gemmellr commented on code in PR #5908: URL: https://github.com/apache/activemq-artemis/pull/5908#discussion_r2341226363
########## docs/user-manual/proxy-protocol.adoc: ########## 
@@ -0,0 +1,59 @@ += PROXY Protocol +:idprefix: +:idseparator: - +:docinfo: shared + +As noted in the official https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt[PROXY Protocol documentation]: + +[quote,] +____ +The PROXY protocol provides a convenient way to safely transport connection information such as a client's address across multiple layers of NAT or TCP proxies. +____ + +This essentially allows the broker to know a client's IP address even when the connection is established through reverse proxy that supports the PROXY protocol (e.g. HAProxy, nginx, etc.). +Without PROXY protocol support the broker would see such client connections as coming from the proxy itself which can be misleading for administrators and complicate trouble-shooting. + +Both versions 1 & 2 of the PROXY Protocol are supported. + +Any of our supported messaging protocols can be used in combination with the PROXY protocol with or without TLS. + +== Configuration + +Support for the PROXY Protocol is configured on a per-acceptor basis using the `proxyProtocolEnabled` parameter, e.g.: + +[,xml] +---- +<acceptor name="proxy-artemis">tcp://0.0.0.0:61616?proxyProtocolEnabled=true</acceptor> +---- + +[NOTE] +.Why can't PROXY Protocol detection be automatic? +==== +Support for the PROXY Protocol must be explicitly configured due to security reasons. +As noted in the official https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt[PROXY Protocol documentation]: + +[quote,] +____ +The receiver MUST be configured to only receive the protocol described in this specification and MUST not try to guess whether the protocol header is present or not. +This means that the protocol explicitly prevents port sharing between public and private access. +Otherwise it would open a major security breach by allowing untrusted parties to spoof their connection addresses. +The receiver SHOULD ensure proper access filtering so that only trusted proxies are allowed to use this protocol. 
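Review bot: the configuration example binds the PROXY-enabled acceptor to `0.0.0.0:61616`, which sits awkwardly beside the quoted requirement that "The receiver SHOULD ensure proper access filtering so that only trusted proxies are allowed to use this protocol." Consider showing an address reachable only by the proxy in the example and adding a sentence under Configuration stating that an acceptor with `proxyProtocolEnabled=true` must not be exposed to untrusted networks, since the quoted specification notes that otherwise untrusted parties can spoof their connection addresses. It would also help to document what the acceptor does with a connection that arrives without a PROXY header, which the hunk does not say. Minor wording: "established through reverse proxy" should read "through a reverse proxy", and "trouble-shooting" is usually written "troubleshooting".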
Review Comment: Possibly worth adding something to the sentence below stressing the last element too when enabling it?
