OpenSec Atlas

Name: hairpin-proxy
Author: compumike

hairpin-proxy: An Open Source Tool for Cloud Security | OpenSec Atlas

Back to Browse

Cloud Security

Tool

hairpin-proxy

hairpin-proxy enables PROXY protocol support for internal-to-LoadBalancer traffic in Kubernetes, resolving ingress-nginx and cert-manager HTTP01 validation issues.

View on GitHub

About This Tool

PROXY protocol support for internal-to-LoadBalancer traffic for Kubernetes Ingress users. If you've had problems with ingress-nginx, cert-manager, LetsEncrypt ACME HTTP01 self-check failures, and the PROXY protocol, read on.

Primary Use Case

This tool is used by Kubernetes users running ingress controllers with LoadBalancer services who face issues with lost client source IPs and cert-manager ACME HTTP01 self-check failures due to PROXY protocol handling. It ensures that internal cluster traffic correctly supports the PROXY protocol, enabling seamless SSL certificate provisioning and ingress functionality.

Key Features

Adds PROXY protocol support for internal cluster traffic to LoadBalancer services
Solves ingress-nginx and cert-manager HTTP01 validation failures related to PROXY protocol
Works out-of-the-box with ingress-nginx and cert-manager
Preserves original client source IP addresses in proxied TCP connections
Compatible with multiple cloud provider load balancers supporting PROXY protocol
Mitigates Kubernetes kube-proxy iptables optimization issues with PROXY protocol

Insights & Recommendations

hairpin-proxy addresses a specific Kubernetes networking issue where kube-proxy redirects outbound traffic to the LoadBalancer's internal IP, causing PROXY protocol failures when accessed internally. It is recommended for users employing ingress-nginx with use-proxy-protocol enabled and cert-manager for ACME HTTP01 validation. Ensure your cloud load balancer supports the PROXY protocol and that both load balancer and web server are configured accordingly.

Installation

Run kubectl apply -f https://raw.githubusercontent.com/compumike/hairpin-proxy/v0.2.1/deploy.yml

Usage

kubectl apply -f https://raw.githubusercontent.com/compumike/hairpin-proxy/v0.2.1/deploy.yml

Installs hairpin-proxy into the Kubernetes cluster to enable PROXY protocol support.

Smart Usage Notes

Integrate hairpin-proxy into Kubernetes ingress pipelines to ensure accurate client IP logging for better incident investigation.
Use hairpin-proxy to improve cert-manager ACME HTTP01 challenge reliability, reducing downtime during certificate renewals.
Combine with network monitoring tools to detect anomalous traffic patterns that could indicate lateral movement or proxy protocol misuse.
Leverage hairpin-proxy in purple team exercises to simulate real-world ingress and proxy protocol evasion scenarios.
Automate deployment of hairpin-proxy in DevSecOps pipelines to enforce consistent cloud load balancer configurations and reduce misconfigurations.