Proxy-only nodes #2698

Closed
schmichael opened this issue Jun 8, 2017 · 6 comments

Comments

@schmichael
Member

Original post: https://groups.google.com/d/msg/nomad-tool/bauXDSiCkAY/Kp9vCyhABgAJ

It seems reasonable to want to be able to run agents purely for the purpose of proxying requests. This could be accomplished by disabling both client and server in the agent config:

client { enabled = false }
server { enabled = false }

However, internally it may take some refactoring to move server discovery, API advertisement, and the API itself out of the Client and into the agent.

@automaticgiant

automaticgiant commented Oct 12, 2017

why is this better than a proxy (like fabio) or ssh tunnel in front? would that proxy do a bunch of acl/sentinel stuff that would otherwise be done by client or server?

just read the original post, but still idk.

@ketzacoatl
Contributor

Last I checked/tested/banged my head on this.. it takes a bit more, for example, for some commands, the server sends you to a specific client. Having an instance of nomad that is responsible for proxying requests would be helpful. Also, something like fabio ought to run on nomad, and as core infrastructure, nomad ought to have minimal dependencies to run well in our env. Just my 2c.

@schmichael
Member Author

> why is this better than a proxy (like fabio) or ssh tunnel in front? would that proxy do a bunch of acl/sentinel stuff that would otherwise be done by client or server?
> -- @automaticgiant

Great question. Nomad's mTLS implementation uses custom certificate validation logic, so I don't think any other generic HTTP proxies would handle it correctly. I'm not sure how many handle client certificates for upstreams either.

Using a native Nomad proxy would also require one less network hop as a proxy would always do an HTTP call to an upstream whereas a Nomad proxy could communicate directly with the servers via RPC (which is what most HTTP calls translate to).

SSH tunnels, generic HTTP proxies, and VPNs are not a bad way to access Nomad clusters, and they're how most people would access a Nomad proxy. They just have different properties and tradeoffs than a native Nomad proxy would offer.

@automaticgiant

automaticgiant commented Oct 12, 2017

so @ketzacoatl, if the agent (and cli) had proxy support, you could forward a port to one, be able to make client/server only calls to the others, right?

@dadgar
Contributor

dadgar commented Mar 12, 2018

Closing in favor of #3892

@dadgar dadgar closed this as completed Mar 12, 2018