How to set a proxy device for a container with proxy_protocol enabled?


(Hw Siew) #1

I am trying to set a proxy device for a container with proxy_protocol enabled using the command below.
lxc config device add c1 http proxy listen=tcp:0.0.0.0:80 connect=tcp:127.0.0.1:80 proxy_protocol=true

However, it shows an error
Error: Invalid device configuration key for proxy: proxy_protocol

Am I missing something else, or what should be the proper way to set proxy_protocol?

Thanks for your advice.


#2

Since it says “Invalid key”, then most likely you are using an older version of LXD? I think proxy_protocol first appeared in LXD 3.3.

Also, proxy_protocol is about conveying the source IP address to your Web server in the containers. Without that, the containers would appear to get connections from just a single IP, the IP of LXD.


(Hw Siew) #3

Hi, thanks for the advice.

Yup that’s right. I am using 3.0.1.

I am confused about the LXD version. One is 3.0.1/3.02 and there are 3.3/3.4.

What are the differences?


#4

The LTS editions of Ubuntu like 18.04 come with a Deb package of LXD, and that version is 3.0.x. It is supported until 2018+5years=2023. It does not get new features but does get security updates and bug fixes.

On the other hand, you can migrate to the snap package of LXD, currently at version 3.4. It is also supported, but you get upgraded to new versions as they come along. Here you get new features.

If you want to stick to the Deb package of LXD, you can do what you need by using iptables rules and appropriately configuring the containers to keep the source IP address. Ask if you need further assistance with that.


(Hw Siew) #5

Hi Simos,

Thank you so much for your detailed explanations. Previously I was using iptables to forward traffic to one of my HAProxy containers. The proxy device of LXD seems to provide a cleaner way, so I tried to change the way of routing traffic to use that. Are there any pros and cons to using the proxy device of a container over iptables?

You are very helpful. Very much appreciated :wink:


#6

If you have to retain the source IPs of the connections with the proxy device, you need to upgrade to the snap package of LXD, then migrate your LXD installation by running lxd.migrate. Finally, you need to enable the PROXY protocol support in both HAProxy and the container web servers. This works and I have tried it. However, it is so new that you may not find a guide about it, and you may need to experiment first before setting it up for production.
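An added example, not part of any post in this thread: a sketch of what a backend inside the container has to do once proxy_protocol is on, namely read the original client address from the PROXY header and accept that header only from the proxy itself. It assumes the text (version 1) form of the header; the function names, the trusted network 127.0.0.0/8 and the sample bytes are constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 header line allowed by the PROXY protocol spec, CRLF included
# Assumption: only the local end of the LXD proxy device may send a PROXY header.
TRUSTED_SENDERS = [ipaddress.ip_network("127.0.0.0/8")]


def parse_proxy_v1(data: bytes):
    """Return ((src_ip, src_port) or None for UNKNOWN, bytes following the header)."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest  # the proxy could not describe the original connection
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    version = 4 if fields[1] == "TCP4" else 6
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match the header")
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:6]):
        raise ValueError("bad port")
    return (str(src), int(fields[4])), rest


def client_address(peer_ip: str, data: bytes):
    """Pick the address to log or filter on, given the socket peer and first bytes read."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_SENDERS):
        # A header from any other peer is just client-supplied text: ignore it.
        return peer_ip, data
    src, rest = parse_proxy_v1(data)
    return (src[0] if src else peer_ip), rest


# Constructed sample: what the container's server reads first on a proxied connection.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 80\r\nGET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    print(client_address("127.0.0.1", SAMPLE))     # header honoured
    print(client_address("198.51.100.9", SAMPLE))  # header ignored
```

If a listener honours the header from every peer, any client that can reach the port directly can claim an arbitrary source IP in logs and IP-based access rules.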