
New RPS architecture

David Jose DELASSUS requested to merge new-arch into main

Decision Record

The ACL feature needs to know the real Client IP address, but at the moment we only get the Traefik container IP address.

Here is the current architecture:

(diagram: rps-before)

  • Traefik forwards the TCP connection to the WAF layer (or to the Proxy layer if the WAF is disabled); because it is a new TCP connection, the source IP seen downstream is Traefik's own
  • the WAF does SSL termination and then proxies the requests to the Proxy itself, again over TLS
  • the Proxy does SSL termination as well, so that it still works when the WAF is disabled

To pass the real client IP address along, Traefik has to prefix each TCP connection with an envelope, using the PROXY protocol. The next layer MUST know that it is receiving PROXY-protocol-wrapped connections, otherwise it treats the header as the first bytes of the TLS/HTTP stream and fails. However, doing so with NGINX FOSS is not trivial.
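The envelope described above, as an added example that is not code from the RPS project: a small decoder for PROXY protocol v1 and v2 headers, the sender side that builds a v2 header, and the trust check the receiving layer needs before believing the address it carries. The trusted network, the ACL range, the sample request and all addresses are constructed for this example.

```python
"""PROXY protocol decoding with an upstream trust check (added example).

Models the hop the decision record describes: the TLS-terminating layer gets
TCP connections from Traefik prefixed with a PROXY protocol header carrying
the real client address.  The receiver must (a) know the header is there and
(b) only believe it when the TCP peer is a trusted upstream, otherwise anyone
who can reach the port directly can forge a client IP and walk past the ACL.
"""
import ipaddress
import socket
import struct
from dataclasses import dataclass

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 magic


class ProxyProtocolError(ValueError):
    pass


@dataclass(frozen=True)
class ClientInfo:
    ip: str
    port: int
    payload: bytes  # bytes after the header: start of the TLS/HTTP stream


def parse_proxy_v1(data: bytes) -> ClientInfo:
    """v1: 'PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\\r\\n', at most 107 bytes."""
    end = data.find(b"\r\n", 0, 108)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ProxyProtocolError("not a PROXY v1 header")
    fields = data[:end].decode("ascii", "replace").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        # also covers 'PROXY UNKNOWN', where the sender has no client address to give
        raise ProxyProtocolError("malformed or UNKNOWN PROXY v1 header")
    src, port = ipaddress.ip_address(fields[2]), int(fields[4])
    if src.version != (4 if fields[1] == "TCP4" else 6) or not 0 <= port <= 65535:
        raise ProxyProtocolError("address family mismatch or port out of range")
    return ClientInfo(str(src), port, data[end + 2:])


def parse_proxy_v2(data: bytes) -> ClientInfo:
    """v2: signature, version/command byte, family/protocol byte, length, addresses."""
    if len(data) < 16 or not data.startswith(V2_SIGNATURE):
        raise ProxyProtocolError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    body, payload = data[16:16 + length], data[16 + length:]
    if ver_cmd >> 4 != 2 or len(body) != length:
        raise ProxyProtocolError("bad version or truncated PROXY v2 header")
    if ver_cmd & 0x0F == 0x00:  # LOCAL: the proxy's own health check, no client address
        raise ProxyProtocolError("LOCAL command carries no client address")
    if fam_proto == 0x11 and length >= 12:  # TCP over IPv4
        src, _dst, sport, _dport = struct.unpack("!4s4sHH", body[:12])
        return ClientInfo(socket.inet_ntop(socket.AF_INET, src), sport, payload)
    if fam_proto == 0x21 and length >= 36:  # TCP over IPv6
        src, _dst, sport, _dport = struct.unpack("!16s16sHH", body[:36])
        return ClientInfo(socket.inet_ntop(socket.AF_INET6, src), sport, payload)
    raise ProxyProtocolError(f"unsupported family/protocol 0x{fam_proto:02x}")


def build_proxy_v2(src_ip, dst_ip, src_port, dst_port) -> bytes:
    """What the sender (Traefik in the new design) prepends to the connection."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    assert src.version == dst.version, "v2 carries one address family per header"
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    fam_proto = 0x11 if src.version == 4 else 0x21
    return V2_SIGNATURE + struct.pack("!BBH", 0x21, fam_proto, len(body)) + body


def client_address(peer_ip, peer_port, data, trusted_upstreams) -> ClientInfo:
    """Address the ACL should evaluate for one accepted connection.

    Only a peer inside `trusted_upstreams` may assert a client address through
    a PROXY header; for anyone else the peer *is* the client and its bytes are
    handed on untouched.  A trusted peer that sends no header is rejected, which
    is what a layer told to expect PROXY protocol does with a plain connection.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_upstreams):
        return ClientInfo(peer_ip, peer_port, data)
    if data.startswith(V2_SIGNATURE):
        return parse_proxy_v2(data)
    return parse_proxy_v1(data)


# Constructed sample traffic and assumed networks for the example.
TRUSTED = ["172.18.0.0/16"]  # assumed internal network Traefik lives on
ALLOWED = ipaddress.ip_network("203.0.113.0/24")  # assumed ACL allow-list
HTTP_REQUEST = b"GET /admin HTTP/1.1\r\nHost: rps.example\r\n\r\n"
V1_HEADER = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n"


def acl_allows(info: ClientInfo) -> bool:
    return ipaddress.ip_address(info.ip) in ALLOWED


if __name__ == "__main__":
    # Traefik (trusted) wraps the client's bytes: the ACL evaluates 203.0.113.7.
    print(client_address("172.18.0.2", 40001, V1_HEADER + HTTP_REQUEST, TRUSTED))
    # Someone dialling the port directly cannot spoof the header: the ACL sees the peer.
    print(client_address("198.51.100.9", 4444, V1_HEADER + HTTP_REQUEST, TRUSTED))
```

Two things the example makes visible. First, a layer that is not told to expect the header sees `PROXY TCP4 ...` (or the v2 signature) as the first bytes of the TLS ClientHello and the handshake fails, which is why the change has to land on exactly the hop Traefik talks to. Second, the header is only a claim. Apache's mod_remoteip accepts it from any peer once `RemoteIPProxyProtocol On` is set (`RemoteIPProxyProtocolExceptions` only exempts peers, it does not define a trusted-sender list), so the Apache2 listener must be reachable from Traefik only, e.g. on an internal container network; a directly reachable listener lets anyone forge a client IP and bypass the ACL.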

Instead, let's allow disabling the WAF at the Apache2 layer: Apache2 decodes the PROXY protocol header and does SSL termination, and NGINX falls back to plain HTTP behind it and never receives TCP connections from Traefik again.

Here is the updated architecture:

(diagram: rps-after)

NB: this should also cut the number of SSL handshakes in half, which should improve performance.

Caddy (used for the Coraza WAF) does not support the PROXY protocol unless it is configured through its JSON configuration file, which we are not using. Since Coraza does not support WebSocket either, it is becoming a hassle to support, so let's remove it as well.

Changes

  • 💥 🔥 Remove Caddy+Coraza support
  • 🔧 NGINX listens on HTTP, not HTTPS anymore
  • 🔥 Remove ACME related settings from NGINX module
  • 🔧 Enable PROXY protocol in Apache2+ModSecurity module
  • 🔧 Add ACME challenge related configuration
  • 🔖 v0.11.0
