#50470 [RFE] Add PROXY protocol support to 389-ds-base via configuration item - similar to Postfix.
Opened 5 months ago by mreynolds. Modified 3 months ago

Ticket was cloned from Red Hat Bugzilla: Bug 1382123

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:

Please add support to 389-base for the PROXY protocol for ACI evaluation and
also for logging client queries. The proxy protocol is described here:

http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt

Background:
As a network engineer, I can say that having a load balancer in path in your
network is a bad idea. It is bad because it becomes part of the network and it
becomes the weakest link. It limits the capacity of the network and becomes
additional points of failure in the network. The ideal place for a load
balancer is on the side, with the client traffic being network address
translated to address ranges from SNAT pools, where the server receiving the
traffic never directly sees the IP address of the client.

Load balancing out of path traffic to a group of LDAP servers presents a
semi-unique problem when ACIs must be evaluated against client IP address and
also for client logging. The PROXY protocol provides this information
to the backend servers via an additional TCP header so that the ACIs can be
correctly evaluated and client traffic can be logged.

A great example of non-http software that is capable of using the additional
TCP header is the Postfix MTA. There is an announcement here:

http://permalink.gmane.org/gmane.comp.web.haproxy/8881

Version-Release number of selected component (if applicable):


Thank you for your consideration.
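
For reference, a sketch of how a backend could consume the version 1 (text) header from the specification linked above and choose the address used for ACI evaluation and logging. This is an added example, not code from the ticket or from 389-ds-base; the function names, the single trusted-proxy address compared as text, and the policy of dropping a connection whose header is malformed or arrives from an untrusted peer are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a PROXY v1 line (at most 107 bytes, CRLF included) at the start of buf.
 * Returns the bytes to skip before LDAP data, 0 if there is no PROXY header,
 * -1 if malformed. src gets the client address, or "" for "PROXY UNKNOWN". */
int parse_proxy_v1(const char *buf, size_t len, char *src, size_t src_sz)
{
    char line[108], canon[160], fam[8], s[46], d[46], sp[6], dp[6];
    unsigned char bin[sizeof(struct in6_addr)];
    size_t n = 0;

    if (len < 6 || memcmp(buf, "PROXY ", 6) != 0)
        return 0;
    while (n + 1 < len && n < 106 && !(buf[n] == '\r' && buf[n + 1] == '\n'))
        n++;
    if (n + 1 >= len || n >= 106)
        return -1; /* no CRLF within the spec limit */
    memcpy(line, buf, n);
    line[n] = '\0';
    if (strncmp(line, "PROXY UNKNOWN", 13) == 0 && (line[13] == '\0' || line[13] == ' ')) {
        src[0] = '\0'; /* spec: ignore the rest of the line */
        return (int)n + 2;
    }
    if (sscanf(line, "PROXY %7s %45s %45s %5[0-9] %5[0-9]", fam, s, d, sp, dp) != 5)
        return -1;
    snprintf(canon, sizeof canon, "PROXY %s %s %s %d %d", fam, s, d, atoi(sp), atoi(dp));
    if (strlen(canon) != n || memcmp(canon, line, n) != 0)
        return -1; /* extra spaces, leading zeros or trailing bytes */
    int af = strcmp(fam, "TCP4") == 0 ? AF_INET : strcmp(fam, "TCP6") == 0 ? AF_INET6 : -1;
    if (af < 0 || atoi(sp) > 65535 || atoi(dp) > 65535 || strlen(s) >= src_sz ||
        inet_pton(af, s, bin) != 1 || inet_pton(af, d, bin) != 1)
        return -1;
    strcpy(src, s);
    return (int)n + 2;
}

/* Address to use for ACI evaluation and logging, or NULL to drop the connection.
 * peer and proxy are textual addresses (assumed: one trusted proxy, exact match). */
const char *aci_client_ip(const char *peer, const char *proxy,
                          const char *buf, size_t len, char *out, size_t out_sz)
{
    int hdr = parse_proxy_v1(buf, len, out, out_sz);
    if (strcmp(peer, proxy) != 0)
        return hdr == 0 ? peer : NULL; /* a direct client must not send a header */
    return hdr <= 0 ? NULL : out[0] ? out : peer; /* UNKNOWN falls back to peer */
}
```

The header is honoured only when the TCP peer is the configured load balancer; otherwise any client could prepend a header and have IP-based ACIs evaluated against an address of its choosing.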

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1382123

5 months ago

Metadata Update from @mreynolds:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Issue assigned to mhonek

5 months ago

Metadata Update from @mreynolds:
- Issue set to the milestone: 1.4.2 (was: 0.0 NEEDS_TRIAGE)

3 months ago
