feat: add PROXY Protocol support for TCP ingress rules #1200

Open
sairus2k opened this issue Feb 16, 2025 · 5 comments
Labels
enhancement New feature or request v3-release

Comments

@sairus2k

Discussed in https://github.com/orgs/swiftwave-org/discussions/1199

Originally posted by sairus2k February 16, 2025

Problem

When services are deployed behind HAProxy, the original client IP address is lost and replaced with HAProxy's local address. This creates problems for services that depend on the client's real IP address, such as SMTP servers performing SPF checks.

Proposed solution

Implement PROXY protocol support for TCP ingress rules by:

  1. Adding a Use proxy protocol option when creating TCP ingress rules
  2. Including an option to specify the PROXY protocol version (v1 or v2)
    • Version 1: human-readable format (required for SMTP servers)
    • Version 2: binary format

For detailed information about the PROXY protocol, refer to the HAProxy documentation.

Current workaround

While it's possible to manually add the send-proxy option to the backend of the application in /var/lib/swiftwave/haproxy/haproxy.cfg, this is not ideal as the file is generated and so it may be overwritten during updates.

Example logs

Without PROXY protocol

[2025-02-15 15:52:30] INFO  [#77ly6prphqq4hjnt] Connection from swiftwave_haproxy.wxlgfc5ojgvee0gktdcnyco33.ir6mcm2iqm8a1ql4gv464jqll.swiftwave_network

With PROXY protocol enabled using the send-proxy option

[2025-02-15 16:24:22] INFO  [#ex4pvmdvfbvidlne] [ex4pvmdvfbvidlne] PROXY from 209.85.218.49 through 172.18.0.5 (["TCP4","209.85.218.49","172.18.0.5","51204","25"])
[2025-02-15 16:24:22] INFO  [#ex4pvmdvfbvidlne] Connection from mail-ej1-f49.google.com

As shown in the logs, enabling the PROXY protocol helps maintain the original client information, which is crucial for proper service functionality.
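The two header formats named in the proposal, as an added example that is not part of the original issue or of SwiftWave's code: a Python parser a backend could use for the PROXY v1 text line and the v2 binary header, accepting the header only when the TCP peer is the proxy so that a direct connection cannot supply its own client address. The function names, the `TRUSTED_PROXIES` subnet and the peer address are assumptions; `SAMPLE_V1` is constructed from the values in the log line above.

```python
import ipaddress
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY v2 signature
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]  # assumption: subnet HAProxy connects from
SAMPLE_V1 = b"PROXY TCP4 209.85.218.49 172.18.0.5 51204 25\r\nEHLO example\r\n"  # constructed sample

def parse_proxy_header(data, peer_ip):
    """Return (version, client_ip, client_port, header_len); raise ValueError on any problem."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # A header from any other peer is unauthenticated input and must not set the client IP.
        raise ValueError("PROXY header from untrusted peer")
    if data.startswith(V2_SIG):
        return _parse_v2(data)
    if data.startswith(b"PROXY "):
        return _parse_v1(data)
    raise ValueError("no PROXY header")

def _parse_v1(data):
    end = data.find(b"\r\n", 0, 107)  # a v1 line is at most 107 bytes including CRLF
    if end == -1:
        raise ValueError("v1 header not terminated")
    parts = data[:end].decode("ascii").split(" ")
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported v1 header")  # also rejects "PROXY UNKNOWN"
    src, port = ipaddress.ip_address(parts[2]), int(parts[4])
    if src.version != (4 if parts[1] == "TCP4" else 6) or not 0 <= port <= 65535:
        raise ValueError("address family or port invalid")
    return 1, str(src), port, end + 2

def _parse_v2(data):
    if len(data) < 16:
        raise ValueError("v2 header truncated")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != 0x21 or len(data) < 16 + length:  # 0x21 = version 2, command PROXY
        raise ValueError("unsupported or truncated v2 header")
    if fam_proto == 0x11 and length >= 12:  # TCP over IPv4: src(4) dst(4) sport(2) dport(2)
        src, port = data[16:20], data[24:26]
    elif fam_proto == 0x21 and length >= 36:  # TCP over IPv6: src(16) dst(16) sport(2) dport(2)
        src, port = data[16:32], data[48:50]
    else:
        raise ValueError("unsupported v2 address family")
    return 2, str(ipaddress.ip_address(src)), int.from_bytes(port, "big"), 16 + length
```

The returned `header_len` tells the caller where the application protocol (here, the SMTP dialogue) begins in the received bytes.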

@sairus2k sairus2k changed the title Add PROXY Protocol support for TCP ingress rules feat: add PROXY Protocol support for TCP ingress rules Feb 16, 2025
@tanmoysrt tanmoysrt added enhancement New feature or request v3-release labels Feb 16, 2025
@tanmoysrt
Member

tanmoysrt commented Feb 16, 2025

> While it's possible to manually add the send-proxy option to the backend of the application in /var/lib/swiftwave/haproxy/haproxy.cfg, this is not ideal as the file is generated and so it may be overwritten during updates.

Unless you delete the ingress rule from the UI, that backend block and your changes will stay there regardless of other changes.

P.S. If you delete all the ingress rules connected to that port of your application, only then will that block be removed.

@nusktec

nusktec commented Feb 19, 2025

Why can't we test our deployment over the server IP until you add a domain?
Also, why can't I use a CNAME in it?

@tanmoysrt
Member

tanmoysrt commented Feb 19, 2025

@nusktec

> Why can't we test our deployment over the server IP until you add a domain?

You can test the deployment over the server IP. There is no restriction.
Use a TCP ingress rule for that. Your application will handle the ingress.

For HTTP 80/443 or an HTTP ingress rule, a domain is required. The inbound proxy needs to know the domain to route it.

Btw, if you need a dummy domain, you can use swiftwave.xyz domains.

For example, if your server IP is 1.2.3.4:

You can use *.ip-1-2-3-4.swiftwave.xyz (test1.ip-1-2-3-4.swiftwave.xyz, test2.ip-1-2-3-4.swiftwave.xyz)

> Also, why can't I use a CNAME in it?

CNAME should work.

@nusktec

nusktec commented Feb 19, 2025

I added my domain during installation; will the swiftwave domain still work?

management_node_address: to_my_domain. Would yours still work?

@tanmoysrt
Member

> I added my domain during installation; will the swiftwave domain still work?
>
> management_node_address: to_my_domain. Would yours still work?

Yeah, you can use it for any deployed app as well.
