Add headers to record WHOIS client IPs (#2695)

The headers can be used by Cloud Armor to perform IP-based rate limiting.
2026-01-03 11:45:39 +00:00 · 2025-02-27 17:15:13 -05:00
parent 5180095cb6
commit 7fb846c5b0
2 changed files with 19 additions and 2 deletions
--- a/proxy/deploy-proxy-for-env.sh
+++ b/proxy/deploy-proxy-for-env.sh
@@ -40,7 +40,8 @@ do
    kubectl apply -f -
    kubectl apply -f "./kubernetes/proxy-service-canary.yaml" --force
  fi
-  # Kills all running pods, new pods created will be pulling the new image.
-  kubectl delete pods --all
+  # Restart all running pods, new pods created will be pulling the new image.
+  kubectl rollout restart deployment/proxy-deployment
+  kubectl rollout restart deployment/proxy-deployment-canary
 done < <(gcloud container clusters list --project ${project} | grep proxy-cluster)
 kubectl config use-context "$current_context"
--- a/proxy/src/main/java/google/registry/proxy/handler/WhoisServiceHandler.java
+++ b/proxy/src/main/java/google/registry/proxy/handler/WhoisServiceHandler.java
@@ -15,8 +15,10 @@
 package google.registry.proxy.handler;

 import static com.google.common.base.Preconditions.checkArgument;
+import static google.registry.proxy.handler.ProxyProtocolHandler.REMOTE_ADDRESS_KEY;

 import google.registry.proxy.metric.FrontendMetrics;
+import google.registry.util.ProxyHttpHeaders;
 import io.netty.buffer.ByteBuf;
 import io.netty.channel.ChannelFutureListener;
 import io.netty.channel.ChannelHandlerContext;
@@ -30,6 +32,8 @@ import java.util.function.Supplier;
 /** Handler that processes WHOIS protocol logic. */
 public final class WhoisServiceHandler extends HttpsRelayServiceHandler {

+  private String clientAddress;
+
  public WhoisServiceHandler(
      String relayHost,
      String relayPath,
@@ -45,6 +49,12 @@ public final class WhoisServiceHandler extends HttpsRelayServiceHandler {
    super.channelActive(ctx);
  }

+  @Override
+  public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
+    clientAddress = ctx.channel().attr(REMOTE_ADDRESS_KEY).get();
+    super.channelRead(ctx, msg);
+  }
+
  @Override
  protected FullHttpRequest decodeFullHttpRequest(ByteBuf byteBuf) {
    FullHttpRequest request = super.decodeFullHttpRequest(byteBuf);
@@ -52,6 +62,12 @@ public final class WhoisServiceHandler extends HttpsRelayServiceHandler {
        .headers()
        .set(HttpHeaderNames.CONTENT_TYPE, HttpHeaderValues.TEXT_PLAIN)
        .set(HttpHeaderNames.ACCEPT, HttpHeaderValues.TEXT_PLAIN);
+    if (clientAddress != null) {
+      request
+          .headers()
+          .set(ProxyHttpHeaders.IP_ADDRESS, clientAddress)
+          .set(ProxyHttpHeaders.FALLBACK_IP_ADDRESS, clientAddress);
+    }
    return request;
  }