Add support for backend PROXY protocol v1
This is enabled with backend /* ... */ { proxy_version 1 }
This commit is contained in:
delthas
Simon Ser
parent
84ae2e62d6
commit
d314adee59
|
|
@ -11,6 +11,7 @@ import (
|
|||
"net/url"
|
||||
"os"
|
||||
"os/exec"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"git.sr.ht/~emersion/go-scfg"
|
||||
|
|
@ -174,6 +175,21 @@ func parseBackend(backend *Backend, d *scfg.Directive) error {
|
|||
remoteCertFP := hex.EncodeToString(sum[:])
|
||||
return fmt.Errorf("configured TLS certificate fingerprint doesn't match the server's - %s", remoteCertFP)
|
||||
}
|
||||
case "proxy_version":
|
||||
var version string
|
||||
if err := child.ParseParams(&version); err != nil {
|
||||
return err
|
||||
}
|
||||
v, err := strconv.Atoi(version)
|
||||
if err != nil {
|
||||
return fmt.Errorf("directive proxy_version: invalid version: %v", err)
|
||||
}
|
||||
switch v {
|
||||
case 1, 2:
|
||||
backend.ProxyVersion = v
|
||||
default:
|
||||
return fmt.Errorf("directive proxy_version: unknown version: %v", v)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
11
server.go
11
server.go
|
|
@ -366,7 +366,7 @@ func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) e
|
|||
defer upstream.Close()
|
||||
|
||||
if be.Proxy {
|
||||
h := proxyproto.HeaderProxyFromAddrs(2, downstream.RemoteAddr(), downstream.LocalAddr())
|
||||
h := proxyproto.HeaderProxyFromAddrs(byte(be.ProxyVersion), downstream.RemoteAddr(), downstream.LocalAddr())
|
||||
|
||||
var tlvs []proxyproto.TLV
|
||||
if tlsState.ServerName != "" {
|
||||
|
|
@ -396,10 +396,11 @@ func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) e
|
|||
}
|
||||
|
||||
type Backend struct {
|
||||
Network string
|
||||
Address string
|
||||
Proxy bool
|
||||
TLSConfig *tls.Config // nil if no TLS
|
||||
Network string
|
||||
Address string
|
||||
Proxy bool
|
||||
ProxyVersion int
|
||||
TLSConfig *tls.Config // nil if no TLS
|
||||
}
|
||||
|
||||
func duplexCopy(a, b io.ReadWriter) error {
|
||||
|
|
|
|||
|
|
@ -52,7 +52,7 @@ The following directives are supported:
|
|||
*listen* <address>...
|
||||
Additional addresses to listen on.
|
||||
|
||||
*backend* <uri>
|
||||
*backend* <uri> { ... }
|
||||
Backend to forward incoming connections to.
|
||||
|
||||
The following URIs are supported:
|
||||
|
|
@ -78,6 +78,11 @@ The following directives are supported:
|
|||
openssl x509 -fingerprint -sha256 -noout <certificate>
|
||||
```
|
||||
|
||||
*proxy_version* <version>
|
||||
PROXY protocol version to use, if _+proxy_ is specified.
|
||||
The supported versions are 1 and 2.
|
||||
If not specified, the PROXY version used defaults to version 2.
|
||||
|
||||
*tls* { ... }
|
||||
Customise frontend-specific TLS configuration.
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue