
tlstunnel: Add support for backend PROXY protocol v1 v1 APPLIED

delthas: 1
 Add support for backend PROXY protocol v1

 3 files changed, 28 insertions(+), 6 deletions(-)
#937388 .build.yml success

[PATCH tlstunnel] Add support for backend PROXY protocol v1

This is enabled with backend /* ... */ { proxy_version 1 }
---
 directives.go   | 16 ++++++++++++++++
 server.go       | 11 ++++++-----
 tlstunnel.1.scd |  7 ++++++-
 3 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/directives.go b/directives.go
index 4227cf0..11b35af 100644
--- a/directives.go
+++ b/directives.go
@@ -11,6 +11,7 @@ import (
	"net/url"
	"os"
	"os/exec"
	"strconv"
	"strings"

	"git.sr.ht/~emersion/go-scfg"
@@ -174,6 +175,21 @@ func parseBackend(backend *Backend, d *scfg.Directive) error {
				remoteCertFP := hex.EncodeToString(sum[:])
				return fmt.Errorf("configured TLS certificate fingerprint doesn't match the server's - %s", remoteCertFP)
			}
		case "proxy_version":
			var version string
			if err := child.ParseParams(&version); err != nil {
				return err
			}
			v, err := strconv.Atoi(version)
			if err != nil {
				return fmt.Errorf("directive proxy_version: invalid version: %v", err)
			}
			switch v {
			case 1, 2:
			default:
				return fmt.Errorf("directive proxy_version: unknown version: %v", v)
			}
			backend.ProxyVersion = v
		}
	}
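Review bot: In the new `proxy_version` case of parseBackend, the version is validated and stored whether or not the backend URI carries `+proxy`, so the directive is accepted on a plain backend and then never used. An operator can then believe the backend is receiving client addresses when no PROXY header is sent at all. If `backend.Proxy` is already set by the time the child directives are walked (the start of parseBackend is outside the hunk, so this needs confirming), reject the combination with `if !backend.Proxy { return fmt.Errorf("directive proxy_version: backend does not use +proxy") }`. As a smaller point, the `invalid version` error could wrap the strconv error with `%w` rather than `%v`.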

diff --git a/server.go b/server.go
index 4d467ba..9de4c1e 100644
--- a/server.go
+++ b/server.go
@@ -366,7 +366,7 @@ func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) e
	defer upstream.Close()

	if be.Proxy {
		h := proxyproto.HeaderProxyFromAddrs(2, downstream.RemoteAddr(), downstream.LocalAddr())
		h := proxyproto.HeaderProxyFromAddrs(byte(be.ProxyVersion), downstream.RemoteAddr(), downstream.LocalAddr())

		var tlvs []proxyproto.TLV
		if tlsState.ServerName != "" {
@@ -396,10 +396,11 @@ func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) e
}

type Backend struct {
	Network   string
	Address   string
	Proxy     bool
	TLSConfig *tls.Config // nil if no TLS
	Network      string
	Address      string
	Proxy        bool
	ProxyVersion int
	TLSConfig    *tls.Config // nil if no TLS
}

func duplexCopy(a, b io.ReadWriter) error {
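Review bot: With `proxy_version 1`, the TLVs that handle starts building right after the changed `HeaderProxyFromAddrs` call (`var tlvs []proxyproto.TLV`, filled when `tlsState.ServerName != ""`) have nowhere to go, because the version 1 header is a single text line with no TLV section. A backend that uses the forwarded server name for routing or access decisions would stop receiving it, presumably without an error. Skipping the TLV block when `be.ProxyVersion == 1` and stating the limitation under `proxy_version` in the man page would make that loss visible. Separately, `byte(be.ProxyVersion)` is 0 when the directive is absent, so the documented default of 2 depends on how `proxyproto.HeaderProxyFromAddrs` treats version 0, which is not visible here; initialising `ProxyVersion` to 2 where the Backend is created would make the default explicit. The rest of handle is outside the hunk, so how the TLVs are attached and written should be checked there.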
diff --git a/tlstunnel.1.scd b/tlstunnel.1.scd
index 3c337e0..4b1e315 100644
--- a/tlstunnel.1.scd
+++ b/tlstunnel.1.scd
@@ -52,7 +52,7 @@ The following directives are supported:
	*listen* <address>...
		Additional addresses to listen on.

	*backend* <uri>
	*backend* <uri> { ... }
		Backend to forward incoming connections to.

		The following URIs are supported:
@@ -78,6 +78,11 @@ The following directives are supported:
			openssl x509 -fingerprint -sha256 -noout <certificate>
			```

		*proxy_version* <version>
			PROXY protocol version to use, if _+proxy_ is specified.
			The supported versions are 1 and 2.
			If not specified, the PROXY version used defaults to version 2.

	*tls* { ... }
		Customise frontend-specific TLS configuration.


base-commit: 84ae2e62d6541b3ef044e5f50d6ab7c28c1aab56
-- 
2.39.1
tlstunnel/patches/.build.yml: SUCCESS in 52s

[Add support for backend PROXY protocol v1][0] from [delthas][1]

[0]: https://lists.sr.ht/~emersion/public-inbox/patches/38851
[1]: mailto:delthas@dille.cc

✓ #937388 SUCCESS tlstunnel/patches/.build.yml https://builds.sr.ht/~emersion/job/937388
Pushed, thanks!