276 lines
8.1 KiB
Groff
276 lines
8.1 KiB
Groff
.\" generated with Ronn/v0.7.3
|
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
|
.
|
|
.TH "COREDNS\-PROXY" "7" "April 2018" "CoreDNS" "CoreDNS plugins"
|
|
.
|
|
.SH "NAME"
|
|
\fIproxy\fR \- facilitates both a basic reverse proxy and a robust load balancer\.
|
|
.
|
|
.SH "DESCRIPTION"
|
|
The proxy has support for multiple backends\. The load balancing features include multiple policies, health checks, and failovers\. If all hosts fail their health check the proxy plugin will fail back to randomly selecting a target and sending packets to it\.
|
|
.
|
|
.SH "SYNTAX"
|
|
In its most basic form, a simple reverse proxy uses this syntax:
|
|
.
|
|
.IP "" 4
|
|
.
|
|
.nf
|
|
|
|
proxy FROM TO
|
|
.
|
|
.fi
|
|
.
|
|
.IP "" 0
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBFROM\fR is the base domain to match for the request to be proxied\.
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBTO\fR is the destination endpoint to proxy to\.
|
|
.
|
|
.IP "" 0
|
|
.
|
|
.P
|
|
However, advanced features including load balancing can be utilized with an expanded syntax:
|
|
.
|
|
.IP "" 4
|
|
.
|
|
.nf
|
|
|
|
proxy FROM TO\.\.\. {
|
|
policy random|least_conn|round_robin|sequential
|
|
fail_timeout DURATION
|
|
max_fails INTEGER
|
|
health_check PATH:PORT [DURATION]
|
|
except IGNORED_NAMES\.\.\.
|
|
spray
|
|
protocol [dns [force_tcp]|https_google [bootstrap ADDRESS\.\.\.]|grpc [insecure|CACERT|KEY CERT|KEY CERT CACERT]]
|
|
}
|
|
.
|
|
.fi
|
|
.
|
|
.IP "" 0
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBFROM\fR is the name to match for the request to be proxied\.
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBTO\fR is the destination endpoint to proxy to\. At least one is required, but multiple may be specified\. \fBTO\fR may be an IP:Port pair, or may reference a file in resolv\.conf format
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBpolicy\fR is the load balancing policy to use; applies only with multiple backends\. May be one of random, least_conn, round_robin or sequential\. Default is random\.
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBfail_timeout\fR specifies how long to consider a backend as down after it has failed\. While it is down, requests will not be routed to that backend\. A backend is "down" if CoreDNS fails to communicate with it\. The default value is 2 seconds ("2s")\.
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBmax_fails\fR is the number of failures within fail_timeout that are needed before considering a backend to be down\. If 0, the backend will never be marked as down\. Default is 1\.
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBhealth_check\fR will check \fBPATH\fR (on \fBPORT\fR) on each backend\. If a backend returns a status code of 200\-399, then that backend is marked healthy for double the healthcheck duration\. If it doesn\'t, it is marked as unhealthy and no requests are routed to it\. If this option is not provided then health checks are disabled\. The default duration is 4 seconds ("4s")\.
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBIGNORED_NAMES\fR in \fBexcept\fR is a space\-separated list of domains to exclude from proxying\. Requests that match none of these names will be passed through\.
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBspray\fR when all backends are unhealthy, randomly pick one to send the traffic to\. (This is a failsafe\.)
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBprotocol\fR specifies what protocol to use to speak to an upstream, \fBdns\fR (the default) is plain old DNS, and \fBhttps_google\fR uses \fBhttps://dns\.google\.com\fR and speaks a JSON DNS dialect\. Note when using this \fBTO\fR will be ignored\. The \fBgrpc\fR option will talk to a server that has implemented the DnsService \fIhttps://github\.com/coredns/coredns/blob/master/pb/dns\.proto\fR\.
|
|
.
|
|
.IP "" 0
|
|
.
|
|
.SH "POLICIES"
|
|
There are four load\-balancing policies available: * \fBrandom\fR (default) \- Randomly select a backend * \fBleast_conn\fR \- Select the backend with the fewest active connections * \fBround_robin\fR \- Select the backend in round\-robin fashion * \fBsequential\fR \- Select the first available backend looking by order of declaration from left to right * \fBfirst\fR \- Deprecated\. Use sequential instead
|
|
.
|
|
.P
|
|
All polices implement randomly spraying packets to backend hosts when \fIno healthy\fR hosts are available\. This is to preeempt the case where the healthchecking (as a mechanism) fails\.
|
|
.
|
|
.SH "UPSTREAM PROTOCOLS"
|
|
Currently \fBprotocol\fR supports \fBdns\fR (i\.e\., standard DNS over UDP/TCP) and \fBhttps_google\fR (JSON payload over HTTPS)\. Note that with \fBhttps_google\fR the entire transport is encrypted\. Only \fIyou\fR and \fIGoogle\fR can see your DNS activity\.
|
|
.
|
|
.TP
|
|
\fBdns\fR
|
|
uses the standard DNS exchange\. You can pass \fBforce_tcp\fR to make sure that the proxied connection is performed over TCP, regardless of the inbound request\'s protocol\.
|
|
.
|
|
.TP
|
|
\fBgrpc\fR
|
|
extra options are used to control how the TLS connection is made to the gRPC server\.
|
|
.
|
|
.IP "\(bu" 4
|
|
None \- No client authentication is used, and the system CAs are used to verify the server certificate\.
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBinsecure\fR \- TLS is not used, the connection is made in plaintext (not good in production)\.
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBCACERT\fR \- No client authentication is used, and the file \fBCACERT\fR is used to verify the server certificate\.
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBKEY\fR \fBCERT\fR \- Client authentication is used with the specified key/cert pair\. The server certificate is verified with the system CAs\.
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBKEY\fR \fBCERT\fR \fBCACERT\fR \- Client authentication is used with the specified key/cert pair\. The server certificate is verified using the \fBCACERT\fR file\.
|
|
.
|
|
.IP "" 0
|
|
|
|
.
|
|
.TP
|
|
\fBhttps_google\fR
|
|
bootstrap \fBADDRESS\.\.\.\fR is used to (re\-)resolve \fBdns\.google\.com\fR\.
|
|
.
|
|
.IP
|
|
This happens every 300s\. If not specified the default is used: 8\.8\.8\.8:53/8\.8\.4\.4:53\. Note that \fBTO\fR is \fIignored\fR when \fBhttps_google\fR is used, as its upstream is defined as \fBdns\.google\.com\fR\.
|
|
.
|
|
.SH "METRICS"
|
|
If monitoring is enabled (via the \fIprometheus\fR directive) then the following metric is exported:
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBcoredns_proxy_request_duration_seconds{server, proto, proto_proxy, family, to}\fR \- duration per upstream interaction\.
|
|
.
|
|
.IP "\(bu" 4
|
|
\fBcoredns_proxy_request_count_total{server, proto, proto_proxy, family, to}\fR \- query count per upstream\.
|
|
.
|
|
.IP "" 0
|
|
.
|
|
.P
|
|
Where \fBproxy_proto\fR is the protocol used (\fBdns\fR, \fBgrpc\fR, or \fBhttps_google\fR) and \fBto\fR is \fBTO\fR specified in the config, \fBproto\fR is the protocol used by the incoming query ("tcp" or "udp"), family the transport family ("1" for IPv4, and "2" for IPv6)\. \fBServer\fR is the server responsible for the request (and metric)\. See the documention in the metrics plugin\.
|
|
.
|
|
.SH "EXAMPLES"
|
|
Proxy all requests within example\.org\. to a backend system:
|
|
.
|
|
.IP "" 4
|
|
.
|
|
.nf
|
|
|
|
proxy example\.org 127\.0\.0\.1:9005
|
|
.
|
|
.fi
|
|
.
|
|
.IP "" 0
|
|
.
|
|
.P
|
|
Load\-balance all requests between three backends (using random policy):
|
|
.
|
|
.IP "" 4
|
|
.
|
|
.nf
|
|
|
|
\&\. {
|
|
proxy \. 10\.0\.0\.10:53 10\.0\.0\.11:1053 10\.0\.0\.12
|
|
}
|
|
.
|
|
.fi
|
|
.
|
|
.IP "" 0
|
|
.
|
|
.P
|
|
Same as above, but round\-robin style:
|
|
.
|
|
.IP "" 4
|
|
.
|
|
.nf
|
|
|
|
\&\. {
|
|
proxy \. 10\.0\.0\.10:53 10\.0\.0\.11:1053 10\.0\.0\.12 {
|
|
policy round_robin
|
|
}
|
|
}
|
|
.
|
|
.fi
|
|
.
|
|
.IP "" 0
|
|
.
|
|
.P
|
|
With health checks and proxy headers to pass hostname, IP, and scheme upstream:
|
|
.
|
|
.IP "" 4
|
|
.
|
|
.nf
|
|
|
|
\&\. {
|
|
proxy \. 10\.0\.0\.11:53 10\.0\.0\.11:53 10\.0\.0\.12:53 {
|
|
policy round_robin
|
|
health_check /health:8080
|
|
}
|
|
}
|
|
.
|
|
.fi
|
|
.
|
|
.IP "" 0
|
|
.
|
|
.P
|
|
Proxy everything except requests to miek\.nl or example\.org
|
|
.
|
|
.IP "" 4
|
|
.
|
|
.nf
|
|
|
|
\&\. {
|
|
proxy \. 10\.0\.0\.10:1234 {
|
|
except miek\.nl example\.org
|
|
}
|
|
}
|
|
.
|
|
.fi
|
|
.
|
|
.IP "" 0
|
|
.
|
|
.P
|
|
Proxy everything except \fBexample\.org\fR using the host\'s \fBresolv\.conf\fR\'s nameservers:
|
|
.
|
|
.IP "" 4
|
|
.
|
|
.nf
|
|
|
|
\&\. {
|
|
proxy \. /etc/resolv\.conf {
|
|
except miek\.nl example\.org
|
|
}
|
|
}
|
|
.
|
|
.fi
|
|
.
|
|
.IP "" 0
|
|
.
|
|
.P
|
|
Proxy all requests within \fBexample\.org\fR to Google\'s \fBdns\.google\.com\fR\.
|
|
.
|
|
.IP "" 4
|
|
.
|
|
.nf
|
|
|
|
\&\. {
|
|
proxy example\.org 1\.2\.3\.4:53 {
|
|
protocol https_google
|
|
}
|
|
}
|
|
.
|
|
.fi
|
|
.
|
|
.IP "" 0
|
|
.
|
|
.P
|
|
Proxy everything with HTTPS to \fBdns\.google\.com\fR, except \fBexample\.org\fR\. Then have another proxy in another stanza that uses plain DNS to resolve names under \fBexample\.org\fR\.
|
|
.
|
|
.IP "" 4
|
|
.
|
|
.nf
|
|
|
|
\&\. {
|
|
proxy \. 1\.2\.3\.4:53 {
|
|
except example\.org
|
|
protocol https_google
|
|
}
|
|
}
|
|
|
|
example\.org {
|
|
proxy \. 8\.8\.8\.8:53
|
|
}
|
|
.
|
|
.fi
|
|
.
|
|
.IP "" 0
|
|
.
|
|
.SH "BUGS"
|
|
When using the \fBgoogle_https\fR protocol the health checking will health check the wrong endpoint\. See \fIhttps://github\.com/coredns/coredns/issues/1202\fR for some background\.
|