From c90c870727dff70181d965a40cc52b119deb36e6 Mon Sep 17 00:00:00 2001 From: Esa Korhonen Date: Thu, 27 Apr 2017 13:54:46 +0300 Subject: [PATCH] Add proxy protocol setting documentation --- .../Getting-Started/Configuration-Guide.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/Documentation/Getting-Started/Configuration-Guide.md b/Documentation/Getting-Started/Configuration-Guide.md index bedd8a7b3..4d86b0eee 100644 --- a/Documentation/Getting-Started/Configuration-Guide.md +++ b/Documentation/Getting-Started/Configuration-Guide.md @@ -970,6 +970,24 @@ closed. For more information about persistent connections, please read the [Administration Tutorial](../Tutorials/Administration-Tutorial.md). +#### `use_proxy_protocol` + +If `use_proxy_protocol` is set to `yes`, MaxScale will send a proxy protocol +header when connecting client sessions to the server. The header contains the +original client IP address and port, as seen by MaxScale. The server will then +read the header and perform authentication as if the connection originated from +this address instead of the MaxScale IP address. With this feature, the user +accounts on the backend server can be simplified to only contain the actual +client hosts and not the MaxScale host. + +Currently, using this feature is unpractical due to the restrictiveness of the +proxy protocol. The protocol requires that *all* connections from proxy enabled +addresses must send a valid proxy header. MaxScale has other connections to the +servers in addition to client sessions, e.g. monitors, and the server will +refuse these due to the lack of the header. To bypass this restriction, the +server monitor needs to be disabled and the service listener needs to be +configured to disregard authentication errors (`skip_authentication=true`). + ### Server and SSL This section describes configuration parameters for servers that control the
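Review bot: The second added paragraph (the one beginning "Currently, using this feature is unpractical") recommends disabling the server monitor and setting `skip_authentication=true` as a bypass, but does not say what each step gives up. It should state that the servers are then unmonitored and that the listener ignores authentication errors, ideally with a note that the combination is not suitable for production. Because the first paragraph says the server authenticates "as if the connection originated from this address", the section should also say that the backend trusts whatever address the header carries, so only the MaxScale host should be a proxy-enabled address on the server. Smaller points: the section gives no default value for `use_proxy_protocol` and no example server section, the boolean style is mixed (`yes` here, `true` for `skip_authentication`), and "unpractical" should read "impractical".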