Add PROXY Protocol support for TCP ingress rules

[sairus2k]

Problem

When services are deployed behind HAProxy, the original client IP address is lost and replaced with HAProxy's local address. This creates problems for services that depend on the client's real IP address, such as SMTP servers performing SPF checks.

Proposed solution

Implement PROXY protocol support for TCP ingress rules by:

1. Adding a Use proxy protocol option when creating TCP ingress rules
2. Including an option to specify the PROXY protocol version (v1 or v2)
   • Version 1: human-readable format (required for SMTP servers)
   • Version 2: binary format

For detailed information about the PROXY protocol, refer to the HAProxy documentation.

Current workaround

While it's possible to manually add the send-proxy option to the backend of the application in /var/lib/swiftwave/haproxy/haproxy.cfg, this is not ideal as the file is generated and so it may be overwritten during updates.

Example logs

Without PROXY protocol

[2025-02-15 15:52:30] INFO  [#77ly6prphqq4hjnt] Connection from swiftwave_haproxy.wxlgfc5ojgvee0gktdcnyco33.ir6mcm2iqm8a1ql4gv464jqll.swiftwave_network

With PROXY protocol enabled using the send-proxy option

[2025-02-15 16:24:22] INFO  [#ex4pvmdvfbvidlne] [ex4pvmdvfbvidlne] PROXY from 209.85.218.49 through 172.18.0.5 (["TCP4","209.85.218.49","172.18.0.5","51204","25"])
[2025-02-15 16:24:22] INFO  [#ex4pvmdvfbvidlne] Connection from mail-ej1-f49.google.com

As shown in the logs, enabling the PROXY protocol helps maintain the original client information, which is crucial for proper service functionality.

[tanmoysrt]

Hi @sairus2k
Can you please raise the issue in repository ?
https://github.com/swiftwave-org/swiftwave

By default we can set this send-proxy for TCP routing.