HTTP proxy server behind a GCP load balancer with basic authentication

google-cloud-platform google-compute-engine google-kubernetes-engine proxy

I want to run an HTTP(S) proxy service in a GKE cluster, and take advantage of the existing Kubernetes ingress and the GCP load balancer to provide TLS termination and a stable public IP for the service. The clients would access the proxy via the public internet using basic auth.

So far I've run into three issues:

  1. It's tricky to configure an HTTP health check for the proxy, because the health check can only be configured with a relative path (e.g. `GET /`) and the proxy only responds to requests for fully qualified URLs (e.g. `GET http://www.example.com`). I was able to work around this by modifying the (open source) proxy server implementation to add a health check at a relative URL.
  2. Similarly, the URL map requires a relative path, beginning with a '/'. I was able to work around this by specifying the proxy service as the default backend for the ingress, which is used if none of the host/path rules match.
  3. Here's where I'm stuck. The load balancer appears to strip the Proxy-Authorization header sent by the client. So when the requests arrive at the proxy server, they are missing the auth header, and fail with a 407 Proxy Authentication Required.

It's obviously not an option to disable authentication on the proxy. I haven't found any documentation acknowledging that the load balancer strips this header, or why it does so.

Best Answer

You are trying to use this type of balancer for something it isn't designed to do. GCP HTTP load balancers are reverse HTTP proxies -- they don't front-end for forward proxies. What you have working so far is essentially working by accident.

I'd suggest that your application actually needs a TCP load balancer rather than HTTP.
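
An added illustration of the answer's point, not part of the original question or answer and not GCP's implementation: a generic HTTP intermediary treats `Proxy-Authorization` as a hop-by-hop header (RFC 2616 section 13.5.1) and does not relay it, while a TCP hop relays the request unchanged. The function names, credentials and sample request are constructed for the example, and that the GCP load balancer follows this same logic is an assumption.

```python
import base64
import hmac

# Hop-by-hop headers listed in RFC 2616 section 13.5.1: an HTTP intermediary
# consumes these itself and does not pass them to the next hop.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
}

def l7_reverse_proxy(headers):
    """Model of an HTTP (layer 7) hop: drop hop-by-hop headers before forwarding."""
    # Headers named in Connection are hop-by-hop for this connection as well.
    named = {t.strip().lower()
             for t in headers.get("Connection", "").split(",") if t.strip()}
    drop = HOP_BY_HOP | named
    return {k: v for k, v in headers.items() if k.lower() not in drop}

def l4_tcp_passthrough(headers):
    """Model of a TCP (layer 4) hop: bytes are relayed, headers are untouched."""
    return dict(headers)

def forward_proxy_status(headers, user, password):
    """Hypothetical forward-proxy check: 407 unless Basic credentials match."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return 407  # header missing (e.g. stripped upstream) or wrong scheme
    try:
        supplied = base64.b64decode(token, validate=True)
    except ValueError:
        return 407  # malformed base64
    expected = f"{user}:{password}".encode()
    # Constant-time comparison of the decoded "user:password" bytes.
    return 200 if hmac.compare_digest(supplied, expected) else 407

# Constructed sample request, as a client configured with proxy basic auth sends it.
CLIENT_REQUEST = {
    "Host": "www.example.com",
    "Proxy-Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode(),
    "Accept": "*/*",
}
```

With the constructed request, the layer 7 path reaches the proxy without credentials and gets the 407 described in the question, while the layer 4 path authenticates.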