github.com/projectcontour/contour@v1.28.2/site/content/guides/proxy-proto.md (about)

     1  ---
     2  title: How to Configure PROXY v1/v2 Support
     3  layout: page
     4  ---
     5  
     6  If you deploy Contour as a Deployment or Daemonset, you will likely use a `type: LoadBalancer` Service to request an [external load balancer][1] from your hosting provider.
     7  If you use the Elastic Load Balancer (ELB) service from Amazon's EC2, you need to perform a couple of additional steps to enable the [PROXY][0] protocol. Here's why:
     8  
     9  External load balancers typically operate in one of two modes: a layer 7 HTTP proxy, or a layer 4 TCP proxy.
    10  The former cannot be used to load balance TLS traffic, because your cloud provider attempts HTTP negotiation on port 443.
    11  So the latter must be used when Contour handles HTTP and HTTPS traffic.
    12  
    13  However, this means the remote IP address of the client is reported as the inside address of your cloud provider's load balancer.
    14  To rectify the situation, you can add annotations to your service and flags to your Contour Deployment or DaemonSet to enable the [PROXY][0] protocol, which forwards the original client IP details to Envoy.
    15  
    16  ## Enable PROXY protocol on your service in GKE
    17  
    18  In GKE clusters a `type: LoadBalancer` Service is provisioned as a Network Load Balancer and will forward traffic to your Envoy instances with their client addresses intact.
    19  Your services should see the addresses in the `X-Forwarded-For` or `X-Envoy-External-Address` headers without having to enable a PROXY protocol.
    20  
    21  ## Enable PROXY protocol on your service in AWS
    22  
    23  To instruct EC2 to place the ELB into `tcp`+`PROXY` mode, add the following annotations to the `contour` Service:
    24  
    25  ```
    26  apiVersion: v1
    27  kind: Service
    28  metadata:
    29    annotations:
    30      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    31      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
    32    name: contour
    33    namespace: projectcontour
    34  spec:
    35    type: LoadBalancer
    36  ...
    37  ```
    38  
    39  **NOTE**: The service annotation `service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'`, which toggles the PROXY protocol, has no effect on NLBs because of this open [issue][2]. For NLBs, follow the steps in this AWS [documentation][3] to enable the PROXY protocol manually.
    40  
    41  ## Enable PROXY protocol support for all Envoy listening ports
    42  
    43  ```
    44  ...
    45  spec:
    46    containers:
    47    - image: ghcr.io/projectcontour/contour:{{< param latest_version >}}
    48      imagePullPolicy: Always
    49      name: contour
    50      command: ["contour"]
    51      args: ["serve", "--incluster", "--use-proxy-protocol"]
    52  ...
    53  ```
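
To make concrete what the load balancer prepends once PROXY mode is enabled and what the receiving side recovers from it, here is an added example (not Contour or Envoy code) of a strict parser for the human-readable v1 header described in the [PROXY][0] specification. The function name `ParseProxyV1` and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// ParseProxyV1 (hypothetical name) consumes one PROXY v1 line from r and returns
// the original client address. Bytes after the line stay in r for the caller.
func ParseProxyV1(r *bufio.Reader) (netip.AddrPort, error) {
	var none netip.AddrPort
	raw, err := r.ReadSlice('\n') // bounded by the reader's buffer size
	if err != nil {
		return none, err
	}
	line := string(raw)
	// The specification caps a v1 line at 107 bytes including CRLF.
	if len(line) > 107 || !strings.HasSuffix(line, "\r\n") {
		return none, errors.New("malformed PROXY v1 line")
	}
	f := strings.Split(strings.TrimSuffix(line, "\r\n"), " ")
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return none, errors.New("not a PROXY v1 TCP4/TCP6 header")
	}
	src, err := netip.ParseAddr(f[2])
	if err != nil || src.Is4() != (f[1] == "TCP4") {
		return none, errors.New("source address does not match declared family")
	}
	port, err := strconv.ParseUint(f[4], 10, 16)
	if err != nil {
		return none, errors.New("bad source port")
	}
	return netip.AddrPortFrom(src, uint16(port)), nil
}

func main() {
	// Constructed sample: what a TCP-mode load balancer would prepend to a
	// client's first bytes (203.0.113.7 is a documentation address).
	stream := "PROXY TCP4 203.0.113.7 10.0.0.12 51234 443\r\nGET / HTTP/1.1\r\n\r\n"
	r := bufio.NewReader(strings.NewReader(stream))
	client, err := ParseProxyV1(r)
	rest, _ := r.ReadString('\n')
	fmt.Printf("client=%v err=%v next=%q\n", client, err, rest)
}
```

The header carries no authentication, so a listener that accepts it should be reachable only through the load balancer that writes it.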
    54  
    55  [0]: http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
    56  [1]: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer
    57  [2]: https://github.com/kubernetes/kubernetes/issues/57250
    58  [3]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#enable-proxy-protocol