcp:
  22: gitlab/gitlab-gitlab-shell:22

# ingress-nginx Helm chart values: config and service are keyed under controller
controller:
  config:
    server-tokens: "false"
    use-proxy-protocol: "true"
  service:
    type: "LoadBalancer"
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "external"
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
      # annotation values must be strings, so the boolean is quoted
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
      service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "proxy_protocol_v2.enabled=true,preserve_client_ip.enabled=true,deregistration_delay.timeout_seconds=180,deregistration_delay.connection_termination.enabled=false"

So for ports 443/80 I need proxy protocol and it works as expected, but for port 22 I don't need it. If I disable it in the target group by hand, aws-load-balancer-controller sets proxy protocol for that TCP 22 port back after some time.

I know it is also possible to set something like this for nginx-ingress:

  22: gitlab/gitlab-gitlab-shell:22:PROXY:PROXY
  22: gitlab/gitlab-gitlab-shell:22:PROXY
  22: gitlab/gitlab-gitlab-shell:22::PROXY

But none of them work.

Describe the solution you'd like
Ability to disable proxy-protocol for specific ports.

Describe alternatives you've considered
Using https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.9/guide/targetgroupbinding/targetgroupbinding/ this maybe.

@wweiwei-li wweiwei-li added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 2, 2024
@wweiwei-li
Collaborator

We don't have the ability to disable it for specific ports. We add it as a feature. Any community contributions are welcome.

@sknmi
Author

sknmi commented Oct 3, 2024

TargetGroupBinding feature also doesn't work, since alb-controller removes all manually added listeners from NLB :/

@aburan28

@wweiwei-li What would be the ideal way to implement this? Would a target group override annotation for the service port be reasonable? For example, the manifest below would disable proxy_protocol_v2 for port 443.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-target-group-overrides-443: "proxy_protocol_v2.enabled=false"
    service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "proxy_protocol_v2.enabled=true"

I may have some time to work on this feature
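The merge semantics the proposal above implies, as an added example (not aws-load-balancer-controller code): the service-wide target-group-attributes annotation is parsed, and a hypothetical per-port override annotation (`...-target-group-overrides-<port>`, the name suggested in the comment) is layered on top, so port 22 can run without proxy protocol while 443 keeps it.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	attrsAnnotation    = "service.beta.kubernetes.io/aws-load-balancer-target-group-attributes"
	overridePrefix     = "service.beta.kubernetes.io/aws-load-balancer-target-group-overrides-" // hypothetical
	proxyProtocolV2Key = "proxy_protocol_v2.enabled"
)

// parseAttributes turns "k1=v1,k2=v2" into a map. A pair without "=" is an
// error rather than being silently dropped, so a typo cannot leave proxy
// protocol in an unintended state.
func parseAttributes(raw string) (map[string]string, error) {
	attrs := map[string]string{}
	if strings.TrimSpace(raw) == "" {
		return attrs, nil
	}
	for _, pair := range strings.Split(raw, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(pair), "=")
		if !ok || strings.TrimSpace(k) == "" {
			return nil, fmt.Errorf("malformed target group attribute %q", pair)
		}
		attrs[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return attrs, nil
}

// effectiveAttributes returns the attributes the target group for servicePort
// would receive: service-wide attributes, then the per-port override on top.
func effectiveAttributes(ann map[string]string, servicePort int32) (map[string]string, error) {
	base, err := parseAttributes(ann[attrsAnnotation])
	if err != nil {
		return nil, err
	}
	if raw, ok := ann[fmt.Sprintf("%s%d", overridePrefix, servicePort)]; ok {
		override, err := parseAttributes(raw)
		if err != nil {
			return nil, err
		}
		for k, v := range override {
			base[k] = v
		}
	}
	return base, nil
}

func main() {
	// constructed annotations mirroring the issue: proxy protocol on, except for port 22
	ann := map[string]string{
		attrsAnnotation:      "proxy_protocol_v2.enabled=true,preserve_client_ip.enabled=true",
		overridePrefix + "22": "proxy_protocol_v2.enabled=false",
	}
	for _, port := range []int32{443, 22} {
		attrs, _ := effectiveAttributes(ann, port)
		fmt.Printf("port %d: %s=%s\n", port, proxyProtocolV2Key, attrs[proxyProtocolV2Key])
	}
}
```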
