- Newest
- Most votes
- Most comments
Hello,
When you disable target group attribute "proxy_protocol_v2.enabled", it can take up to ~120 seconds for the new attribute value to be applied. So you should no longer see NLB inserting proxy protocol headers to new connections after ~2 minutes of updating the target group.
Also proxy protocol headers are only exchanged at the start of a new connection so any proxy protocol information that was exchanged remains valid throughout the lifetime of the connection. Long lived connections will then still have proxy protocol attributes associated with them while all new connections formed after disabling proxy protocol will no longer have proxy protocol attributes associated with it.
With TCP listeners, the load balancer prepends a proxy protocol header to the TCP data. It does not discard or overwrite any existing data, including any incoming proxy protocol headers sent by the client or any other proxies, load balancers, or servers in the network path [1], so we should make sure the host communicating with the NLB is not inserting its own PPv2 headers.
You should also check, if the target instance registered to NLB where you had disabled 'proxy protocol v2' are not registered to any other NLB’s Target Group that may still have PPv2 enabled.
To look into the issue and confirm if NLB is still inserting PPv2 information to new connection, even after disabling PPv2 we would need to review NLB and the packet capture from target instance.
Keeping in mind your data privacy, you can open a technical support case with AWS using the link [2] and share packet capture of targets attached to NLB which provides details regarding PPv2 information being inserted to new connection even after disabling "proxy protocol v2" attribute. Upon checking the corresponding resources, AWS Premium Support engineers will be able to provide insights and assist you accordingly.
[2] AWS Support Center - https://console.aws.amazon.com/support
Relevant content
- asked 2 years ago
- Accepted Answerasked 5 months ago
AWS OFFICIALUpdated 3 years ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
Thank you. "proxy protocol headers are only exchanged at the start of a new connection so any proxy protocol information that was exchanged remains valid throughout the lifetime of the connection." is probably the symptom I was seeing. Although I was seeing that using UDP and UDP is technically "connectionless", it probably probably remained active with some keep alive because devices communicated every minute. Only by forcefully cutting the link (killing the receiving nginx pods) was I able to stop it.
I can confirm there was no other nlb or target group and that the host was not inserting their own headers. Unfortunately I do not have the infrastructure in place with the capabilities to easily do a packet capture on my target instance (which is a kubernetes pod).
In any case, for my personal situation I won't have to switch this setting regularly so this is not an issue anymore. I just wanted to report the behavior since it was not something I was expecting. It created service outage only for some specific incoming connections, and caused headaches trying to diagnose the cause.