Details
Major Description
Hi,
proxy_protocol_networks does not seem to work properly in my setup. I have one working setup, and one non-working setup. The setups are equal, except hostnames and IP-addresses.
Working setup;
- db-demo-01 (172.20.20.61)
- db-demo-02 (172.20.20.62)
- db-demo-02 (172.20.20.62)
- db-demo-ha01 (172.20.20.28)
- db-demo-ha02 (172.20.20.29)
Non-working setup:
- db-prod-01 (172.20.20.71)
- db-prod-02 (172.20.20.72)
- db-prod-02 (172.20.20.72)
- db-prod-ha01 (172.20.20.38)
- db-prod-ha02 (172.20.20.39)
All hosts are running Ubuntu 18.04.2 LTS. All within the same subnet (172.20.20.0/24). All ha*-nodes are running haproxy. The non-ha-nodes are running MariaDB Galera cluster.
I have the following in my.cnf on all MariaDB nodes;
proxy_protocol_networks=::1, 127.0.0.1, localhost, 172.20.20.0/24
|
A snippet of the haproxy.cfg;
server db-demo-01 db-demo-01.example.com:3306 check send-proxy-v2
|
The Proxy Protocol works as expected on the 'demo' cluster. However, on the 'prod' cluster, having the exact same configuration (including the proxy_protocol_networks config above), haproxy cannot connect, complaining as following;
Server mysql_cluster/db-prod-01 is DOWN, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.20.20.38", check duration: 0ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
That IP is within the 172.20.20.0/24 range specified. If I explicitly list the IP (without CIDR notation) in the config, it works as expected;
proxy_protocol_networks=::1, 127.0.0.1, localhost, 172.20.20.0/24, 172.20.20.38, 172.20.20.39
|
The order of the 172.20.20.0/24 does not matter (i.e. it's not because it was bad parsing due to being the last entry in the list, or similar).
Attachments
Activity
Same problem on a MariaDB 10.3.20 server behind HAProxy 2.0.9 with Proxy Protocol setup (send-proxy-v2)
HAProxy (10.66.7.54) => MariaDB (10.66.7.34)
|
So the subnet mask is /24 (255.255.255.0)
Setting exact IP is ok 
SET GLOBAL proxy_protocol_networks = '10.66.7.54/32';
Setting /19 mask is ok
SET GLOBAL proxy_protocol_networks = '10.66.0.0/19';
Setting /24 netmask is NOT OK 
(although it should work)
SET GLOBAL proxy_protocol_networks = '10.66.7.0/24';
It seems that the network mask is miscalculated.
Specifically, I noticed that setting netmask /24 with IP between 10.66.7.0 and 10.66.7.31 does not work for my setup, but works with an ip >= 10.66.7.32
SET GLOBAL proxy_protocol_networks = '10.66.7.30/24';
SET GLOBAL proxy_protocol_networks = '10.66.7.31/24';
SET GLOBAL proxy_protocol_networks = '10.66.7.32/24';
SET GLOBAL proxy_protocol_networks = '10.66.7.33/24';
...
I have the same problem.
I have
In server.cnf on both clusters. And my haproxy config is
# This file managed by Puppetglobalchroot /var/lib/haproxydaemongroup haproxypidfile /var/run/haproxy.pidstats socket /var/lib/haproxy/statsuser haproxydefaultslog globaloption redispatchstats enabletimeout http-request 10stimeout queue 1mtimeout connect 10stimeout client 1mtimeout server 1mtimeout check 10slisten mariadb00-536167aa-79a7-4ccc-9c39-48e8ad4ab481balance roundrobinoption tcpkaoption mysql-check user haproxyThe above cluster works but the following config does not
# This file managed by Puppetglobalchroot /var/lib/haproxydaemongroup haproxypidfile /var/run/haproxy.pidstats socket /var/lib/haproxy/statsuser haproxydefaultslog globaloption redispatchstats enabletimeout http-request 10stimeout queue 1mtimeout connect 10stimeout client 1mtimeout server 1mtimeout check 10slisten mariadb00-5c7ca51f-bf0e-4ae9-84c8-96c08f58aeffbalance roundrobinoption tcpkaoption mysql-check user haproxyThe only thing different is the IP addresses. Note that if I set the proxy_protocol_networks to "*" then it works fine in either case.