MariaDB Server / MDEV-22798

proxy-protocol-networks not working since migration in Mariadb 10.4.13

    Details

      Description

      Dear All,

      Since I migrated from MariaDB 10.3.22 to 10.4.13, I get a regression with the use of proxy-protocol-networks.
      HAProxy doesn't see any MySQL backend alive anymore and my "clienthost" cannot authenticate themselves in MariaDB based on their IP.
      On MariaDB's side I tried the following things:

      • proxy-protocol-networks = 172.16.42.0/24, localhost
      • proxy-protocol-networks = *
      • proxy-protocol-networks = 172.16.42.8, 172.16.42.9, 172.16.42.10, localhost

      and on HAProxy's side:

      backend mygalera
              balance leastconn
              mode tcp
              option tcpka
              option tcplog
              option log-health-checks
              retries 3
              option mysql-check user haproxy
              server myglra1 172.16.42.21:3306 check weight 1 send-proxy-v2
              server myglra2 172.16.42.22:3306 check weight 1 send-proxy-v2
              server myglra3 172.16.42.23:3306 check weight 1 send-proxy-v2
      

      I also tried with "send-proxy"

      On haproxy I get the following logs

      May 27 10:10:21 haproxy001 haproxy[2958]: Health check for server mygalera/myglra1 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 2ms, status: 0/2 DOWN.
      May 27 10:10:21 haproxy001 haproxy[2958]: Health check for server mygalera/myglra1 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 2ms, status: 0/2 DOWN.
      May 27 10:31:53 haproxy001 haproxy[3056]: Health check for server mygalera/myglra1 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 1ms, status: 0/2 DOWN.
      May 27 10:31:53 haproxy001 haproxy[3056]: Health check for server mygalera/myglra1 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 1ms, status: 0/2 DOWN.
      May 27 10:31:54 haproxy001 haproxy[3056]: Health check for server mygalera/myglra2 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 2ms, status: 0/2 DOWN.
      May 27 10:31:54 haproxy001 haproxy[3056]: Health check for server mygalera/myglra2 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 2ms, status: 0/2 DOWN.
      May 27 10:31:54 haproxy001 haproxy[3056]: Health check for server mygalera/myglra3 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 2ms, status: 0/2 DOWN.
      May 27 10:31:54 haproxy001 haproxy[3056]: Health check for server mygalera/myglra3 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 2
      

      and after a while I get the following error for each of my Galera nodes

      May 28 10:07:22 haproxy001 haproxy[4028]: Health check for server mygalera/myglra1 failed, reason: Layer7 wrong status, code: 0, info: "Host '172.16.42.9' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'", check duration: 3ms, status: 0/2 DOWN.
      

      On my Galera nodes I get the following errors repeating until the source IP is blocked

      May 28 10:51:01 myglra001 mysqld[19634]: 2020-05-28 10:51:01 2144 [Warning] Aborted connection 2144 to db: 'unconnected' user: 'unauthenticated' host: '172.16.42.9' (This connection closed normally without authentication)
      

      All of this leads to all backends being seen as down.
      I had some tests done on a MaxScale node and the behaviour/results are the same as with HAProxy (no live backend seen).
      I was using proxy_protocol=true in my servers' definition in maxscale.cnf

      If I skip all this proxy configuration and create users in MariaDB on HAProxy's IPs, everything works fine, but I lose the client IP.

      Regards
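
A triage check for the situation in the report, as an added example that is not part of the original issue or of MariaDB's code: it extracts the rejected peer addresses from HAProxy health-check lines and tests them against a proxy-protocol-networks value. It assumes the documented syntax (comma-separated addresses or CIDR networks, `*` alone for all networks, `localhost` for non-TCP local connections); the function names and the sample log are constructed.

```python
import ipaddress
import re

# Constructed sample: two health-check lines in the format shown in the report.
SAMPLE_LOG = """\
May 27 10:10:21 haproxy001 haproxy[2958]: Health check for server mygalera/myglra1 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 2ms, status: 0/2 DOWN.
May 27 10:31:54 haproxy001 haproxy[3056]: Health check for server mygalera/myglra2 failed, reason: Layer7 wrong status, code: 0, info: "#HY000Proxy header is not accepted from 172.16.42.9", check duration: 2ms, status: 0/2 DOWN.
"""

REJECT_RE = re.compile(r"Proxy header is not accepted from ([0-9A-Fa-f:.]+)")


def rejected_peers(log_text):
    """Return the sorted, de-duplicated peer addresses the server rejected."""
    return sorted(set(REJECT_RE.findall(log_text)))


def parse_networks(value):
    """Parse a proxy-protocol-networks value into (allow_all, [networks])."""
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    if tokens == ["*"]:
        return True, []
    nets = []
    for tok in tokens:
        if tok == "*":
            raise ValueError("'*' must be the only entry in the list")
        if tok.lower() == "localhost":
            continue  # covers non-TCP local connections only, never a TCP peer
        # An entry without a mask is treated as a single host (/32 or /128).
        nets.append(ipaddress.ip_network(tok, strict=False))
    return False, nets


def covers(value, peer):
    """True if a TCP peer address falls inside the configured networks."""
    allow_all, nets = parse_networks(value)
    addr = ipaddress.ip_address(peer)
    return allow_all or any(addr in net for net in nets)


if __name__ == "__main__":
    tried = ["172.16.42.0/24, localhost", "*",
             "172.16.42.8, 172.16.42.9, 172.16.42.10, localhost"]
    for peer in rejected_peers(SAMPLE_LOG):
        for value in tried:
            print(f"{peer} covered by {value!r}: {covers(value, peer)}")
```

When a value covers the rejected peer and the server still refuses the header, the next thing to verify is the value the running server actually loaded, for example with `SHOW GLOBAL VARIABLES LIKE 'proxy_protocol_networks'`.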

            People

            Assignee:
            wlad Vladislav Vaintroub
            Reporter:
            darknico84 Nicolas PEYRESAUBES