Using proxy_protocol v2 with h2c backend gives wrong IP address to backend. #6342
Comments
|
Ah that makes sense. The connections to the backend are pooled I think, so subsequent requests might appear to come from the same IP as the first backend. I'm not sure if we have a way to turn off pooling in h2c mode right now. |
|
The ntlm-transport does pooling per remote IP address. I wonder if the mechanism can be copied into core for this use case. Now that I said that, I realize the same logic probably covers both NTLM and proxy-protocol + h2c. |
|
@mohammed90 I always thought we should pool connections for the same client ip if proxy protocol is enabled instead of blindly disabling keep-alive. Tried to implement custom pooling but gave up. That package gives me some inspiration. |
|
@CRCinAU Can you try |
|
I'm not really familiar enough with Caddy to be able to pull this off - I've only ever used the docker container from docker hub to use Caddy. Is there any way to bring this into the existing docker container? |
|
Run following dockerfile: The resulting image contains this patch. And you can copy the binary. |
|
I tried running this with h2c:// - but caddy just seemed to hang when talking to the backend... Nothing seemed to make it through to the client. |
|
Any logs available? Please enable debug in the global option. |
|
I'm giving this a go now... I tried it on my main web site - but as it died, I just rolled back straight away. Here's the logs I see from just random internet traffic hitting the site when using h2c:// to the backend. |
|
You need to configure it like this (see https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#the-http-transport): |
This does actually seem to work - ie the connection doesn't hang - on the However, even in this configuration, the wrong remote IP address is displayed by apache - which is the start of this bug report. Trying this again with the instructions above ( #6342 (comment) ), the connection still hangs. Eventually, I get a 502 timeout from the backend: {
"level": "error",
"ts": 1716824790.699319,
"logger": "http.log.error",
"msg": "http2: client conn not usable",
"request": {
"remote_ip": "<my ipv6 address>",
"remote_port": "51640",
"client_ip": "<my ipv6 address>",
"proto": "HTTP/3.0",
"method": "GET",
"host": "<fqdn>",
"uri": "/",
"headers": {
"Sec-Fetch-Dest": [
"document"
],
"Accept-Language": [
"en-GB,en;q=0.6"
],
"Sec-Fetch-Mode": [
"navigate"
],
"Sec-Fetch-User": [
"?1"
],
"Sec-Ch-Ua-Platform": [
"\"Linux\""
],
"Upgrade-Insecure-Requests": [
"1"
],
"Accept": [
"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"
],
"Sec-Gpc": [
"1"
],
"Sec-Fetch-Site": [
"same-origin"
],
"Referer": [
"https://<fqdn>"
],
"Accept-Encoding": [
"gzip, deflate, br, zstd"
],
"Sec-Ch-Ua": [
"\"Brave\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\""
],
"Sec-Ch-Ua-Mobile": [
"?0"
],
"Cookie": [
"REDACTED"
],
"Priority": [
"u=0, i"
],
"Cache-Control": [
"max-age=0"
],
"User-Agent": [
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
]
},
"tls": {
"resumed": false,
"version": 772,
"cipher_suite": 4867,
"proto": "h3",
"server_name": "<fqdn>"
}
},
"duration": 64.009204212,
"status": 502,
"err_id": "07ygq06wq",
"err_trace": "reverseproxy.statusError (reverseproxy.go:1269)"
} |
@francislavoie |
|
Ah, I see yeah caddy/modules/caddyhttp/reverseproxy/httptransport.go Lines 342 to 348 in 77394f2 So just need to use the new build to test I guess. |
|
I think this is a stdlib issue, https://github.com/golang/net/blob/022530c41555839e27aec3868cc480fb7b5e33d4/http2/transport.go#L1028 However h2c requests start with a streamID of 3. https://github.com/golang/net/blob/022530c41555839e27aec3868cc480fb7b5e33d4/http2/transport.go#L836 So requests never get sent in this case. |
|
@CRCinAU Can you try with |
|
@WeidiDeng - Sorry, I'm not the best with Caddy or its build process - I tried the following modified Dockerfile based on the above: However it complains there isn't a tag for ie: Looking at the tags on Docker Hub, I can see that there is a EDIT: I noticed there are images for |
|
That builder has the wrong xcaddy version 0.4.1 instead of the latest 0.4.2. It'll be a while before the docker is ready. |
|
@CRCinAU 2.8.0-builder is ready now, you can try again. |
|
Built ok now, and I can confirm I'm seeing HTTP/2.0 requests to the backend, and it looks to be the correct IP address reported to the backend via the proxy protocol. |
I recently moved over to Caddy as a frontend for one of my sites.
Extract of the Caddyfile:
When configured as above, after a random number of hits, the source IP addresses logged in the reverse proxy will all be the same. This includes ANY host - IPv4 or IPv6.
Changing to use http:// as the backend as follows seems to report the source IP address correctly:
Versions:
The text was updated successfully, but these errors were encountered: