Our Load Balancer API now supports the PROXY Protocol, which is a standard for sending client connection information from proxies through to backend servers.
It works in a similar way to the X-Forwarded-For HTTP header — the load balancer sends the client IP address (and optionally other information) to the backend server before the actual data — except it works for any kind of TCP connection and not just HTTP.
So if you’re load balancing SMTP, for example, your SMTP servers are able to learn the true client IP address — critical for various anti-spam detection systems. Or if you’re load balancing MySQL, your MySQL servers are able to properly apply IP access control.
Your backend services need to support the protocol, but it’s fairly widespread and well supported.
Our new PROXY Protocol support is especially useful for Kubernetes deployments, particularly if you’re using the NGINX ingress controller and want to manage your own Let’s Encrypt certificates. If you use our Kubernetes Cloud Controller Manager, it will now handle adding the relevant backends with the appropriate ports as and when things change too. Just add the brightbox-load-balancer-listener-proxy-protocol annotation:
    apiVersion: v1
    kind: Service
    metadata:
      name: web
      annotations:
        service.beta.kubernetes.io/brightbox-load-balancer-listener-protocol: "tcp"
        service.beta.kubernetes.io/brightbox-load-balancer-healthcheck-protocol: "tcp"
        # Have the load balancer send a PROXY Protocol v2 header to the backends
        service.beta.kubernetes.io/brightbox-load-balancer-listener-proxy-protocol: "v2"
    spec:
      # type is a field of spec, not a top-level field of the Service
      type: LoadBalancer
      selector:
        app: myapp
      ports:
        - name: web
          port: 443
          protocol: TCP
          targetPort: https
There are multiple versions of the protocol that can provide different information, such as SSL information, including client certificate details. Our reference docs have more details on the available options.
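To show what a backend receives with the "v2" setting, here is an added Python example (not Brightbox's code) that parses a PROXY Protocol v2 header and accepts it only when the connection comes from a trusted load balancer address, since a backend that honours the header from any peer lets that peer claim an arbitrary client IP. The function name, the TRUSTED_PROXIES range and the sample bytes are assumptions constructed for the example.

```python
import ipaddress
import struct

# 12-byte signature that opens every PROXY protocol v2 header
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
# Assumption: the range the load balancer connects from (constructed value)
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def parse_proxy_v2(data, peer_ip):
    """Return (client_ip, client_port, payload) for a v2 header from a trusted peer.

    client_ip and client_port are None for LOCAL connections (made by the proxy itself).
    Raises ValueError when the peer is untrusted or the header is malformed.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # An untrusted peer could put any source address it likes in the header
        raise ValueError("PROXY header from untrusted peer")
    if len(data) < 16 or data[:12] != V2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY header")
    body, payload = data[16:16 + length], data[16 + length:]
    command = ver_cmd & 0x0F
    if command == 0:  # LOCAL: no client address to report
        return None, None, payload
    if command != 1:
        raise ValueError("unknown PROXY command")
    family = fam_proto >> 4
    if family == 1 and length >= 12:      # AF_INET: 4+4 address bytes, 2+2 port bytes
        src, port = body[0:4], body[8:10]
    elif family == 2 and length >= 36:    # AF_INET6: 16+16 address bytes, 2+2 port bytes
        src, port = body[0:16], body[32:34]
    else:
        raise ValueError("unsupported address family or short address block")
    # Bytes after the address block are TLVs (TLS details and so on); skipped here
    return str(ipaddress.ip_address(src)), struct.unpack("!H", port)[0], payload


# Constructed sample: client 203.0.113.7:51234 -> 192.0.2.10:443, then application data
SAMPLE = (V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
          + bytes([203, 0, 113, 7]) + bytes([192, 0, 2, 10])
          + struct.pack("!HH", 51234, 443) + b"EHLO example\r\n")
```

The application data starts immediately after the header, so the returned payload must be handed to the protocol handler rather than discarded.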
Support for PROXY Protocol is already available in our Kubernetes Cloud Controller, version 1.13.4, and updates to our CLI and Brightbox Manager will follow soon!