Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-19240

[RFE] Add PROXY protocol support to 389-ds-base via confiuration item - similar to Postfix [rhel-8.10.0]

    • 389-ds-1.4-8100020240116191029.945b6f6d
    • Medium
    • rhel-sst-idm-ds
    • ssg_idm
    • 20
    • 29
    • 3
    • QE ack, Dev ack
    • False
    • Hide

      None

      Show
      None
    • Yes
    • None
    • Approved Exception
    • Feature
    • Hide
      .The HAProxy protocol is now supported for the `389-ds-base` package

      Previously, Directory Server did not differentiate incoming connections between proxy and non-proxy clients. With this update, you can use the new `nsslapd-haproxy-trusted-ip` multi-valued configuration attribute to configure the list of trusted proxy servers. When `nsslapd-haproxy-trusted-ip` is configured under the `cn=config` entry, Directory Server uses the HAProxy protocol to receive client IP addresses via an additional TCP header so that access control instructions (ACIs) can be correctly evaluated and client traffic can be logged.

      If an untrusted proxy server initiates a bind request, Directory Server rejects the request and records the following message to the error log file:

      [literal,subs="+quotes"]
      ....
      [time_stamp] conn=5 op=-1 fd=64 Disconnect - Protocol error - Unknown Proxy - P4
      ....

      // For more details, see link:https://access.redhat.com/documentation/en-us/red_hat_directory_server/12/html/configuration_and_schema_reference/assembly_core-server-configuration-attributes_config-schema-reference-title#nsslapd-haproxy-trusted-ip_assembly_cn-config[nsslapd-haproxy-trusted-ip]
      Show
      .The HAProxy protocol is now supported for the `389-ds-base` package Previously, Directory Server did not differentiate incoming connections between proxy and non-proxy clients. With this update, you can use the new `nsslapd-haproxy-trusted-ip` multi-valued configuration attribute to configure the list of trusted proxy servers. When `nsslapd-haproxy-trusted-ip` is configured under the `cn=config` entry, Directory Server uses the HAProxy protocol to receive client IP addresses via an additional TCP header so that access control instructions (ACIs) can be correctly evaluated and client traffic can be logged. If an untrusted proxy server initiates a bind request, Directory Server rejects the request and records the following message to the error log file: [literal,subs="+quotes"] .... [time_stamp] conn=5 op=-1 fd=64 Disconnect - Protocol error - Unknown Proxy - P4 .... // For more details, see link: https://access.redhat.com/documentation/en-us/red_hat_directory_server/12/html/configuration_and_schema_reference/assembly_core-server-configuration-attributes_config-schema-reference-title#nsslapd-haproxy-trusted-ip_assembly_cn-config [nsslapd-haproxy-trusted-ip]
    • Done
    • None

      Description of problem:

      Please add support to 389-base for the PROXY protocol for ACI evaluation and also for logging client queries. The proxy protocol is described here:

      http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt

      Background:
      As a network engineer, I can say that having a load balancer in path in your network is a bad idea. It is bad because it becomes part of the network and it becomes the weakest link. It limits the capacity of the network and becomes additional points of failure in the network. The ideal place for a load balancer is on the side, with the client traffic being network address translated to address ranges from SNAT pools, where the server recieving the traffic never directly sees the IP address of the client.

      Loadbalancing out of path traffic to a group of ldap servers presents a semi-unique problem when ACIs must be evaluated against client IP address and also for client logging. The PROXY protocol provides provides this information to the backend servers via an additional TCP header so that the ACIs can be correctly evaluated and client traffic can be logged.

      A great example of non-http software that is capable of using the additional tcp header is the Postfix MTA. There is an announcement here:

      http://permalink.gmane.org/gmane.comp.web.haproxy/8881

      Version-Release number of selected component (if applicable):

      Thank you for your consideration.

              spichugi@redhat.com Simon Pichugin
              mgalgoci Matthew Galgoci
              Barbora Simonova Barbora Simonova
              Evgenia Martyniuk Evgenia Martyniuk
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: