Just a side note, because we're also very interested in this patch! A while back, I was successfully able to apply this patch and terminate TCP/TLS using HAProxy. We then had Tomcat listen on a Unix domain socket and the PROXY protocol provided *most* of the relevant/required information to Tomcat. I believe we had to add a Valve to Tomcat to set the remote IP, however, as the patch didn't handle that case.
I can find my notes from that experiment, but I do remember getting a significant boost in throughput and decrease in latency. +1 for this patch and willing to help out!

On Mon, Jul 24, 2023 at 11:22 AM Amit Pande <amit.pa...@veritas.com.invalid> wrote:
> Thank you, Chris, again for inputs.
> And sorry to circle back on this, late.
>
> One related question is - does it make sense to use the patch attached in
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830 ?
> And potentially, get it integrated into Tomcat versions?
>
> There are concerns from Mark about using the patch in its current state,
> but I see the last comment (#24) on the issue and it looks like there are some
> more points to be concluded.
>
> Thanks,
> Amit
>
> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Wednesday, May 10, 2023 4:21 PM
> To: users@tomcat.apache.org
> Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat
>
> Amit,
>
> On 5/10/23 12:59, Amit Pande wrote:
> > Yes, we intended to have Tomcat run behind a (transparent) TCP proxy e.g.
> > https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency
> > which supports the proxy protocol.
> >
> > Since there is not much action on this
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=57830, does it imply that
> > most of the time Tomcat is running behind HTTP proxies and not TCP proxies?
> > Or does it mean that Tomcat or applications running in Tomcat do not
> > need the remote client address information?
>
> I can't speak for anybody else, but I use Apache httpd as my reverse-proxy
> and I do terminate TLS. I also use it for load-balancing/fail-over,
> caching, some authorization, etc. I wouldn't be able to use a TCP
> load-balancer because I hide multiple services behind my reverse-proxy
> which run in different places. It's not just a dumb pass-through.
>
> Hope that helps,
> -chris
>
> > -----Original Message-----
> > From: Christopher Schultz <ch...@christopherschultz.net>
> > Sent: Monday, May 8, 2023 3:40 PM
> > To: users@tomcat.apache.org
> > Subject: [External] Re: Supporting Proxy Protocol in Tomcat
> >
> > Amit,
> >
> > On 5/4/23 16:07, Amit Pande wrote:
> >> We have a similar requirement as mentioned in the below enhancement request.
> >>
> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830
> >>
> >> Is there any plan to add this support in Tomcat in future releases?
> >
> > Nothing at the moment that I know of.
> >
> > I thought that markt had looked at this a while back and said it didn't
> > look too difficult. It does require Tomcat to handle the stream directly
> > and not just rely on Java's SSLServerSocket. I thought that had been done
> > at some point, but it may not have. Handling the stream directly may have
> > some other advantages as well, though it definitely makes the code more
> > complicated.
> >
> >> Also, since this was requested a long time back and there is no update,
> >> are there any other alternatives to pass the client information from
> >> load balancer to Tomcat in situations where there is no SSL
> >> termination at load balancer?
> >
> > You mean like a network load balancer where the lb is just proxying
> > bytes and not looking at the data at all? The PROXY protocol really is the
> > best way to do that, honestly.
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org

--
Jonathan | exabr...@gmail.com
Pessimists, see a jar as half empty. Optimists, in contrast, see it as half full. Engineers, of course, understand the glass is twice as big as it needs to be.
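The thread above turns on one mechanism: a TCP-level proxy (HAProxy, Envoy) prepends a PROXY protocol line to each backend connection so that Tomcat can learn the real client address even though the proxy never looks at the HTTP payload. The example below is an added illustration, not code from the Bugzilla patch, from Tomcat, or from any poster in the thread. It parses the text (v1) form of that header the way a receiver should, rejecting anything that deviates from the specification, and it applies the check that makes the whole scheme safe: a PROXY line may only rewrite the client address when the connection actually comes from a proxy you trust, since any other peer could send the same line and spoof an address. The sample header bytes and the `10.0.0.0/8` proxy range are constructed for the example.

```python
"""PROXY protocol v1 receiver: strict header parsing plus a trust check.

Constructed example. It handles the text form of the header that HAProxy
and Envoy emit ("PROXY TCP4 <src> <dst> <sport> <dport>\r\n"); the binary
v2 form is detected and refused rather than guessed at.
"""
import ipaddress
import re

MAX_V1_HEADER = 107  # longest valid v1 line, CRLF included, per the spec
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte signature of binary v2
_PORT_RE = re.compile(r"^(0|[1-9][0-9]{0,4})$")  # decimal, no leading zeros


class ProxyHeaderError(ValueError):
    """Raised for any malformed header; the caller should drop the connection."""


def parse_proxy_v1(data: bytes):
    """Parse a v1 header at the start of `data`.

    Returns (info, remaining_bytes). `info` carries the advertised addresses
    and ports, or only {"family": "UNKNOWN"} when the proxy could not
    determine them (e.g. a health check), in which case the receiver keeps
    the socket peer address instead.
    """
    if data.startswith(V2_SIGNATURE):
        raise ProxyHeaderError("binary PROXY v2 header is not supported here")
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("missing PROXY signature")
    # The CRLF must appear within the first 107 bytes; a longer line is
    # either garbage or an attempt to make the receiver buffer indefinitely.
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ProxyHeaderError("no CRLF within %d bytes" % MAX_V1_HEADER)
    try:
        text = data[:end].decode("ascii")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII bytes in header")
    fields = text.split(" ")  # fields are separated by exactly one space
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return {"family": "UNKNOWN"}, rest
    if len(fields) != 6:
        raise ProxyHeaderError("expected 6 space-separated fields, got %d" % len(fields))
    _, family, src, dst, sport, dport = fields
    if family not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("unsupported family %r" % family)
    want_version = 4 if family == "TCP4" else 6
    try:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        raise ProxyHeaderError("malformed address")
    if src_ip.version != want_version or dst_ip.version != want_version:
        raise ProxyHeaderError("address does not match declared family")
    ports = []
    for p in (sport, dport):
        if not _PORT_RE.match(p) or int(p) > 65535:
            raise ProxyHeaderError("bad port %r" % p)
        ports.append(int(p))
    info = {"family": family, "src": str(src_ip), "dst": str(dst_ip),
            "src_port": ports[0], "dst_port": ports[1]}
    return info, rest


def client_address(peer_ip: str, data: bytes, trusted_proxies):
    """Return (address_to_report, remaining_bytes) for a new connection.

    Only a peer inside `trusted_proxies` (CIDR strings) may rewrite the
    client address. Any other peer keeps its socket address and its bytes
    are passed through untouched, so a forged PROXY line has no effect.
    A stricter deployment would close such connections outright.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        return peer_ip, data
    info, rest = parse_proxy_v1(data)
    if info["family"] == "UNKNOWN":
        return peer_ip, rest
    return info["src"], rest


if __name__ == "__main__":
    # Constructed sample: header from a trusted proxy, followed by the request.
    sample = b"PROXY TCP4 198.51.100.7 203.0.113.10 51234 443\r\nGET / HTTP/1.1\r\n"
    print(client_address("10.0.0.5", sample, ["10.0.0.0/8"]))
    print(client_address("192.0.2.9", sample, ["10.0.0.0/8"]))  # untrusted peer, line ignored
```

With HAProxy, the `send-proxy` keyword on the backend `server` line is what produces this header. In the Unix-domain-socket setup described at the top of this message the peer has no IP address at all; there the equivalent of the trust check is the filesystem permission on the socket, which must allow only the proxy to connect.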