Re: [jetty-dev] Allowing Jetty Proxy protocol support to fallback to regular HTTP

> On Apr 1, 2016, at 5:01 PM, Simone Bordet <sbordet@xxxxxxxxxxx> wrote:
> 
> Hi,
> 
> On Fri, Apr 1, 2016 at 8:11 PM, Steven Schlansker
> <stevenschlansker@xxxxxxxxx> wrote:
>> In our case, we have an AWS ELB configured to do TCP passthrough, and as such we lose our
>> client's IP.  We'd like to upgrade, but currently we can neither add Proxy to the ELB
>> first (since that would ruin our non-Proxy-aware Jetty setup) nor can we add Proxy
>> to Jetty, since that would ruin our existing non-Proxy ELB connections.
> 
> I am not sure I understand.
> 
> If the ELB does not send the PROXY bytes, then the server does not
> need PROXY support.
> If the ELB sends the PROXY bytes, then you need PROXY support on the server.

Correct, but you could be in a situation where you have mixed
PROXY and non-PROXY traffic.

Imagine you have a cluster of 10 load balancers and 10 Jetty servers.
How do you atomically upgrade all 10 load balancers to send PROXY
and 10 Jettys to receive PROXY, when any connection that is mismatched
will be dropped?

> 
> I don't understand how you can have a mixed situation.
> Do you have traffic that does not come from the ELB that would hit the
> server without PROXY bytes ?
> If so, why don't you just use another connector on a different port ?
> 

We could set up an entirely parallel set of connectors and deployments.
But the work to do this is large -- we have many datacenters across many
continents, each of which has its own ELB -> Jetty input pipeline.
Each one of these would need a temporary transition, where we first
create a new connector, switch traffic over, and then remove the old
connector.

Wouldn't it be much easier if Jetty could autodetect?  Then you can first
upgrade Jetty, then enable it on ELB, and no need to do this dangerous
rerouting of traffic at all :)

I've optimistically started implementing this feature:
https://github.com/eclipse/jetty.project/pull/478

It's not done yet, but I think it proves that it is possible.
The remaining trickiness is around testing a mixed PROXY/SSL connection.

Do you have some specific reason this feature is not a good idea?
It seems like it would be extremely handy.

Thanks!

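The autodetection proposed above, sketched as an added Python example (it is not Jetty code and not the linked PR): a connector peeks at the first bytes of each connection, hands PROXY v1/v2 connections to a PROXY handler and everything else to plain HTTP, and waits when the prefix is still ambiguous. The trusted-proxy set is an assumption of this example; a server that honours PROXY lines from arbitrary peers would let any client claim any source IP, so the fallback only makes sense together with that check.

```python
import ipaddress

PROXY_V1_PREFIX = b"PROXY "                     # text form, one line ending in CRLF
PROXY_V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte binary v2 preamble
V1_MAX_LINE = 107                               # spec limit for a v1 line incl. CRLF

def sniff(head: bytes) -> str:
    """Classify the first bytes of a connection as "v1", "v2" or "plain".
    Returns "need_more" while the bytes seen so far are still a proper prefix of
    a PROXY signature: a single TCP read may deliver only b"PRO", and the
    connector must read further rather than guess which handler to use."""
    for signature, kind in ((PROXY_V2_SIGNATURE, "v2"), (PROXY_V1_PREFIX, "v1")):
        if head.startswith(signature):
            return kind
        if signature.startswith(head):
            return "need_more"
    return "plain"

def parse_v1(head: bytes):
    """Parse a v1 line; return (src_ip, src_port, remainder), or None while the
    line is still incomplete. Raises ValueError for malformed or oversized lines."""
    end = head.find(b"\r\n")
    if end < 0:
        if len(head) >= V1_MAX_LINE:
            raise ValueError("PROXY v1 line exceeds %d bytes" % V1_MAX_LINE)
        return None
    fields = head[:end].split(b" ")
    if len(fields) != 6 or fields[1] not in (b"TCP4", b"TCP6"):
        raise ValueError("malformed PROXY v1 line")
    src_ip = ipaddress.ip_address(fields[2].decode("ascii"))  # raises on junk
    src_port = int(fields[4])
    return str(src_ip), src_port, head[end + 2:]

def client_address(head: bytes, peer_ip: str, trusted_proxies):
    """Return (client_ip, remaining_bytes) for a connection from peer_ip, or None
    if more bytes are needed. PROXY headers are honoured only from the load
    balancers' addresses (assumed set); otherwise any client could claim any IP."""
    kind = sniff(head)
    if kind == "plain":
        return peer_ip, head                    # legacy non-PROXY ELB or direct client
    if kind == "need_more":
        return None
    if peer_ip not in trusted_proxies:
        raise ValueError("PROXY header from untrusted peer %s" % peer_ip)
    if kind == "v2":
        raise ValueError("PROXY v2 body parsing is out of scope for this example")
    parsed = parse_v1(head)
    return None if parsed is None else (parsed[0], parsed[2])
```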