Chris, Mark,

Any thoughts on this?

Mark, if we clean up the patch and re-submit, will you have any concerns (especially security-wise)?

Thanks,
Amit

-----Original Message-----
From: Jonathan S. Fisher <exabr...@gmail.com>
Sent: Monday, July 24, 2023 12:41 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat

Just a side note, because we're also very interested in this patch!

A while back, I was successfully able to apply this patch and terminate TCP/TLS using HAProxy. We then had Tomcat listen on a Unix domain socket, and the PROXY protocol provided *most* of the relevant/required information to Tomcat. I believe we had to add a Valve to Tomcat to set the remote IP, however, as the patch didn't handle that case. I can find my notes from that experiment, but I do remember getting a significant boost in throughput and a decrease in latency.

+1 for this patch and willing to help out!

On Mon, Jul 24, 2023 at 11:22 AM Amit Pande <amit.pa...@veritas.com.invalid> wrote:
> Thank you, Chris, again for inputs.
> And sorry to circle back on this, late.
>
> One related question is - does it make sense to use the patch attached in
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830 ?
> And potentially, get it integrated into Tomcat versions?
>
> There are concerns from Mark about using the patch in its current
> state, but I see the last comment (#24) on the issue and it looks like there
> are some more points to be concluded.
>
> Thanks,
> Amit
>
> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Wednesday, May 10, 2023 4:21 PM
> To: users@tomcat.apache.org
> Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat
>
> Amit,
>
> On 5/10/23 12:59, Amit Pande wrote:
> > Yes, we intended to have Tomcat run behind a (transparent) TCP proxy, e.g.
> > https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency
> > which supports the proxy protocol.
> >
> > Since there is not much action on
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=57830,
> > does it imply that most of the time Tomcat is running behind HTTP proxies
> > and not TCP proxies?
> > Or does it mean that Tomcat, or applications running in Tomcat, do not
> > need the remote client address information?
>
> I can't speak for anybody else, but I use Apache httpd as my
> reverse-proxy and I do terminate TLS. I also use it for
> load-balancing/fail-over, caching, some authorization, etc. I wouldn't
> be able to use a TCP load-balancer because I hide multiple services
> behind my reverse-proxy which run in different places. It's not just a dumb
> pass-through.
>
> Hope that helps,
> -chris
>
> > -----Original Message-----
> > From: Christopher Schultz <ch...@christopherschultz.net>
> > Sent: Monday, May 8, 2023 3:40 PM
> > To: users@tomcat.apache.org
> > Subject: [External] Re: Supporting Proxy Protocol in Tomcat
> >
> > Amit,
> >
> > On 5/4/23 16:07, Amit Pande wrote:
> >> We have a similar requirement as mentioned in the below enhancement request.
> >>
> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830
> >>
> >> Is there any plan to add this support in Tomcat in future releases?
> >
> > Nothing at the moment that I know of.
> >
> > I thought that markt had looked at this a while back and said it didn't
> > look too difficult. It does require Tomcat to handle the stream
> > directly and not just rely on Java's SSLServerSocket. I thought that
> > had been done at some point, but it may not have. Handling the stream
> > directly may have some other advantages as well, though it definitely
> > makes the code more complicated.
> >
> >> Also, since this was requested a long time back and there is no
> >> update, are there any other alternatives to pass the client
> >> information from the load balancer to Tomcat in situations where there
> >> is no SSL termination at the load balancer?
> >
> > You mean like a network load balancer where the lb is just proxying
> > bytes and not looking at the data at all? The PROXY protocol really is
> > the best way to do that, honestly.
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org

--
Jonathan | exabr...@gmail.com
Pessimists see a jar as half empty. Optimists, in contrast, see it as half full. Engineers, of course, understand the glass is twice as big as it needs to be.
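The thread talks about what the bug 57830 patch has to do before Tomcat can hand a connection to TLS or HTTP: read the PROXY protocol line that HAProxy or Envoy prepends and recover the original client address from it. The Python below is an added illustration of that step at the protocol level; it is not code from the thread, from the Tomcat patch, or from HAProxy or Envoy. It parses the v1 text header ("PROXY TCP4 src dst sport dport\r\n", at most 107 bytes, or "PROXY UNKNOWN\r\n"), returns the bytes that follow it, and, as a receiver should, honours the asserted client address only when the connection actually comes from a trusted proxy, because a client that can reach the listener directly could otherwise assert any source address it likes. A peer of None models the Unix-domain-socket setup Jonathan describes, where only the local proxy can connect (an assumption of this example). The names ProxyInfo, parse_v1_header, client_address, is_malformed and the sample addresses are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# A v1 header is ASCII text ending in CRLF; the spec caps it at 107 bytes
# (the longest TCP6 form), so a receiver never reads beyond that looking for it.
MAX_V1_HEADER = 107


@dataclass(frozen=True)
class ProxyInfo:
    family: str                  # "TCP4", "TCP6" or "UNKNOWN"
    src_addr: Optional[str]      # original client address, as asserted by the proxy
    dst_addr: Optional[str]      # address the client connected to on the proxy
    src_port: Optional[int]
    dst_port: Optional[int]


class ProxyHeaderError(ValueError):
    """Malformed or unacceptable header; the receiver should drop the connection."""


def _parse_port(text: str) -> int:
    if not text.isdigit() or (len(text) > 1 and text[0] == "0"):
        raise ProxyHeaderError(f"bad port {text!r}")
    port = int(text)
    if port > 65535:
        raise ProxyHeaderError(f"port out of range: {port}")
    return port


def parse_v1_header(data: bytes) -> tuple[ProxyInfo, bytes]:
    """Split a v1 header off the front of `data`; return (info, bytes after CRLF)."""
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("missing PROXY signature")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    try:
        line = data[:end].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII header") from exc
    rest = data[end + 2:]
    fields = line.split(" ")
    family = fields[1]
    if family == "UNKNOWN":
        # The proxy could not determine the original addresses; the spec says to
        # ignore anything after UNKNOWN and treat the proxy itself as the peer.
        return ProxyInfo("UNKNOWN", None, None, None, None), rest
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError(f"malformed header: {line!r}")
    want_version = 4 if family == "TCP4" else 6
    addrs = []
    for text in fields[2:4]:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError as exc:
            raise ProxyHeaderError(f"bad address {text!r}") from exc
        if addr.version != want_version:
            raise ProxyHeaderError(f"{text} is not an IPv{want_version} address")
        addrs.append(str(addr))
    info = ProxyInfo(family, addrs[0], addrs[1],
                     _parse_port(fields[4]), _parse_port(fields[5]))
    return info, rest


def is_malformed(data: bytes) -> bool:
    """True if parse_v1_header rejects `data` (handy for checking edge cases)."""
    try:
        parse_v1_header(data)
    except ProxyHeaderError:
        return True
    return False


def client_address(peer: Optional[str], data: bytes,
                   trusted_proxies: Iterable[str]) -> tuple[Optional[str], bytes]:
    """Return (address to report as the client, remaining stream bytes).

    `peer` is the address the TCP connection actually came from; None models a
    Unix domain socket that only the local proxy can reach (assumption for this
    example). `trusted_proxies` is a list of CIDR strings. Only a trusted peer
    may rewrite the client address: a PROXY line from anywhere else is refused.
    """
    if not data.startswith(b"PROXY "):
        return peer, data                      # plain connection, nothing to strip
    peer_trusted = peer is None or any(
        ipaddress.ip_address(peer) in ipaddress.ip_network(cidr)
        for cidr in trusted_proxies)
    if not peer_trusted:
        raise ProxyHeaderError(f"PROXY header from untrusted peer {peer}")
    info, rest = parse_v1_header(data)
    if info.family == "UNKNOWN":
        return peer, rest                      # fall back to the proxy's own address
    return info.src_addr, rest
```

The two things a connector gets wrong most easily are visible here: the header must be consumed before any TLS or HTTP parsing sees the stream (which is why Chris notes Tomcat has to handle the socket itself rather than lean on SSLServerSocket), and the address it carries is only as trustworthy as the peer that sent it, so the trust decision belongs at the listener, not in a Valve further down the pipeline.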