Hi [email protected],

Our ops team has requested a behavior change for: https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.yaml.en.html#proxy-config-http-proxy-protocol-allowlist

Consider the change via the following PR from a few years ago: https://github.com/apache/trafficserver/pull/9383

With that 9383 PR, client connections to :pp server_ports are now "flexible" in the sense that ATS will gracefully handle both Proxy Protocol traffic on those ports as well as non-Proxy Protocol traffic. proxy.config.http.proxy_protocol_allowlist, on the other hand, was kept "strict" in the sense that, if the list was non-empty, only client connections from the IP addresses in proxy_protocol_allowlist would be accepted by ATS. All other connections from non-allowed IP addresses would be rejected, regardless of whether they contained Proxy Protocol headers or not.

The request is to make proxy_protocol_allowlist enforcement only reject **Proxy Protocol** connections that are not from the allow list of IP addresses, while otherwise not impacting other non-Proxy Protocol connections. For those, ip_allow.yaml or another ACL mechanism could be used to gate that traffic by IP per their intended design.

This sounds reasonable to me. A Proxy Protocol allow list probably most naturally should only block Proxy Protocol traffic. I've implemented it here: https://github.com/apache/trafficserver/pull/13125

I consider this an incompatible change: it's possible that connections that were rejected will now, with this change, no longer be rejected (that is, connections from IP addresses not in the allow list but not containing Proxy Protocol headers). I think it best to not change that behavior mid-10. Thus this would be 11-only.

Any concerns?

Thanks!
Brian Neradt

--
"Come to Me, all who are weary and heavy-laden, and I will give you rest. Take My yoke upon you and learn from Me, for I am gentle and humble in heart, and you will find rest for your souls. For My yoke is easy and My burden is light." ~ Matthew 11:28-30
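To make the compatibility impact of the proposed change concrete, the following is an added model (written for this thread, not ATS code or the PR's logic) of the two allowlist semantics described above. It assumes allowlist entries may be written as plain IPs or CIDR blocks (an assumption of the model; the real setting may only take plain addresses) and treats ip_allow.yaml as a second, separate IP ACL stage that an operator uses to close the gap the new semantics open.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    client_ip: str
    has_pp_header: bool  # connection began with a PROXY protocol header?


def _allowed(ip: str, allowlist: list[str]) -> bool:
    # Assumption: entries may be plain IPs or CIDR blocks.
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in allowlist)


def strict_policy(conn: Conn, allowlist: list[str]) -> bool:
    """Current ("strict") semantics: a non-empty allowlist gates every
    connection on a :pp port by source IP, with or without a PROXY header."""
    if not allowlist:
        return True
    return _allowed(conn.client_ip, allowlist)


def pp_only_policy(conn: Conn, allowlist: list[str]) -> bool:
    """Proposed semantics: only connections carrying a PROXY header are
    gated by the allowlist; other connections are left to ip_allow.yaml/ACLs."""
    if not allowlist or not conn.has_pp_header:
        return True
    return _allowed(conn.client_ip, allowlist)


def newly_accepted(conns: list[Conn], allowlist: list[str]) -> list[Conn]:
    """The incompatible delta: rejected under strict, accepted under pp-only."""
    return [c for c in conns
            if not strict_policy(c, allowlist) and pp_only_policy(c, allowlist)]


def pp_only_with_acl(conn: Conn, allowlist: list[str], acl_allow: list[str]) -> bool:
    """How an operator restores IP gating after the change: the Proxy Protocol
    allowlist handles PROXY-header traffic, an ip_allow-style ACL handles the rest."""
    return pp_only_policy(conn, allowlist) and _allowed(conn.client_ip, acl_allow)


# Constructed sample: one load balancer subnet is trusted to send PROXY headers.
ALLOWLIST = ["10.0.0.0/24"]
SAMPLE = [Conn("10.0.0.5", True), Conn("10.0.0.5", False),
          Conn("192.0.2.7", True), Conn("192.0.2.7", False)]
```

Running `newly_accepted(SAMPLE, ALLOWLIST)` shows that only the non-Proxy-Protocol connection from outside the allowlist changes outcome, which is exactly the traffic the message says should be gated by ip_allow.yaml instead.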
