MariaDB Server / MDEV-19669

proxy_protocol_networks does not evaluate/parse properly


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.3.15
    • Fix Version/s: 10.3.21, 10.4.11, 10.5.1
    • Component/s: Server
    • Labels:
    • Environment:
      Ubuntu 18.04.2 LTS, MariaDB-1:10.3.15+maria~bionic

      Description

      Hi,

      proxy_protocol_networks does not seem to work properly in my setup. I have one working setup, and one non-working setup. The setups are equal, except hostnames and IP-addresses.

      Working setup:

      • db-demo-01 (172.20.20.61)
      • db-demo-02 (172.20.20.62)
      • db-demo-02 (172.20.20.62)
      • db-demo-ha01 (172.20.20.28)
      • db-demo-ha02 (172.20.20.29)

      Non-working setup:

      • db-prod-01 (172.20.20.71)
      • db-prod-02 (172.20.20.72)
      • db-prod-02 (172.20.20.72)
      • db-prod-ha01 (172.20.20.38)
      • db-prod-ha02 (172.20.20.39)

      All hosts are running Ubuntu 18.04.2 LTS. All within the same subnet (172.20.20.0/24). All ha*-nodes are running haproxy. The non-ha-nodes are running MariaDB Galera cluster.

      I have the following in my.cnf on all MariaDB nodes:

      proxy_protocol_networks=::1, 127.0.0.1, localhost, 172.20.20.0/24
      

      A snippet of the haproxy.cfg:

      server db-demo-01 db-demo-01.example.com:3306  check send-proxy-v2
      

      The Proxy Protocol works as expected on the 'demo' cluster. However, on the 'prod' cluster, having the exact same configuration (including the proxy_protocol_networks config above), haproxy cannot connect, complaining as follows:

      Server mysql_cluster/db-prod-01 is DOWN, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.20.20.38", check duration: 0ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.

      That IP is within the 172.20.20.0/24 range specified. If I explicitly list the IP (without CIDR notation) in the config, it works as expected:

      proxy_protocol_networks=::1, 127.0.0.1, localhost, 172.20.20.0/24, 172.20.20.38, 172.20.20.39
      

      The order of the 172.20.20.0/24 does not matter (i.e. it's not because it was bad parsing due to being the last entry in the list, or similar).
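
      An independent reference check for the matching the report expects, added here as an example and not taken from MariaDB's source: it parses a comma-separated allow list and tests a peer address against each entry with byte-then-bit prefix comparison. The names `entry_matches` and `list_allows` are hypothetical, and skipping `localhost` for TCP peers is an assumption of this sketch.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if ip lies inside entry: a bare address or address/prefix, IPv4 or IPv6. */
static int entry_matches(const char *entry, const char *ip)
{
    char net[64], *end;
    unsigned char n[16], a[16];
    const char *slash = strchr(entry, '/');
    size_t len = slash ? (size_t)(slash - entry) : strlen(entry);
    if (len == 0 || len >= sizeof net) return 0;
    memcpy(net, entry, len); net[len] = '\0';
    int af = strchr(net, ':') ? AF_INET6 : AF_INET;
    int bits = (af == AF_INET6) ? 128 : 32;      /* bare address: full-length prefix */
    if (inet_pton(af, net, n) != 1 || inet_pton(af, ip, a) != 1) return 0;
    if (slash) {
        long v = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || v < 0 || v > bits) return 0;
        bits = (int)v;
    }
    if (memcmp(n, a, (size_t)bits / 8) != 0) return 0;   /* whole prefix bytes */
    if (bits % 8) {                               /* leftover high bits of next byte */
        unsigned char mask = (unsigned char)(0xFF << (8 - bits % 8));
        if ((n[bits / 8] ^ a[bits / 8]) & mask) return 0;
    }
    return 1;
}

/* Check a peer against a comma-separated list like the my.cnf value in the report. */
int list_allows(const char *list, const char *peer_ip)
{
    char buf[512];
    if (strlen(list) >= sizeof buf) return 0;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ", \t"); tok; tok = strtok(NULL, ", \t")) {
        if (strcmp(tok, "localhost") == 0) continue;  /* assumption: not a TCP peer */
        if (entry_matches(tok, peer_ip)) return 1;
    }
    return 0;
}

int main(void)
{
    const char *cfg = "::1, 127.0.0.1, localhost, 172.20.20.0/24"; /* from the report */
    printf("172.20.20.38 allowed: %d\n", list_allows(cfg, "172.20.20.38"));
    return 0;
}
```

      Under these semantics both 172.20.20.28 and 172.20.20.38 match the 172.20.20.0/24 entry, which is the behaviour the reporter expected from the server.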

            People

            Assignee:
            wlad Vladislav Vaintroub
            Reporter:
            jocke Joachim Tingvold