Digos
Posted August 17, 2014

The Goal

The proxy protocol comes to provide high availability to the RO servers by placing the server behind load balancers but preserving the ability to keep the user's real IP address.

By using load balancers it's possible to protect against DDoS attacks, create custom hops to improve the route, even create a distributed network over the globe and many other possibilities.

How It Works

The Proxy Protocol was designed to chain proxies / reverse-proxies without losing the client information.

A proxy will use its own IP stack to get connected on remote servers. Because of this, we lose the initial TCP connection information like source and destination IP and port when a proxy is involved in an architecture.

A few workarounds exist, but the problem of these workarounds is that they are either protocol related or require architecture changes, preventing scalability.

That's where the proxy-protocol comes in:

- it is protocol agnostic (can work with any layer 7 protocols, even when encrypted)
- it does not require any infrastructure changes
- NAT-ing firewalls have no impact on it
- it is scalable

There is only one condition: both endpoints of the connection MUST be compatible with proxy protocol. This could be either proxies, reverse-proxies, load-balancers, WAF, application servers, etc.

Proxy-protocol ready software

The list below summarizes which software have already implemented the proxy protocol:

- Elastic Load Balancing, since July 2013, AWS' load balancer
- exaproxy, since 1.0.0, forward and reverse proxy
- exim, since 4.83, client side only, SMTP MTA
- gunicorn, since 0.15.0, Python HTTP server
- haproxy, since 1.5-dev3, reverse-proxy load-balancer
- nginx, since 1.5.12 in HTTP server client side only, Web server, HTTP + Mail reverse-proxy
- postfix, since 2.10, SMTP MTA
- stud, since the first release, SSL offloader
- stunnel, since 4.45, SSL offloader

Proxy protocol documentation

The description of the protocol by Willy, HAProxy developer:
http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt

And a few articles speaking about the subject:
http://blog.haproxy.com/2012/06/30/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/
http://blog.haproxy.com/2012/06/05/preserve-source-ip-address-despite-reverse-proxies/

What do you think about it?
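
Added example (not part of the thread, and not rAthena or HAProxy code): receiver-side handling of the version 1 text header described in the proxy-protocol.txt document linked above, accepted only from known load balancer addresses so that a direct client cannot claim another source IP. The 10.0.0.0/24 allow-list, the function names and the sample bytes are assumptions made for illustration.

```python
import ipaddress

# Hypothetical allow-list: addresses of the load balancers in front of the server.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
MAX_V1_HEADER = 107  # v1 spec: the whole line, CRLF included, fits in 107 bytes

# Constructed sample: first bytes a load balancer would send, then game payload.
SAMPLE = b"PROXY TCP4 60.60.60.60 50.50.50.50 56324 6900\r\n\x64\x00"


def parse_proxy_v1(data: bytes):
    """Split a v1 header off `data`; return (info or None, remaining payload)."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":  # proxy could not tell: fall back to socket peer
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match protocol field")
    sport, dport = (int(f) for f in fields[4:6])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {"src": str(src), "sport": sport, "dst": str(dst), "dport": dport}, rest


def client_address(peer_ip: str, first_bytes: bytes):
    """Return (effective client IP, payload) for a newly accepted connection."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct connection: a header here is client-controlled input, reject it.
        if first_bytes.startswith(b"PROXY "):
            raise PermissionError("PROXY header from untrusted peer")
        return peer_ip, first_bytes
    # Trusted proxy: the header is mandatory, so a missing one is an error.
    info, rest = parse_proxy_v1(first_bytes)
    return (info["src"] if info else peer_ip), rest
```

The address returned by client_address is the one to use for IP bans, rate limits and logs; the socket peer address is only the load balancer.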

anacondaq
Posted August 19, 2014 (edited)

Confirm. Up this topic.

Edited April 23, 2015 by Anacondaqq

anacondaq
Posted August 20, 2015

Hi dear Digos, after a few months I got a lot of answers, your problem is the similar as yours, and I found a way to solve it at the network level without modifying the client and server side. From the box we have all that we need (proxy diff at client) and binding the emulator to all interfaces.

"By using load balancers it's possible to protect against DDoS attacks, create custom hops to improve the route, even create a distributed network over the globe and many other possibilities."

My idea was about "if you receive a DDoS, automatically replace the player to another live host". But after long testing, with hiring some network engineers, I got a simple answer: with TCP it's impossible to do. BUT!

"The proxy protocol comes to provide high availability to the RO servers by placing the server behind load balancers but preserving the ability to keep the user's real IP address."

You can do that with GRE / IPIP tunnels and advanced routing policy. The Ragnarok Online exe supports it, and it works well:

Game Host: 50.50.50.50
PlayerIP: 60.60.60.60
GRE1, IP 1.1.1.1
GRE2, IP 2.2.2.2
GRE3, IP 3.3.3.3

60.60.60.60 -> 1.1.1.1 -> 50.50.50.50 with saving 60.60.60.60 -> OK
60.60.60.60 -> 2.2.2.2 -> 50.50.50.50 with saving 60.60.60.60 -> OK
60.60.60.60 -> 3.3.3.3 -> 50.50.50.50 with saving 60.60.60.60 -> OK

So, just google about it. Sorry for the stupid answer, but there is nothing to do with rAthena, because this feature is available out of the box, and requires advanced network education. (It already works on my projects very fine.)

About DDoS protection:

There is the end of the DDoS attacks at 2015 & 2016. The peak was at 2012 - 2014. The DDoS attacks related to Cogent (they sold very big uplinks for a very cheap price, for now they do not sell it anymore after a lot of abuse). Each online shit which could generate up to 60-70 Gbit/s at 2012 - 2014, and at early 2015, nowadays can generate a maximum of 190.000 pps at UDP & 120k pps at TCP. You can avoid it with syncookies + some of the cheap DDoS protected servers by hard limiting protocols to your server.

Sorry, this is not bla bla bla from me, I have projects where I got very big attacks every week to destroy my project, and I tried a lot of things since 2012...