[RfE] Support PROXY protocol Header for TCP/SSL

Bug #1677987 reported by Marco Voelz
Affects: octavia | Status: Invalid | Importance: Wishlist | Assigned to: Unassigned | Milestone: (none)

Bug Description

Hi,

Octavia has the X-Forwarded-For Header for HTTP listeners to provide the pool members with the information about the source of each request. The PROXY protocol Header would do a similar thing for TCP and TCP+SSL connections. Can we add support for this? Not sure if this should be optional or just the default, like X-Forwarded-For in the HTTP listener.

Compare e.g. AWS loadbalancer support for the PROXY protocol:
* http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/using-elb-listenerconfig-quickref.html
* http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html

Changed in octavia:
status: New → Triaged
importance: Undecided → Wishlist
cheng (tangch318)
Changed in octavia:
assignee: nobody → cheng (tangch318)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to octavia (master)

Fix proposed to branch: master
Review: https://review.openstack.org/458755

OpenStack Infra (hudson-openstack) wrote : Fix merged to octavia (master)

Reviewed: https://review.openstack.org/458755
Committed: https://git.openstack.org/cgit/openstack/octavia/commit/?id=7100872ddb56397e4e9414ffeb17663ca54dc5d0
Submitter: Jenkins
Branch: master

commit 7100872ddb56397e4e9414ffeb17663ca54dc5d0
Author: cheng <email address hidden>
Date: Fri Apr 21 03:20:33 2017 -0400

    Add new PROXY protocol to lbaas pool

    This patch enables configuring the PROXY protocol, which informs the backend
    server about the layer 3/4 address of the incoming connections.

    Close-Bug: #1677987

    Change-Id: Idc9a5718dddbaaaec251c9a0673c74e4132c5f54
    Signed-off-by: cheng <email address hidden>

Marco Voelz (marco-voelz) wrote :

Hey,

I just saw the way you chose to implement this and I don't agree that "PROXY" should be an additional protocol for the user to choose from. "PROXY" is not a protocol that the LB actually balances. It is the protocol used to exchange certain information between LB and the loadbalanced servers.

Users care about the protocol that is being loadbalanced, in particular if it is Layer 7 (HTTP/HTTPS), so they can define rules based on headers, routes, etc., or Layer 4 (TCP), so they can't do those things. They care about termination of SSL. They care about knowing where the request came from originally.

The additional issue of communicating to downstream servers who the source of the actual request was before it went through the LB is solved in different ways. Layer 7 loadbalancers can add headers to do this; they are enabled by default in octavia and there isn't even the option to turn this off. Layer 4 loadbalancers don't have a way to communicate this (currently), and the standard way to do this is via the PROXY protocol.

In my opinion, this should either be an option on TCP loadbalancers to enable the PROXY protocol, or even leave out the option and do it by default.

Wdyt?

Adam Harwell (adam-harwell) wrote :

@Marco,
I'm not sure if I understand the issues you're mentioning...

Firstly:
> Layer 7 loadbalancers can add headers to do this, they are enabled by default in octavia and there isn't even the option to turn this off.

This isn't true. The X-Forwarded-For / X-Forwarded-Port headers are configurable.
https://developer.openstack.org/api-ref/load-balancer/v2/#header-insertions

Second, as far as I understand it, PROXY "protocol" is independent of whatever is in a TCP stream (but still uses TCP, just inserts a header in the connection initiator, per this doc: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) and thusly is equivalent to TCP in every other way. So, could it be a flag on TCP? Sure. But, is it bad to do it this way? I don't think so -- you need to understand the implications of PROXY to use it (the listening service needs to be configured to understand it) and therefore you should be aware that PROXY just means TCP+PROXY_Header.

Third, going back to this:
>"PROXY" is not a protocol that the LB actually balances. It is the protocol used to exchange certain information between LB and the loadbalanced servers.

That's correct -- and there is a difference between the protocol on a Listener (the protocol being balanced) and the protocol on the Pool (the protocol used between the LB and the members). PROXY is only valid and accepted for the latter.

I just don't understand the issue here. Nothing is hidden from the user, and I am not clear on how the user is prohibited from doing anything they want to do with their LB because they choose to use "PROXY" as the Pool protocol in the way we've implemented it. If I'm missing something, I'd love to discuss the issue on IRC, feel free to drop by #openstack-lbaas on Freenode!
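Adam's remark that the listening service must be configured to understand PROXY is the part a backend usually gets wrong. As an added illustration (not code from Octavia, HAProxy or anyone in this thread), here is a minimal receiver for the v1 header described in haproxy's proxy-protocol.txt, together with the check a backend should make that the header is honoured only on connections from the load balancer; `client_address`, the `trusted_lbs` set and all addresses are constructed for the example.

```python
import ipaddress
from typing import NamedTuple, Optional

# Longest valid v1 line including CRLF, per proxy-protocol.txt; a receiver that
# has not seen CRLF by then must reject the connection rather than keep reading.
MAX_V1_LEN = 107

class ProxyInfo(NamedTuple):
    family: str
    src_addr: Optional[str]
    src_port: Optional[int]
    dst_addr: Optional[str]
    dst_port: Optional[int]

def parse_proxy_v1(data: bytes):
    """Parse a PROXY v1 header at the start of a connection.
    Returns (ProxyInfo, remaining_stream_bytes); raises ValueError on any
    malformed header, which the receiver should answer by closing the socket."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("no CRLF within %d bytes" % MAX_V1_LEN)
    fields = data[:end].decode("ascii").split(" ")  # non-ASCII -> ValueError
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature or address family")
    family, rest = fields[1], data[end + 2:]
    if family == "UNKNOWN":  # LB could not determine the source; carries nothing
        return ProxyInfo(family, None, None, None, None), rest
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("bad address family or field count")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if {src.version, dst.version} != {4 if family == "TCP4" else 6}:
        raise ValueError("address does not match the declared family")
    ports = [int(p) for p in fields[4:6]]  # non-numeric -> ValueError
    if any(not 0 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return ProxyInfo(family, str(src), ports[0], str(dst), ports[1]), rest

def client_address(peer_ip: str, data: bytes, trusted_lbs):
    """Backend-side entry point (hypothetical helper). A PROXY header is only
    honoured when the TCP peer is one of the trusted load balancer addresses;
    any other peer could otherwise present a header claiming a client address
    of its choosing. Returns (client_ip, client_port_or_None, stream_bytes)."""
    if peer_ip not in trusted_lbs:
        return peer_ip, None, data  # plain TCP: the stream is passed through untouched
    info, rest = parse_proxy_v1(data)
    return info.src_addr or peer_ip, info.src_port, rest
```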

Gregory Thiemonge (gthiemonge) wrote : auto-abandon-script

Abandoned after re-enabling the Octavia launchpad.

Changed in octavia:
assignee: cheng (tangch318) → nobody
status: Triaged → Invalid
tags: added: auto-abandon