Skip to content

Add proxy protocol v2 client-side support #979

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Add proxy protocol v2 client-side support #979

wants to merge 5 commits into from

Conversation

defanator
Copy link
Member

@defanator defanator commented Feb 17, 2025
edited
Loading

Proposed changes

This PR introduces support for proxy protocol v2 which is available in nginx starting from versions 1.13.11 (foss) and R16 (NGINX Plus).

Primary use case is running nginx-prometheus-exporter alongside with nginx or NGINX Plus sitting behind other load balancers like AWS NLB or Google's PNLB with proxy protocol enabled. Sometimes creating dedicated listeners just for stub_status or API could be undesired, and with the proposed changes the exporter will be able to reuse existing listeners without extra effort.

Changes were tested with the following combinations of listeners:

  1. IPv4 with proxy_protocol, IPv4 without proxy_protocol.
  2. IPv6 with proxy_protocol, IPv6 without proxy_protocol.
  3. Unix socket with proxy_protocol, unix socket without proxy_protocol (not that common scenario, but still supported by standard).

Implementation used: https://github.com/pires/go-proxyproto

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING guide
  • I have proven my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have ensured the README is up to date
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch on my own fork

@defanator defanator requested a review from a team as a code owner February 17, 2025 06:34
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 17, 2025
edited
Loading

✅ All required contributors have signed the F5 CLA for this PR. Thank you!
Posted by the CLA Assistant Lite bot.

@github-actions github-actions bot added documentation Pull requests/issues for documentation dependencies Pull requests that update a dependency file labels Feb 17, 2025
@defanator
Copy link
Member Author

I have hereby read the F5 CLA and agree to its terms

@defanator
Copy link
Member Author

For the reference, here's the linter output from a platform I've been testing on:

nginx-prometheus-exporter % make lint
go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.63.4 run --fix

nginx-prometheus-exporter % go version
go version go1.24.0 darwin/amd64

nginx-prometheus-exporter % sw_vers 
ProductName:            macOS
ProductVersion:         15.3
BuildVersion:           24D60

@defanator defanator mentioned this pull request Feb 17, 2025
Open
@jjngx
Copy link
Contributor

jjngx commented May 14, 2025
edited
Loading

@sindhushiv, this PR introduces a new 3rd party dependency (github.com/pires/go-proxyproto). It needs to be approved before we merge.

@jjngx
Copy link
Contributor

jjngx commented May 15, 2025

@defanator Could you please resolve conflicts?

@mpstefan mpstefan added the waiting for response Waiting for author's response label Jun 4, 2025
@defanator
Copy link
Member Author

@jjngx sorry for slow response - I'll try to address this ASAP.

@vepatel
Copy link

vepatel commented Jul 29, 2025

@jjngx re #979 (comment), its Apache 2.0 👍🏼

@vepatel vepatel moved this from Todo ☑ to In Review 👀 in NGINX Ingress Controller Jul 29, 2025
@vepatel vepatel removed the waiting for response Waiting for author's response label Jul 29, 2025
@vepatel
Copy link

vepatel commented Aug 5, 2025
edited
Loading

test nginx conf:

worker_processes 1;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;

events {
    worker_connections 1024;
}

http {
    access_log /var/log/nginx/access.log;
    
    # Server with proxy protocol support (port 8080)
    server {
        listen 8080 proxy_protocol;
        server_name localhost;
        
        # Extract real IP from proxy protocol headers
        real_ip_header proxy_protocol;
        set_real_ip_from 127.0.0.1;
        
        location /stub_status {
            stub_status on;
            access_log off;
        }
        
        location /test {
            return 200 "Hello from NGINX with Proxy Protocol!\n";
            add_header Content-Type text/plain;
        }
    }
    
    # Regular server without proxy protocol (port 8081)
    server {
        listen 8081;
        server_name localhost;
        
        location /stub_status {
            stub_status on;
            access_log off;
        }
        
        location /test {
            return 200 "Hello from regular NGINX!\n";
            add_header Content-Type text/plain;
        }
    }
}

start nginx docker container:

 ~/nginx/kubernetes-ingress/internal/nginx/test prom/nginx-test/ [pr-979] docker run -d \
  --name nginx-proxy-test \
  -p 18080:8080 \
  -p 18081:8081 \
  -v "$(pwd)/nginx.conf:/etc/nginx/nginx.conf:ro" \
  nginx:latest

cURL:

 ~/nginx/kubernetes-ingress/internal/nginx/test prom/ [pr-979] curl http://127.0.0.1:18081/test       

Hello from regular NGINX!

 ~/nginx/kubernetes-ingress/internal/nginx/test prom/ [pr-979] curl http://127.0.0.1:18080/test

curl: (52) Empty reply from server

 ~/nginx/kubernetes-ingress/internal/nginx/test prom/ [pr-979] curl http://127.0.0.1:18080/test --haproxy-protocol

Hello from NGINX with Proxy Protocol!

stub_status:

 ~/nginx/kubernetes-ingress/internal/nginx/test prom/ [pr-979] curl http://127.0.0.1:18081/stub_status             

Active connections: 1 
server accepts handled requests
 19 19 14 
Reading: 0 Writing: 1 Waiting: 0

exporter test with proxy_protocol:

 ~/nginx/kubernetes-ingress/internal/nginx/test prom/ [pr-979] ./nginx-prometheus-exporter \
  --nginx.proxy-protocol \
  --nginx.scrape-uri="http://127.0.0.1:18080/stub_status" \
  --web.listen-address=":9116" \
  --web.telemetry-path="/metrics"

time=2025-08-05T17:12:59.652+01:00 level=INFO source=exporter.go:126 msg=nginx-prometheus-exporter version="(version=, branch=, revision=460eaad9dfbab5d99f3296acab41d3879b2a0c8b-modified)"
time=2025-08-05T17:12:59.652+01:00 level=INFO source=exporter.go:127 msg="build context" build_context="(go=go1.24.2, platform=darwin/arm64, user=, date=, tags=unknown)"
time=2025-08-05T17:12:59.653+01:00 level=INFO source=tls_config.go:347 msg="Listening on" address=[::]:9116
time=2025-08-05T17:12:59.653+01:00 level=INFO source=tls_config.go:350 msg="TLS is disabled." http2=false address=[::]:9116

 ~/nginx/kubernetes-ingress/internal/nginx/test prom/ [pr-979] curl http://127.0.0.1:9116/metrics | grep "nginx_up"

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9632    0  9632    0     0  3187k      0 --:--:-- --:--:-- --:--:-- 4703k

# HELP nginx_up Status of the last metric scrape
# TYPE nginx_up gauge
nginx_up 1

exporter test without proxy_protocol:

 ~/nginx/kubernetes-ingress/internal/nginx/test prom/ [pr-979] ./nginx-prometheus-exporter \                       
  --nginx.scrape-uri="http://127.0.0.1:18081/stub_status" \
  --web.listen-address=":9116" \
  --web.telemetry-path="/metrics" &

time=2025-08-05T17:17:21.632+01:00 level=INFO source=exporter.go:126 msg=nginx-prometheus-exporter version="(version=, branch=, revision=460eaad9dfbab5d99f3296acab41d3879b2a0c8b-modified)"
time=2025-08-05T17:17:21.632+01:00 level=INFO source=exporter.go:127 msg="build context" build_context="(go=go1.24.2, platform=darwin/arm64, user=, date=, tags=unknown)"
time=2025-08-05T17:17:21.633+01:00 level=INFO source=tls_config.go:347 msg="Listening on" address=[::]:9116
time=2025-08-05T17:17:21.633+01:00 level=INFO source=tls_config.go:350 msg="TLS is disabled." http2=false address=[::]:9116

 ~/nginx/kubernetes-ingress/internal/nginx/test prom/ [pr-979] curl http://127.0.0.1:9116/metrics | grep "nginx_up"

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9630    0  9630    0     0   819k      0 --:--:-- --:--:-- --:--:--  854k

# HELP nginx_up Status of the last metric scrape
# TYPE nginx_up gauge
nginx_up 1

exporter test with proxy_protocol using envvar PROXY_PROTOCOL:

 ~/nginx/kubernetes-ingress/internal/nginx/test prom/ [pr-979] PROXY_PROTOCOL=true ./nginx-prometheus-exporter \
  --nginx.scrape-uri="http://127.0.0.1:18080/stub_status" \
  --web.listen-address=":9115" \
  --web.telemetry-path="/metrics" &


time=2025-08-05T17:23:17.459+01:00 level=INFO source=exporter.go:126 msg=nginx-prometheus-exporter version="(version=, branch=, revision=460eaad9dfbab5d99f3296acab41d3879b2a0c8b-modified)"
time=2025-08-05T17:23:17.461+01:00 level=INFO source=exporter.go:127 msg="build context" build_context="(go=go1.24.2, platform=darwin/arm64, user=, date=, tags=unknown)"
time=2025-08-05T17:23:17.462+01:00 level=INFO source=tls_config.go:347 msg="Listening on" address=[::]:9115
time=2025-08-05T17:23:17.462+01:00 level=INFO source=tls_config.go:350 msg="TLS is disabled." http2=false address=[::]:9115

 ~/nginx/kubernetes-ingress/internal/nginx/test prom/ [pr-979] curl http://127.0.0.1:9115/metrics | grep "nginx_up"

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9628    0  9628    0     0  2253k      0 --:--:-- --:--:-- --:--:-- 2350k

# HELP nginx_up Status of the last metric scrape
# TYPE nginx_up gauge
nginx_up 1

@pdabelf5
Copy link
Collaborator

pdabelf5 commented Aug 6, 2025

I have verified the tests @vepatel ran

@defanator
Copy link
Member Author

Thanks @vepatel @pdabelf5 for double checking the e2e flows. I did similar testing before submitting this one + a few extras (like UNIX socket listeners).

@pdabelf5 pdabelf5 added this to the v1.5.0 milestone Aug 7, 2025
@pdabelf5 pdabelf5 mentioned this pull request Aug 7, 2025
Open
7 tasks
@danielnginx danielnginx requested a review from Copilot August 14, 2025 12:57
Copilot
Copilot AI reviewed Aug 14, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds client-side support for proxy protocol v2 to the nginx-prometheus-exporter, enabling it to work with nginx instances behind load balancers that use proxy protocol. The implementation allows the exporter to prepend proxy protocol headers when connecting to nginx endpoints.

  • Adds a new command-line flag --nginx.proxy-protocol to enable proxy protocol support
  • Implements proxy protocol v2 header generation for TCP (IPv4/IPv6) and Unix socket connections
  • Updates the HTTP transport's DialContext to handle proxy protocol when enabled

Reviewed Changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

File Description
go.mod Adds dependency on go-proxyproto library v0.8.1
exporter.go Implements proxy protocol v2 client support with conditional dialing logic
README.md Documents the new --nginx.proxy-protocol flag

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

exporter.go

switch addr := remoteAddr.(type) {
case *net.TCPAddr:
if addr.IP.To4() == nil {
Copy link
Preview

Copilot AI Aug 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The variable name 'addr' shadows the outer 'addr' parameter, which could lead to confusion. The switch should use a different variable name like 'tcpAddr' or 'remoteAddrTyped'.

Suggested change
if addr.IP.To4() == nil {
switch remoteAddrTyped := remoteAddr.(type) {
case *net.TCPAddr:
if remoteAddrTyped.IP.To4() == nil {

Copilot uses AI. Check for mistakes.

exporter.go
_, err = header.WriteTo(conn)
if err != nil {
return nil, fmt.Errorf("writing proxyproto header: %w", err)
}
Copy link
Preview

Copilot AI Aug 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] The number of bytes written is being ignored. Consider logging or validating the bytes written to ensure the complete header was sent, or add a comment explaining why this return value is intentionally ignored.

Suggested change
}
n, err := header.WriteTo(conn)
if err != nil {
return nil, fmt.Errorf("writing proxyproto header: %w", err)
}
// Validate that the entire header was written
var buf bytes.Buffer
_, marshalErr := header.WriteTo(&buf)
if marshalErr != nil {
return nil, fmt.Errorf("marshalling proxyproto header for length check: %w", marshalErr)
}
expectedLen := buf.Len()
if n < expectedLen {
return nil, fmt.Errorf("proxyproto header: only %d of %d bytes written", n, expectedLen)
}

Copilot uses AI. Check for mistakes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@vepatel vepatel vepatel approved these changes

@AlexFenlon AlexFenlon AlexFenlon approved these changes

@pdabelf5 pdabelf5 pdabelf5 approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file documentation Pull requests/issues for documentation
Projects
NGINX Ingress Controller
Status: In Review 👀
Milestone
v1.5.0
Development

Successfully merging this pull request may close these issues.
6 participants
@defanator @jjngx @vepatel @pdabelf5 @AlexFenlon @mpstefan