~emersion/soju-dev

This thread contains a patchset. You're looking at the original emails, but you may wish to use the patch review UI. Review patch
3 2

[PATCH] Accept proxy protocol on unix sockets by default

Julio B <julio.bacel@gmail.com>
Details
Message ID
<20221011071230.247042-1-julio.bacel@gmail.com>
DKIM signature
pass
Download raw message
3 months ago
Patch: +4 -3 
---
Usually we use unix sockets behind reverse proxies on local machines. It
makes sense to trust the proxy protocol we it is available.

Minimal nginx config
..
stream {
	server {
		listen 6697;
		proxy_pass unix:/run/soju/bouncer.socket;
		proxy_protocol on;
	}
}
..


 cmd/soju/main.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/cmd/soju/main.go b/cmd/soju/main.go
index 0094381..920e909 100644
--- a/cmd/soju/main.go
+++ b/cmd/soju/main.go
@@ -345,10 +345,11 @@ func proxyProtoListener(ln net.Listener, srv *soju.Server) net.Listener {
		Listener: ln,
		Policy: func(upstream net.Addr) (proxyproto.Policy, error) {
			tcpAddr, ok := upstream.(*net.TCPAddr)
			if !ok {
				return proxyproto.IGNORE, nil
			if ok && srv.Config().AcceptProxyIPs.Contains(tcpAddr.IP) {
				return proxyproto.USE, nil
			}
			if srv.Config().AcceptProxyIPs.Contains(tcpAddr.IP) {
			unixAddr, ok := upstream.(*net.UnixAddr)
			if ok && unixAddr.Network() == "unix" {
				return proxyproto.USE, nil
			}
			return proxyproto.IGNORE, nil
-- 
2.38.0
Simon Ser <contact@emersion.fr>
Details
Message ID
<Ey7nG_dHYE-Y0awFAOM8bt3hSR85rPB-u8l1ttfFlQb-mzOoLp48HyGziAgFBnh50X9zcr0asSqFB4TvO-lnGfjjjS1QpmOZXviGQDVIkY8=@emersion.fr>
In-Reply-To
<20221011071230.247042-1-julio.bacel@gmail.com> (view parent)
DKIM signature
pass
Download raw message
3 months ago 
Hm, I'm a bit worried about users setting up a Unix socket with a
reverse proxy which doesn't grok PROXY. This would allow clients to
send arbitrary PROXY headers.
Julio B <julio.bacel@gmail.com>
Details
Message ID
<CNLWKONLN937.1QEPPDX5D7LS5@arch>
In-Reply-To
<Ey7nG_dHYE-Y0awFAOM8bt3hSR85rPB-u8l1ttfFlQb-mzOoLp48HyGziAgFBnh50X9zcr0asSqFB4TvO-lnGfjjjS1QpmOZXviGQDVIkY8=@emersion.fr> (view parent)
DKIM signature
pass
Download raw message
3 months ago 
On Thu Oct 13, 2022 at 6:02 PM EEST, Simon Ser wrote:
> Hm, I'm a bit worried about users setting up a Unix socket with a
> reverse proxy which doesn't grok PROXY. This would allow clients to
> send arbitrary PROXY headers.

You're right, i hadn't thought about that. What is the simplest way to
make this configurable? Should i add a special case for
"accept-proxy-ip unix"? Or add a new option like "accept-proxy-socket"?
Simon Ser <contact@emersion.fr>
Details
Message ID
<1jRqOFaPsdCkeRmyMdX1RYGnH9jGe7uFWRo9G-Vazue5g2OkRLi4nbtyIwFu0bTr3gKAsLkAsQempbUak_OFXa7MBJuo00NGvXomcYoUQ2g=@emersion.fr>
In-Reply-To
<CNLWKONLN937.1QEPPDX5D7LS5@arch> (view parent)
DKIM signature
pass
Download raw message
3 months ago 
On Friday, October 14th, 2022 at 21:45, Julio B <julio.bacel@gmail.com> wrote:

> On Thu Oct 13, 2022 at 6:02 PM EEST, Simon Ser wrote:
> 
> > Hm, I'm a bit worried about users setting up a Unix socket with a
> > reverse proxy which doesn't grok PROXY. This would allow clients to
> > send arbitrary PROXY headers.
> 
> You're right, i hadn't thought about that. What is the simplest way to
> make this configurable? Should i add a special case for
> "accept-proxy-ip unix"? Or add a new option like "accept-proxy-socket"?

Maybe we can:

- Introduce a new "accept-proxy-from" directive which accepts both IPs
  and special names like "unix".
- Alias the old "accept-proxy-ip" directive to the new one, but remove
  it from docs so that new configs use the new directive but old
  configs keep working.

How does that sound?
Reply to thread Export thread (mbox)