TCP proxying support

[jefferai]

This looks super cool. Wanted to send along a feature request that I think will make it even more useful.

At a previous job, we were using haproxy due to its ability to do not only straight TCP proxying, but straight TCP proxying while honoring the SNI header. This allows the TLS connection to be direct between a client and backend server, rather than having a proxy in the middle decrypt traffic and re-encrypt traffic to the backend. This direct connection is needed to avoid transitive trust issues, and can be especially important if you are required to adhere to various industry conformance standards like PCI.

So my feature request is: please allow straight TCP proxying while honoring the SNI header for routing.

[magiconair]

Transparent TCP proxy support was on my radar at some point but so far I didn't have the use case for it. I want to enhance a couple of other things first so this is not high on my prio list ATM.

Leaving this open as enhancement

[jefferai]

Sounds good. Just remember, when you get around to it, that SNI is a must as it's really the only way to route when doing TCP routing (since mapping ports is just awful)!

+1 Transparent TCP is currently a gaping hole that no one has filled.

edit: To clarify, a transparent TCP proxy that can work with a Consul/Etcd/Mesos/etc natively that can do connection draining.

[jefferai]

@rvm2015 I assume you mean, "within Fabio"? Other services are capable of doing transparent TCP proxying,and have for a long time.

[magiconair]

@rvm2015 What is your use case?

If Fabio had the ability to do TCP as well as HTTP I'd have a reason to put in the work to extend the backend support to include Mesos/Maratho. I'd then be able to replace both Traefik and HAProxy/Mesos-DNS with a single service and greatly simplify my stack.

[magiconair]

@rvm2015 Fabio is an FE-BE router which routes incoming traffic to different BE services based on information in the protocol (i.e. host and/or path from the HTTP request). I get the SNI use case for SSL traffic since I can get the host information and use that for routing information but how would I route an arbitrary incoming TCP stream to a BE service that can handle it? Based on ports? Which protocols are you using where you need raw TCP traffic?

[magiconair]

I think I have a couple of use cases for TCP routing now and the proxy itself is pretty simple. I just need to update the config language and dynamic listener support. First version may not support SNI though but I'm still looking into this.

[doublerebel]

👍

[yingfeng]

Transparent TCP proxy is useful when deploying such services as IM server, RPC services within docker container cloud, given this feature enabled, fabio could be a replacement for HAProxy totally for cloud environment.

[JonathanBennett]

Don't want to be one of those "me too" people but did anyone manage to get anywhere with transparent TCP proxying (with or without SNI)? @magiconair I know above you said you were looking at this?

Is there any WIP we can possibly help commit to if not finished? Else I might take a stab at this, as this is currently the one thing we're missing as we have lots of arbitrary TCP ports which would benefit hugely from fabio / only work through fabio.

Thanks in advance!

[magiconair]

@JonathanBennett The TCP proxy itself is not difficult and I think I have that ready somewhere. Main issue is how to configure the listeners and that they need to start and shutdown automatically which is different from the statically configured HTTP listeners. That also isn't hard but $dayjob and $kids take most of my energy right now.

I'm going to focus on the API for the multiple registries since this is a small change but has lots of potential. Then I'll work on the config change which will enable the strip prefix and weight parameter and also offer the tcp syntax. Then it isn't far from the dynamic listeners. I have some code lying around for that as well but it probably won't merge anymore.

If you want to help you could pick up one of these things. Let me know if you are interested and we can try to figure something out.