Mark, thank you for your feedback. I hope to settle some worry here:
> I prefer supporting features backed by specifications rather than vendor
> specific hacks.

I totally understand and agree. This is a standardized specification with a
control document.
Spec: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

The Proxy protocol is actually widely deployed and available today; I'll
provide as many references as I know of:

HaProxy Support: (See spec doc above)
Apache Support:
https://roadrunner2.github.io/mod-proxy-protocol/mod_proxy_protocol.html
Nginx Support:
https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol
Amazon Web Services Support:
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#proxy-protocol
Google Cloud Support:
https://cloud.google.com/load-balancing/docs/tcp/setting-up-tcp#proxy-protocol
Cloudflare Support:
https://developers.cloudflare.com/spectrum/how-to/enable-proxy-protocol/
DigitalOcean Support:
https://docs.digitalocean.com/products/networking/load-balancers/how-to/manage/#proxy-protocol
Linode Support:
https://www.linode.com/docs/products/networking/nodebalancers/guides/proxy-protocol

These are just the usages that I'm aware of. Having support in Tomcat for
Proxy Protocol means these load balancers above can speak to Tomcat in a
more direct manner. A Google search returns even wider support, for
everything from databases to some people supporting this through F5 load
balancer scripts.

Thank you again for your consideration,


On Wed, Jul 26, 2023 at 12:58 PM Mark Thomas <ma...@apache.org> wrote:

> I'm not a huge fan of this feature in general. I prefer supporting
> features backed by specifications rather than vendor specific hacks.
>
> My support for any patch is going to depend on the specifics of the patch.
>
> In addition to the comments in the BZ
> - exposing the data as a request attribute is inconsistent with other
>    mechanisms that solve the same problem (e.g. see RemoteIpFilter)
>
> - needs to be implemented for all Connectors
>
> - I'd expect it to look more like the SNI processing
>
> Generally, I don't think implementing this is going to be possible as
> some sort of plug-in.
>
> Mark
>
>
> On 26/07/2023 17:44, Amit Pande wrote:
> > Missed to ask this:
> >
> > Looking at the patch, it involves modifying Tomcat code.
> > Was wondering if it would be possible to refactor this patch and/or
> > allow Tomcat core code to extend and plug-in the proxy protocol support?
> >
> > Thanks,
> > Amit
> >
> > -----Original Message-----
> > From: Amit Pande
> > Sent: Wednesday, July 26, 2023 11:43 AM
> > To: Tomcat Users List <users@tomcat.apache.org>
> > Subject: RE: [External] Re: Supporting Proxy Protocol in Tomcat
> >
> > Chris, Mark,
> >
> > Any thoughts on this?
> >
> > Mark, if we clean up the patch and re-submit, will you have any
> > concerns (especially security-wise)?
> >
> > Thanks,
> > Amit
> >
> > -----Original Message-----
> > From: Jonathan S. Fisher <exabr...@gmail.com>
> > Sent: Monday, July 24, 2023 12:41 PM
> > To: Tomcat Users List <users@tomcat.apache.org>
> > Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat
> >
> > Just a side note, because we're also very interested in this patch!
> >
> > A while back, I was successfully able to apply this patch and terminate
> > TCP/TLS using HaProxy. We then had Tomcat listen on a unix domain socket
> > and the Proxy protocol provided *most* of the relevant/required information
> > to tomcat. I believe we had to add a Valve to tomcat to set the Remote IP
> > however as the patch didn't handle that case.
> >
> > I can find my notes from that experiment, but I do remember getting a
> > significant boost in throughput and decrease in latency.
> >
> > +1 for this patch and willing to help out!
> >
> > On Mon, Jul 24, 2023 at 11:22 AM Amit Pande <amit.pa...@veritas.com.invalid>
> > wrote:
> >
> >> Thank you, Chris, again for inputs.
> >> And sorry to circle back on this, late.
> >>
> >> One related question is - does it make sense to use the patch attached
> >> in
> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830 ?
> >> And potentially, get it integrated into Tomcat versions?
> >>
> >> There are concerns from Mark about using the patch in its current
> >> state, but I see the last comment (#24) on the issue and it looks like
> >> there are some more points to be concluded.
> >>
> >> Thanks,
> >> Amit
> >>
> >> -----Original Message-----
> >> From: Christopher Schultz <ch...@christopherschultz.net>
> >> Sent: Wednesday, May 10, 2023 4:21 PM
> >> To: users@tomcat.apache.org
> >> Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat
> >>
> >> Amit,
> >>
> >> On 5/10/23 12:59, Amit Pande wrote:
> >>> Yes, we intended to have Tomcat run behind a (transparent) TCP proxy e.g.
> >>> https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency
> >>> which supports the proxy protocol.
> >>>
> >>> Since there is not much action on
> >>> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830,
> >>> does it imply that most of the time Tomcat is running behind HTTP proxies
> >>> and not TCP proxies?
> >>> Or does it mean that Tomcat or applications running in Tomcat do
> >>> not need the remote client address information?
> >>
> >> I can't speak for anybody else, but I use Apache httpd as my
> >> reverse-proxy and I do terminate TLS. I also use it for
> >> load-balancing/fail-over, caching, some authorization, etc. I wouldn't
> >> be able to use a TCP load-balancer because I hide multiple services
> >> behind my reverse-proxy which run in different places. It's not just a
> >> dumb pass-through.
> >>
> >> Hope that helps,
> >> -chris
> >>
> >>> -----Original Message-----
> >>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>> Sent: Monday, May 8, 2023 3:40 PM
> >>> To: users@tomcat.apache.org
> >>> Subject: [External] Re: Supporting Proxy Protocol in Tomcat
> >>>
> >>> Amit,
> >>>
> >>> On 5/4/23 16:07, Amit Pande wrote:
> >>>> We have a similar requirement as mentioned in the below enhancement
> >>>> request.
> >>>>
> >>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830
> >>>>
> >>>> Is there any plan to add this support in Tomcat in future releases?
> >>>
> >>> Nothing at the moment that I know of.
> >>>
> >>> I thought that markt had looked at this a while back and said it
> >>> didn't look too difficult. It does require Tomcat to handle the stream
> >>> directly and not just rely on Java's SSLServerSocket. I thought that
> >>> had been done at some point, but it may not have. Handling the stream
> >>> directly may have some other advantages as well, though it definitely
> >>> makes the code more complicated.
> >>>
> >>>> Also, since this was requested long time back and there is no
> >>>> update, are there any other alternatives to pass the client
> >>>> information from load balancer to Tomcat in situations where there
> >>>> is no SSL termination at load balancer?
> >>>
> >>> You mean like a network load balancer where the lb is just proxying
> >>> bytes and not looking at the data at all? The PROXY protocol really is
> >>> the best way to do that, honestly.
> >>>
> >>> -chris
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>
> >
> > --
> > Jonathan | exabr...@gmail.com
> > Pessimists, see a jar as half empty. Optimists, in contrast, see it as
> > half full.
> > Engineers, of course, understand the glass is twice as big as it needs
> > to be.
> >

-- 
Jonathan | exabr...@gmail.com
Pessimists, see a jar as half empty. Optimists, in contrast, see it as half
full.
Engineers, of course, understand the glass is twice as big as it needs to
be.
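For readers following the thread, here is the v1 (text) header from the HAProxy spec linked above, parsed and validated the way a receiver such as a Tomcat connector would need to before trusting it. This is an added example, not code from this thread, from Tomcat, or from the Bugzilla patch; the trusted-proxy list in `client_address` is an assumed policy modelled on the RemoteIpFilter-style trust list Mark alludes to, not something the spec itself prescribes.

```python
import ipaddress
import re

# PROXY protocol v1 (text form) per the HAProxy spec linked above.
MAX_V1_LINE = 107  # spec: a v1 line is at most 107 bytes including the CRLF
_V1_RE = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n$")


class ProxyHeaderError(ValueError):
    """Malformed or untrusted header: the receiver should drop the connection."""


def parse_proxy_v1(data: bytes) -> dict:
    """Parse the header at the start of `data`; also report the bytes consumed
    so the caller can hand the rest to the application protocol."""
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_LINE:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    line = data[: end + 2]
    if line.startswith(b"PROXY UNKNOWN"):
        # Proxy could not learn the client: use the real socket addresses and
        # ignore the rest of the line, as the spec allows.
        return {"family": "UNKNOWN", "consumed": len(line)}
    m = _V1_RE.match(line)
    if not m:
        raise ProxyHeaderError("malformed PROXY line")
    family, src, dst, sport, dport = m.groups()
    try:
        src_ip = ipaddress.ip_address(src.decode("ascii"))
        dst_ip = ipaddress.ip_address(dst.decode("ascii"))
    except ValueError as e:
        raise ProxyHeaderError(f"bad address: {e}") from None
    want = 4 if family == b"TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyHeaderError("address does not match the declared family")
    ports = (int(sport), int(dport))
    if not all(0 <= p <= 65535 for p in ports):
        raise ProxyHeaderError("port out of range")
    return {"family": family.decode(), "src": str(src_ip), "dst": str(dst_ip),
            "src_port": ports[0], "dst_port": ports[1], "consumed": len(line)}


def client_address(peer_ip: str, data: bytes, trusted_proxies) -> tuple:
    """Return (client_ip, client_port, header_bytes). Assumed policy, not from
    the spec: honour the header only when the TCP peer is a configured proxy,
    since any host reaching the port could otherwise write its own header."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        raise ProxyHeaderError(f"{peer_ip} is not a configured proxy")
    h = parse_proxy_v1(data)
    if h["family"] == "UNKNOWN":
        return peer_ip, None, h["consumed"]
    return h["src"], h["src_port"], h["consumed"]
```

The sample header bytes are constructed (RFC 5737 / 3849 documentation addresses); the `consumed` count is what lets the connector strip the header and pass the remaining bytes, here an HTTP request line, to the normal protocol handler.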
