Current scenario:

- They have an F5 BIG-IP as the external load balancer for their OCP cluster and the HAProxy router as the default infrastructure router inside the OpenShift cluster.
- They wanted to limit client access on some applications, so they implemented the haproxy.router.openshift.io/ip_whitelist annotation, which is working as it is supposed to work. When the IP arrives at the OCP router, the router looks at it and applies the ACL rule set by this annotation, in this case the IP address/range from the F5 BIG-IP (which in my opinion makes sense??).

https://github.com/openshift/ose/blob/a522829e8bdb88e7708577ac28775d4aba7bb1c9/images/router/haproxy/conf/haproxy-config.template

    # Secure backend, pass through
    backend be_tcp:{{$cfgIdx}}
    {{- if ne (env "ROUTER_SYSLOG_ADDRESS") ""}}
      option tcplog
    {{- end }}
    {{- with $balanceAlgo := firstMatch "roundrobin|leastconn|source" (index $cfg.Annotations "haproxy.router.openshift.io/balance") (env "ROUTER_LOAD_BALANCE_ALGORITHM") }}
      balance {{ $balanceAlgo }}
    {{- else }}
      balance {{ if gt $cfg.ActiveServiceUnits 1 }}roundrobin{{ else }}source{{ end }}
    {{- end }}
    {{- with $ip_whiteList := firstMatch $cidrListPattern (index $cfg.Annotations "haproxy.router.openshift.io/ip_whitelist") }}
      acl whitelist src {{$ip_whiteList}}
      tcp-request content reject if !whitelist
    {{- end }}
    {{- with $value := firstMatch $timeSpecPattern (index $cfg.Annotations "haproxy.router.openshift.io/timeout")}}
      timeout tunnel {{$value}}
    {{- end }}

Request (issue) from the customer:

- They were trying to use only the IP of the client trying to access the application on OpenShift, and the access was denied. When using the IP coming from the F5 in the annotation, it started to work again. I've explained that this is normal, taking into consideration the code above.
- They tried to use the XFF header to carry the IP of the client and enabled this feature on the F5 as well, but it still doesn't work, which I assume is normal because the ACL implemented listens to source CIDR addresses, so it always takes into consideration the address space coming from the F5.
Would it make sense to enable proxy protocol support in the F5 and the router so that the source IP address is sent that way and then haproxy will view the IP address that was passed over the proxy protocol as the source?
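As an added example (not from the original post or the OpenShift router code), the snippet below models what PROXY protocol v1 changes for this ACL: the F5 prepends a header naming the real client, the router's accept-proxy listener parses it, and `src` then evaluates to the client address instead of the F5's. All addresses, ports and the whitelist CIDR are constructed sample values.

```python
import ipaddress

# Constructed sample addresses (documentation ranges), not from the original post.
CLIENT_IP = "203.0.113.45"        # real client behind the F5
F5_IP = "198.51.100.10"           # F5 BIG-IP address as seen by the router (TCP peer)
ROUTER_IP = "10.0.0.5"            # router endpoint the F5 connects to
WHITELIST = ["203.0.113.0/24"]    # value one would put in the ip_whitelist annotation


def build_proxy_v1(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """PROXY v1 header the load balancer prepends to the TCP stream (human-readable form)."""
    fam = "TCP6" if ipaddress.ip_address(src_ip).version == 6 else "TCP4"
    return f"PROXY {fam} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode()


def parse_proxy_v1(stream: bytes):
    """Return (client_ip, remaining_payload). Raises ValueError on a malformed header,
    which is what an accept-proxy listener does (it drops the connection)."""
    if not stream.startswith(b"PROXY "):
        raise ValueError("no PROXY protocol header")
    end = stream.find(b"\r\n")
    if end < 0 or end > 107:          # v1 header is at most 107 bytes including CRLF
        raise ValueError("malformed PROXY header")
    parts = stream[:end].decode("ascii").split(" ")
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY header")
    return ipaddress.ip_address(parts[2]), stream[end + 2:]


def effective_src(stream: bytes, tcp_peer: str, accept_proxy: bool):
    """What `src` evaluates to on the router: the TCP peer, or the PROXY-declared client."""
    if not accept_proxy:
        return ipaddress.ip_address(tcp_peer)
    client_ip, _ = parse_proxy_v1(stream)
    return client_ip


def whitelist_allows(src, cidrs) -> bool:
    """Mirror of `acl whitelist src <list>` / `tcp-request content reject if !whitelist`."""
    return any(src in ipaddress.ip_network(c) for c in cidrs)


# Constructed stream: the F5 forwards the client's connection, PROXY header first,
# then the opaque (TLS passthrough) bytes the router never inspects.
STREAM = build_proxy_v1(CLIENT_IP, ROUTER_IP, 51234, 443) + b"\x16\x03\x01..."
```

In HAProxy this is the accept-proxy option on the bind line, which the OpenShift router exposes through the ROUTER_USE_PROXY_PROTOCOL environment variable; the F5 virtual server must send the header on the same TCP connection, since the annotation's ACL is evaluated on `src` before any application data is seen.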