vuori commented on issue #12489: URL: https://github.com/apache/trafficserver/issues/12489#issuecomment-3271851739
> > 1. Connections with both a PROXY header and without were accepted. In most applications Proxy Protocol listeners require the PROXY header (or v2 equivalent), and documentation states that this should be the case for ATS. Is this expected?
>
> Yes. ATS supports both v1 and v2, and it works on Unix Domain Socket as well.

Yes, both v1 and v2 work, but the [documentation for `server_ports`](https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.yaml.en.html#proxy-config-http-server-ports) states that "if Proxy Protocol is enabled on the port, all incoming requests _must_ be prefaced with the PROXY header" (emphasis added). Currently UDS also works with _no_ PROXY header at all. Is this intended?

For example this works with `pp` enabled (unexpected):

`echo -n -e 'GET http://www.example.com/ HTTP/1.0\r\n\r\n' | nc -U ./sockets/ats.sock`

This also works (expected):

`echo -n -e 'PROXY TCP4 255.255.255.255 255.255.255.255 65535 65535\r\nGET http://www.example.com/ HTTP/1.0\r\n\r\n' | nc -U ./sockets/ats.sock`

> > 2. Client IP passed via proxy protocol was not logged with the % selector: the log format string client_ip=% resulted in the output client_ip= (i.e. empty string).
>
> The documentation is unclear but the `%<chi>` does not log the IP address from PROXY protocol. You can use `%<pps>` for the address instead. The thing is that you cannot switch ATS log fields to use by whether PROXY protocol is used. So if you want to have the real client IP address in `client_ip` regardless of whether PROXY protocol is used, you need to use header_rewrite plugin and set an @ prefixed header so that you can access it from your logging format like `%<{@Real-Client-IP-Address}cqh>`.

Right, I was thinking that "peer" was the client, but looks like I missed the end of the sentence.
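An added example, not ATS code and not part of the comment above: a strict preface check of the kind the quoted `server_ports` documentation sentence describes, parsing PROXY v1 and v2 (TCP over IPv4/IPv6) and refusing a connection that sends no header. The names `read_preface`, `require` and `MissingProxyHeader` are hypothetical, and the input is assumed to be buffered past the end of the header.

```python
import ipaddress
import struct

V1_PREFIX = b"PROXY "
V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte v2 signature

class MissingProxyHeader(Exception):
    """No PROXY preface on a port that requires one."""

def parse_v1(data):
    end = data.find(b"\r\n", 0, 107)  # v1 header is at most 107 bytes incl. CRLF
    if end == -1:
        raise ValueError("unterminated v1 header")
    f, rest = data[:end].decode("ascii").split(" "), data[end + 2:]
    if f[1] == "UNKNOWN":  # sender could not determine the client address
        return None, rest
    if len(f) != 6 or f[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed v1 header")
    src, dst = ipaddress.ip_address(f[2]), ipaddress.ip_address(f[3])
    want = 4 if f[1] == "TCP4" else 6
    ports_ok = all(p.isdigit() and int(p) <= 65535 for p in f[4:])
    if src.version != want or dst.version != want or not ports_ok:
        raise ValueError("bad v1 address or port")
    return (str(src), int(f[4])), rest

def parse_v2(data):
    if len(data) < 16:
        raise ValueError("truncated v2 header")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    body, rest = data[16:16 + length], data[16 + length:]
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F > 1 or len(body) < length:
        raise ValueError("bad v2 header")
    if ver_cmd & 0x0F == 0:  # LOCAL command carries no client address
        return None, rest
    size = {0x11: 4, 0x21: 16}.get(fam)  # TCP over IPv4 / TCP over IPv6
    if size is None or length < 2 * size + 4:
        raise ValueError("unsupported v2 address family")
    sport = struct.unpack("!H", body[2 * size:2 * size + 2])[0]
    return (str(ipaddress.ip_address(body[:size])), sport), rest

def read_preface(data, require=True):
    """Return (kind, client, payload) for the buffered start of a connection."""
    if data.startswith(V2_SIG):
        return ("v2", *parse_v2(data))
    if data.startswith(V1_PREFIX):
        return ("v1", *parse_v1(data))
    if require:  # strict mode, as in the quoted documentation sentence
        raise MissingProxyHeader("PROXY header required on this port")
    return ("none", None, data)  # permissive mode: treated as a plain request
```

With `require=False` the client address is `None` for a bare request, so any access control or logging keyed on it has to handle that case explicitly.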