TrueCloudLab/coredns
16
0
Fork 2
Code Issues Pull requests 4 Projects Releases Packages Wiki Activity Actions
coredns/middleware/proxy
History
Miek Gieben 34db56a22e readme updates (#525)
2017-02-15 08:03:14 +00:00
..
pb Client-side of gRPC proxy (#511) 2017-02-14 22:20:20 -05:00
dns.go La context (#521) 2017-02-11 16:56:04 +00:00
exchanger.go La context (#521) 2017-02-11 16:56:04 +00:00
google.go La context (#521) 2017-02-11 16:56:04 +00:00
google_rr.go middleware/proxy: absorb httpproxy (#481) 2017-02-06 19:32:48 +00:00
google_test.go middleware/proxy: absorb httpproxy (#481) 2017-02-06 19:32:48 +00:00
grpc.go Client-side of gRPC proxy (#511) 2017-02-14 22:20:20 -05:00
lookup.go La context (#521) 2017-02-11 16:56:04 +00:00
metrics.go middleware/proxy: sane(r) metrics 2017-02-07 21:28:47 +00:00
policy.go middleware/proxy: healthchecks fixes (#183) 2016-07-04 21:13:28 +01:00
policy_test.go First commit 2016-03-18 20:57:35 +00:00
proxy.go La context (#521) 2017-02-11 16:56:04 +00:00
README.md readme updates (#525) 2017-02-15 08:03:14 +00:00
response.go middleware/proxy: absorb httpproxy (#481) 2017-02-06 19:32:48 +00:00
setup.go middleware/proxy: absorb httpproxy (#481) 2017-02-06 19:32:48 +00:00
upstream.go Client-side of gRPC proxy (#511) 2017-02-14 22:20:20 -05:00
upstream_test.go Client-side of gRPC proxy (#511) 2017-02-14 22:20:20 -05:00

README.md

proxy

proxy facilitates both a basic reverse proxy and a robust load balancer. The proxy has support for multiple backends. The load balancing features include multiple policies, health checks, and failovers. If all hosts fail their health check the proxy middleware will fail back to randomly selecting a target and sending packets to it.

Syntax

In its most basic form, a simple reverse proxy uses this syntax:

proxy FROM TO
  • FROM is the base domain to match for the request to be proxied.
  • TO is the destination endpoint to proxy to.

However, advanced features including load balancing can be utilized with an expanded syntax:

proxy FROM TO... {
    policy random|least_conn|round_robin
    fail_timeout DURATION
    max_fails INTEGER
    health_check PATH:PORT [DURATION]
    except IGNORED_NAMES...
    spray
    protocol [dns|https_google [bootstrap ADDRESS...]|grpc [insecure|CA-PEM|KEY-PEM CERT-PEM|KEY-PEM CERT-PEM CA-PEM]]
}
  • FROM is the name to match for the request to be proxied.
  • TO is the destination endpoint to proxy to. At least one is required, but multiple may be specified. TO may be an IP:Port pair, or may reference a file in resolv.conf format
  • policy is the load balancing policy to use; applies only with multiple backends. May be one of random, least_conn, or round_robin. Default is random.
  • fail_timeout specifies how long to consider a backend as down after it has failed. While it is down, requests will not be routed to that backend. A backend is "down" if CoreDNS fails to communicate with it. The default value is 10 seconds ("10s").
  • max_fails is the number of failures within fail_timeout that are needed before considering a backend to be down. If 0, the backend will never be marked as down. Default is 1.
  • health_check will check path (on port) on each backend. If a backend returns a status code of 200-399, then that backend is healthy. If it doesn't, the backend is marked as unhealthy for duration and no requests are routed to it. If this option is not provided then health checks are disabled. The default duration is 10 seconds ("10s").
  • IGNORED_NAMES in except is a space-separated list of domains to exclude from proxying. Requests that match none of these names will be passed through.
  • spray when all backends are unhealthy, randomly pick one to send the traffic to. (This is a failsafe.)
  • protocol specifies what protocol to use to speak to an upstream, dns (the default) is plain old DNS, and https_google uses https://dns.google.com and speaks a JSON DNS dialect. Note when using this TO will be ignored. The grpc option will talk to a server that has implemented the DnsService. An out-of-tree middleware that implements the server side of this can be found at here.

Policies

There are three load-balancing policies available:

  • random (default) - Randomly select a backend
  • least_conn - Select the backend with the fewest active connections
  • round_robin - Select the backend in round-robin fashion

All polices implement randomly spraying packets to backend hosts when no healthy hosts are available. This is to preeempt the case where the healthchecking (as a mechanism) fails.

Upstream Protocols

Currently protocol supports dns (i.e., standard DNS over UDP/TCP) and https_google (JSON payload over HTTPS). Note that with https_google the entire transport is encrypted. Only you and Google can see your DNS activity.

  • dns: no options can be given at the moment.

  • https_google: bootstrap ADDRESS... is used to (re-)resolve dns.google.com to an address to connect to. This happens every 300s. If not specified the default is used: 8.8.8.8:53/8.8.4.4:53. Note that TO is ignored when https_google is used, as its upstream is defined as dns.google.com.

    Debug queries are enabled by default and currently there is no way to turn them off. When CoreDNS receives a debug query (i.e. the name is prefixed with o-o.debug.) a TXT record with Comment from dns.google.com is added. Note this is not always set.

  • grpc: options are used to control how the TLS connection is made to the gRPC server.

    • None - No client authentication is used, and the system CAs are used to verify the server certificate.
    • insecure - TLS is not used, the connection is made in plaintext (not good in production).
    • CA-PEM - No client authentication is used, and the file CA-PEM is used to verify the server certificate.
    • KEY-PEM CERT-PEM - Client authentication is used with the specified key/cert pair. The server certificate is verified with the system CAs.
    • KEY-PEM CERT-PEM CA-PEM - Client authentication is used with the specified key/cert pair. The server certificate is verified using the CA-PEM file.

    An out-of-tree middleware that implements the server side of this can be found at here.

Metrics

If monitoring is enabled (via the prometheus directive) then the following metric is exported:

  • coredns_proxy_request_count_total{proto, proxy_proto, from}

Where proxy_proto is the protocol used (dns, grpc, or https_google) and from is FROM specified in the config, proto is the protocol used by the incoming query ("tcp" or "udp").

Examples

Proxy all requests within example.org. to a backend system:

proxy example.org localhost:9005

Load-balance all requests between three backends (using random policy):

proxy . dns1.local:53 dns2.local:1053 dns3.local

Same as above, but round-robin style:

proxy . dns1.local:53 dns2.local:1053 dns3.local {
	policy round_robin
}

With health checks and proxy headers to pass hostname, IP, and scheme upstream:

proxy . dns1.local:53 dns2.local:53 dns3.local:53 {
	policy round_robin
	health_check /health:8080
}

Proxy everything except requests to miek.nl or example.org

proxy . backend:1234 {
	except miek.nl example.org
}

Proxy everything except example.org using the host resolv.conf nameservers:

proxy . /etc/resolv.conf {
	except miek.nl example.org
}

Proxy all requests within example.org to Google's dns.google.com.

proxy example.org 1.2.3.4:53 {
    protocol https_google
}

Proxy everything with HTTPS to dns.google.com, except example.org. Then have another proxy in another stanza that uses plain DNS to resolve names under example.org.

. {
    proxy . 1.2.3.4:53 {
        execpt example.org
        protocol https_google
    }
}

example.org {
    proxy . 8.8.8.8:53
}