Commit 739737b9 authored by Stan Hu's avatar Stan Hu

Add PROXY support to gitlab-shell container

This commit adds a new container, `gitlab-shell-libproxyproto`, that
supports the PROXY protocol
(https://developers.cloudflare.com/spectrum/proxy-protocol) via
libproxyproto (https://github.com/msantos/libproxyproto). This allows
the SSH server to get the real client IP instead of the IP of the load
balancer.

By default, the PROXY protocol is not enforced. This can be enabled in
the Helm Chart via this config:

```yaml
gitlab:
  gitlab-shell:
    enabled: true
    extraEnv:
      LIBPROXYPROTO_MUST_USE_PROTOCOL_HEADER: 1
```

Debugging can be enabled via `LIBPROXYPROTO_DEBUG: 1`.

Relates to https://gitlab.com/groups/gitlab-com/gl-infra/-/epics/425
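The commit message relies on the PROXY protocol header without showing what it looks like. The Python below is an added illustration, not code from this commit, from gitlab-shell or from libproxyproto: it builds a v2 header the way a load balancer would, parses both v1 and v2 headers off the front of a connection, and models the `must_use` choice the commit message describes. The `must_use=True` behaviour (reject a connection that carries no header) is an assumption standing in for `LIBPROXYPROTO_MUST_USE_PROTOCOL_HEADER`; the addresses and SSH banner are constructed sample values. One property the code makes visible: nothing in the header authenticates its sender, so whichever setting is chosen, the listener must only be reachable through the load balancer that writes the header.

```python
import ipaddress
import struct

# Every PROXY protocol v2 header starts with this 12-byte signature.
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
V1_MAX_LEN = 107  # longest legal v1 line, CRLF included


class ProxyHeaderError(ValueError):
    """A PROXY header is malformed, or required but absent."""


def build_v2_header(src_ip, src_port, dst_ip, dst_port):
    """Build the v2 PROXY header a load balancer prepends to the TCP stream."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must share an address family")
    fam_proto = 0x11 if src.version == 4 else 0x21  # AF_INET/STREAM or AF_INET6/STREAM
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    # 0x21 = protocol version 2, command PROXY
    return V2_SIGNATURE + bytes([0x21, fam_proto]) + struct.pack("!H", len(body)) + body


def _parse_v2(data):
    if len(data) < 16:
        raise ProxyHeaderError("truncated v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError("unsupported PROXY version %d" % (ver_cmd >> 4))
    body, payload = data[16:16 + length], data[16 + length:]
    if len(body) != length:
        raise ProxyHeaderError("truncated v2 address block")
    command = ver_cmd & 0x0F
    if command == 0:
        # LOCAL: the proxy itself is connecting (health check); no client address.
        return None, payload
    if command != 1:
        raise ProxyHeaderError("unknown v2 command %d" % command)
    if fam_proto == 0x11:
        fmt, need = "!4s4sHH", 12
    elif fam_proto == 0x21:
        fmt, need = "!16s16sHH", 36
    else:
        raise ProxyHeaderError("unsupported family/protocol 0x%02x" % fam_proto)
    if length < need:
        raise ProxyHeaderError("v2 address block too short for family")
    src, dst, sport, dport = struct.unpack(fmt, body[:need])
    return (str(ipaddress.ip_address(src)), sport,
            str(ipaddress.ip_address(dst)), dport), payload


def _parse_v1(data):
    end = data.find(b"\r\n", 0, V1_MAX_LEN)
    if end < 0:
        raise ProxyHeaderError("v1 header has no CRLF within %d bytes" % V1_MAX_LEN)
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[:2] == ["PROXY", "UNKNOWN"]:
        return None, payload  # v1 allows the proxy to declare the client unknown
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed v1 header")
    try:
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
        sport, dport = int(fields[4]), int(fields[5])
    except ValueError as exc:
        raise ProxyHeaderError("bad v1 address or port: %s" % exc) from exc
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family does not match %s" % fields[1])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return (str(src), sport, str(dst), dport), payload


def parse_proxy_header(data, must_use=False):
    """Strip a PROXY v1/v2 header from the start of a connection's bytes.

    Returns ((src_ip, src_port, dst_ip, dst_port) or None, remaining_payload).
    must_use is an assumption modelled on LIBPROXYPROTO_MUST_USE_PROTOCOL_HEADER:
    when True, a connection that does not begin with a header is rejected.
    """
    if data.startswith(V2_SIGNATURE):
        return _parse_v2(data)
    if data.startswith(b"PROXY "):
        return _parse_v1(data)
    if must_use:
        raise ProxyHeaderError("connection has no PROXY header")
    return None, data


if __name__ == "__main__":
    # Constructed sample: a client behind a load balancer opening an SSH session.
    stream = build_v2_header("203.0.113.7", 51000, "10.0.0.5", 22) + b"SSH-2.0-OpenSSH_7.9\r\n"
    print(parse_proxy_header(stream, must_use=True))
```

With `must_use=False` a bare SSH banner is accepted as a direct connection, which is the default the commit message describes; with `must_use=True` the same bytes are rejected, which is what enforcing the header buys once every path to the listener goes through the load balancer.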
parent ee6dc58b
......@@ -974,6 +974,21 @@ gitlab-shell:
- build:gitlab-gomplate
- build:gitlab-shell
gitlab-shell-libproxyproto:
<<: *job-base
<<: *except-deps
stage: phase-five
script:
- export DOCKERFILE_EXT
- export IMAGE_TAG_EXT
- export shell_container=$(cat artifacts/shell_container.txt)
- build_if_needed --build-arg "TAG=$shell_container${IMAGE_TAG_EXT}"
- push_tags gitlab-$GITLAB_REF_SLUG${IMAGE_TAG_EXT} # This can be removed during https://gitlab.com/gitlab-com/gl-infra/delivery/-/issues/1553
- push_tags $GITLAB_SHELL_VERSION${IMAGE_TAG_EXT}
dependencies:
- gitlab-shell
- build:gitlab-shell
build:git-base:
<<: *build-job-base
stage: prepare:phase-one
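Review bot: in the new `gitlab-shell-libproxyproto` job, `export shell_container=$(cat artifacts/shell_container.txt)` cannot fail the job: the exit status of `export` is 0 even when `cat` fails, so a missing or empty artifact silently turns the build arg into `TAG=${IMAGE_TAG_EXT}` and `build_if_needed` either fails later with an opaque pull error or builds against the wrong base. Add a guard such as `- test -s artifacts/shell_container.txt` before the export, and make sure `dependencies:` (`gitlab-shell`, `build:gitlab-shell`) includes the job that actually writes `artifacts/shell_container.txt`. The removal note on `push_tags gitlab-$GITLAB_REF_SLUG${IMAGE_TAG_EXT}` pointing at delivery issue 1553 is useful; say in it that only that ref-slug tag goes away and the `$GITLAB_SHELL_VERSION` tag stays, so whoever removes it does not drop both.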
ARG CI_REGISTRY_IMAGE="registry.gitlab.com/gitlab-org/build/cng"
ARG FROM_IMAGE="$CI_REGISTRY_IMAGE/gitlab-shell"
ARG TAG="master"
FROM ${FROM_IMAGE}:${TAG} as shell
USER root
# From https://gitlab.com/gitlab-com/gl-infra/openssh-patches/-/releases/v0.1.0
RUN cd /tmp && \
curl --retry 6 -o openssh-client.deb https://gitlab.com/gitlab-com/gl-infra/openssh-patches/uploads/4c4385c098a459689c4b97db0d0a14f8/openssh-client_7.9p1-10+deb10u2+gitlab+openssh79+8c55f4e4+1_amd64.deb && \
curl --retry 6 -o openssh-server.deb https://gitlab.com/gitlab-com/gl-infra/openssh-patches/uploads/520bba5376bef780cfd0c7ccefd4338d/openssh-sftp-server_7.9p1-10+deb10u2+gitlab+openssh79+8c55f4e4+1_amd64.deb && \
curl --retry 6 -o openssh-sftp-server.deb https://gitlab.com/gitlab-com/gl-infra/openssh-patches/uploads/520bba5376bef780cfd0c7ccefd4338d/openssh-sftp-server_7.9p1-10+deb10u2+gitlab+openssh79+8c55f4e4+1_amd64.deb && \
dpkg -i openssh-client.deb openssh-server.deb openssh-sftp-server.deb && \
rm openssh-client.deb openssh-server.deb openssh-sftp-server.deb
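Review bot: the second `curl` in the `RUN` step downloads the `openssh-sftp-server_...` upload (`.../uploads/520bba5376bef780cfd0c7ccefd4338d/...`) into `openssh-server.deb`, the same URL as the third `curl`; the patched `openssh-server` package is never fetched, so `dpkg -i` installs the sftp-server package twice and the image keeps the base image's unpatched `sshd`, which is the binary that has to understand the PROXY header. The URL should point at the `openssh-server` upload of the v0.1.0 release named in the comment. Two further points on the same step: the three `.deb` files go straight from `curl` into `dpkg -i` with no integrity check, so a changed or corrupted upload is installed silently; record the release's SHA-256 values in the Dockerfile and run `sha256sum -c` before `dpkg -i`. And the stage switches to `USER root` and never switches back, so the resulting image runs as root unless the base image's entrypoint drops privileges itself; restore the base image's user after the install. Finally, nothing here installs libproxyproto or sets `LD_PRELOAD`, so the PROXY handling depends entirely on the patched packages; a one-line comment saying so would save the next reader a search.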
### gitlab-shell with PROXY support
This image is based off the gitlab-shell image but adds [PROXY protocol](https://developers.cloudflare.com/spectrum/proxy-protocol) support via [libproxyproto](https://github.com/msantos/libproxyproto).
The Debian and Ubuntu patches to support this can be found in [this
repository](https://gitlab.com/gitlab-com/gl-infra/openssh-patches).
#### Configuration varaibles
See [the list of environment variables](https://github.com/msantos/libproxyproto#environment-variables)
that can be used.
#### Quick start
To enforce, PROXY v2 protocol, set:
```yaml
LIBPROXYPROTO_MUST_USE_PROTOCOL_HEADER: 1
LIBPROXYPROTO_VERSION: 2
```
To test this image with debug logging:
```sh
docker run -e LIBPROXYPROTO_MUST_USE_PROTOCOL_HEADER=1 -e LIBPROXYPROTO_DEBUG=1 -it -v /run/sshd:/run/sshd -p 2222:2222 registry.gitlab.com/gitlab-org/build/cng/gitlab-shell-libproxyproto
```
This will start up an OpenSSH server with PROXY support on port 2222.
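Review bot: `#### Configuration varaibles` misspells `variables`, and `To enforce, PROXY v2 protocol, set:` should read `To enforce the PROXY v2 protocol, set:`. The Quick start lists `LIBPROXYPROTO_MUST_USE_PROTOCOL_HEADER: 1` and `LIBPROXYPROTO_VERSION: 2` in a bare `yaml` block without saying where they go; state that they are environment variables, set under `extraEnv` in the Helm values (as the commit message shows) or as `-e` flags to `docker run` (as the next example does). One caveat belongs next to `LIBPROXYPROTO_MUST_USE_PROTOCOL_HEADER`: the PROXY header is trusted as received and nothing in it authenticates the sender, so both the default (header optional) and the enforced mode are only safe when the port 2222 listener is reachable solely through the load balancer that writes the header. The `docker run` test command exposes the port directly, which is fine for a local debug session but should not be mistaken for a production layout.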