ADR008: Haproxy for request rewriting
We want to serve HSTS headers for all HTTPS requests to the apps domains, but it will safeguard existing users from being MITMed over insecure connections and it will improve the user experience when they click on a hostname that doesn’t have a protocol. (Note that without pre-loading in browsers this won’t help first time users, but that is out of context)
We want to leave open the option of able to override these headers from the tenant application if they wish.
This feature requires conditionally process and modify the request headers. There are several possible implementations:
- Implement the logic in the
goroutershall process and add the header if required, by:
- Supporting the specific HSTS headers, and allowing configure some sort of behaviour and default value.
- Allow inject any additional header if they are missing.
does not support any of these features, which require being added.
Add some intermediate proxy (for example nginx, haproxy) in front of the go-routers and after the ELB.
Implement it in a external CDN in front of PaaS origin (PaaS LB entry point): All the commercial CDN have the capacity to add additionally headers conditionally.
AWS ELB: They do not support this logic and will not in the short term. In consequence they cannot be used to solve this problem.
We do not want to add any additional logic in the CDN, as they will be an optional part of the platform and we will try to keep as simple as possible.
We consider that the optional solution would be implement this logic in
gorouter, but that requires some development effort and a PR being merged
Because that we will implement, in the short term, the second option: a proxy
in front of the
We will implement HAproxy in front of the go router.
- Ha-proxy is the default LB solution for the official CF distribution.
- It is really powerful and has good support.
- Enough features to cover our needs.
It will be setup colocated with the
gorouter, proxying directly to localhost.
We will do SSL termination in HAProxy, and plain text to
gorouter. This is OK as the two services are colocated in the same VM.
We will reuse the code from official haproxy job from cf-release, although we will have to fork it to add additional settings in the haproxy configuration.
- We will implement and propose a PR to add logic in go-router to allow define additional headers.
We will be able to easily add more logic to rewrite the HTTP communication to the applications using HAProxy.
HAProxy SSL termination has better performance than
gorouter, although this has a low impact because ELB is terminating the end user connections and using keep alive connections to the gorouter/haproxy.
HAProxy supports web-sockets and does HTTP multiplexing.
We can implement HTTP => HTTPS redirect in HAProxy.
Adds some additional latency to every request.
We have to maintain our custom haproxy release.
Another moving part to monitor and take into account.