How to parse a custom PROXY protocol v2 header for custom routing in an HAProxy configuration?


How can one parse the PROXY protocol version 2 header and use the parsed values to select a backend?

Specifically, I am making a connection from one AWS account to another using a VPC PrivateLink endpoint with PROXY v2 enabled. This includes the endpoint ID according to the docs.

The Proxy Protocol header also includes the ID of the endpoint. This information is encoded using a custom Type-Length-Value (TLV) vector as follows.

My goal is to connect from a resource A in account 1 to a resource B in account 2. The plan is resource A -> PrivateLink -> NLB (with PROXY v2 enabled) -> HAProxy -> resource B.

I need to detect the VPC PrivateLink endpoint ID in the HAProxy frontend to select the correct backend. How can this be done? I'm not clear on how to call a custom parser in the HAProxy configuration, or whether this is even possible. Is it? If so, how can this be done?

Reason I can't just use source IP: It is possible for private IP spaces to overlap in my architecture. There will be several accounts acting as account 1 in the example above, so I have to do destination routing based on the endpoint ID rather than the source IP exposed by the PROXY usage.

Examples

Not good

This is our current scenario. In it, two inbound connections from different VPCs having the same private IP address space cannot be distinguished.

frontend salt_4506_acctA_front
        bind 10.0.1.32:4506 accept-proxy
        mode tcp
        default_backend salt_4506_acctA_back

backend salt_4506_acctA_back
        balance roundrobin
        mode tcp
        server salt-master-ecs 192.168.0.88:32768

If we need to route connections for acctB's VPC using the same IP, there would be no way to distinguish them.

Ideal

An ideal solution would be to modify this to something like the following (though I recognize this won't work; it is just pseudo-configuration).

frontend salt_4506_acctA_front
        bind *:4506 accept-proxy if endpointID == vpce-xxxxxxx1
        mode tcp
        default_backend salt_4506_acctA_back

backend salt_4506_acctA_back
        balance roundrobin
        mode tcp
        server salt-master-ecs 192.168.0.88:32768

Any other options in place of HAProxy for destination routing based on the endpoint ID are also acceptable, but HAProxy seemed like the obvious candidate.


There is 1 answer

Aleksandar

Looks like AWS uses the "2.2.7. Reserved type ranges" as described in https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt, therefore you will need to parse this part on your own.

This could be possible in Lua, maybe; I'm not an expert in Lua, yet ;-)
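To make the "parse this part on your own" step concrete, here is an added example (not part of the answer above, and not code from HAProxy or AWS) of a PROXY protocol v2 parser in Python that walks the header as laid out in the spec linked above, collects the TLVs that follow the address block, pulls the VPC endpoint ID out of the AWS vendor TLV, and looks the ID up in a routing table to pick a backend. The TLV type 0xEA with subtype byte 0x01 for the endpoint ID is taken from AWS's NLB proxy protocol documentation; the endpoint IDs, backend names and routing table are made up for the example, and the header builder at the bottom only exists to construct sample input offline.

```python
"""PROXY protocol v2 parser that routes on the AWS VPC endpoint ID TLV (example code)."""
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte v2 signature from the spec
PP2_TYPE_AWS = 0xEA                        # AWS vendor TLV type (AWS NLB proxy protocol docs)
PP2_SUBTYPE_AWS_VPCE_ID = 0x01             # first value byte: subtype "VPC endpoint ID"

# unpack formats for the address block, keyed by the family nibble: INET, INET6, UNIX
_ADDR_FORMATS = {0x1: "!4s4sHH", 0x2: "!16s16sHH", 0x3: "!108s108s"}

# Hypothetical routing table: VPC endpoint ID -> HAProxy backend name (both made up).
ROUTES = {
    "vpce-0aaa111122223333a": "salt_4506_acctA_back",
    "vpce-0bbb444455556666b": "salt_4506_acctB_back",
}


def parse_proxy_v2(data):
    """Return (header_info, remaining_payload); raise ValueError on anything malformed."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 0x2:
        raise ValueError("unsupported PROXY version %d" % (ver_cmd >> 4))
    command = ver_cmd & 0x0F                 # 0x0 = LOCAL, 0x1 = PROXY
    if command not in (0x0, 0x1):
        raise ValueError("unknown command %#x" % command)
    if len(data) < 16 + length:
        raise ValueError("truncated header, %d bytes missing" % (16 + length - len(data)))
    body, rest = data[16:16 + length], data[16 + length:]
    info = {"command": "PROXY" if command == 0x1 else "LOCAL", "tlvs": {}}
    if command == 0x0:                       # LOCAL: spec says to discard the whole block
        return info, rest
    family = fam_proto >> 4
    fmt = _ADDR_FORMATS.get(family)
    if fmt is None:                          # UNSPEC or unknown family: reject rather than guess
        raise ValueError("unsupported address family %#x" % family)
    size = struct.calcsize(fmt)
    if len(body) < size:
        raise ValueError("address block shorter than the family requires")
    fields = struct.unpack(fmt, body[:size])
    if family in (0x1, 0x2):
        info["src"], info["dst"] = str(ipaddress.ip_address(fields[0])), str(ipaddress.ip_address(fields[1]))
        info["src_port"], info["dst_port"] = fields[2], fields[3]
    else:
        info["src"], info["dst"] = (f.rstrip(b"\x00").decode() for f in fields)
    # Everything after the address block is a TLV sequence: type(1) length(2, big-endian) value(n).
    pos = size
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        value = body[pos + 3:pos + 3 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("TLV %#x runs past the header length" % tlv_type)
        info["tlvs"][tlv_type] = value
        pos += 3 + tlv_len
    return info, rest


def aws_vpce_id(info):
    """Return the VPC endpoint ID carried in the AWS TLV (0xEA, subtype 0x01), or None."""
    value = info["tlvs"].get(PP2_TYPE_AWS)
    if not value or value[0] != PP2_SUBTYPE_AWS_VPCE_ID:
        return None
    try:
        return value[1:].decode("ascii")
    except UnicodeDecodeError:
        return None


def select_backend(data, routes=ROUTES):
    """Parse the header and return (backend name or None, parsed header info)."""
    info, _payload = parse_proxy_v2(data)
    return routes.get(aws_vpce_id(info)), info


# --- helpers that build sample input the way an NLB would (constructed test data) ---
def aws_vpce_tlv(vpce_id):
    return (PP2_TYPE_AWS, bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("ascii"))


def build_proxy_v2(src, dst, src_port, dst_port, tlvs=()):
    """Build a v2 PROXY header for a TCP connection plus optional TLVs."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    family = 0x1 if src_ip.version == 4 else 0x2
    body = src_ip.packed + dst_ip.packed + struct.pack("!HH", src_port, dst_port)
    for tlv_type, value in tlvs:
        body += struct.pack("!BH", tlv_type, len(value)) + value
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, (family << 4) | 0x1, len(body)) + body


if __name__ == "__main__":
    # Two connections with the same overlapping private source IP but different endpoint IDs.
    for vpce in ROUTES:
        header = build_proxy_v2("10.0.0.5", "10.0.1.32", 51000, 4506, [aws_vpce_tlv(vpce)])
        backend, info = select_backend(header + b"payload")
        print(info["src"], vpce, "->", backend)
```

The two sample connections share source address 10.0.0.5 and still land on different backends, which is exactly the overlapping-address case the question describes. Two practical caveats: whatever consumes this header (a Lua action, a small proxy in front of HAProxy, or anything else) must be reachable only from the NLB, because a client that can reach the listener directly can send a forged header with someone else's endpoint ID and be routed into their backend; and HAProxy 2.9 added a `fc_pp_tlv(<type>)` sample fetch that exposes raw PROXY v2 TLVs to ACLs, so on that version or later the same routing decision can be made in the configuration without a custom parser. Check the configuration manual for your HAProxy version before writing one.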