~emersion/soju-dev

Accept proxy protocol on unix sockets by default v1 SUPERSEDED

Julio B: 1
 Accept proxy protocol on unix sockets by default

 1 files changed, 4 insertions(+), 3 deletions(-)

[PATCH] Accept proxy protocol on unix sockets by default

---
Usually we use unix sockets behind reverse proxies on local machines. It
makes sense to trust the proxy protocol when it is available.

Minimal nginx config
..
stream {
	server {
		listen 6697;
		proxy_pass unix:/run/soju/bouncer.socket;
		proxy_protocol on;
	}
}
..


 cmd/soju/main.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/cmd/soju/main.go b/cmd/soju/main.go
index 0094381..920e909 100644
--- a/cmd/soju/main.go
+++ b/cmd/soju/main.go
@@ -345,10 +345,11 @@ func proxyProtoListener(ln net.Listener, srv *soju.Server) net.Listener {
		Listener: ln,
		Policy: func(upstream net.Addr) (proxyproto.Policy, error) {
			tcpAddr, ok := upstream.(*net.TCPAddr)
			if !ok {
				return proxyproto.IGNORE, nil
			if ok && srv.Config().AcceptProxyIPs.Contains(tcpAddr.IP) {
				return proxyproto.USE, nil
			}
			if srv.Config().AcceptProxyIPs.Contains(tcpAddr.IP) {
			unixAddr, ok := upstream.(*net.UnixAddr)
			if ok && unixAddr.Network() == "unix" {
				return proxyproto.USE, nil
			}
			return proxyproto.IGNORE, nil
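Review bot: The new `unixAddr` branch returns `proxyproto.USE` for every connection arriving on a Unix socket, with no configuration check comparable to the `srv.Config().AcceptProxyIPs.Contains(tcpAddr.IP)` test that guards the TCP branch. That makes trust in the PROXY header implicit for any deployment that listens on a Unix socket, including ones where the process in front of the socket does not write a PROXY header itself, so the first bytes sent by the client would be parsed as the header. Consider gating this branch behind an explicit setting so it is opt-in like the TCP case, and document the change in behaviour for existing Unix-socket listeners.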
-- 
2.38.0

Hm, I'm a bit worried about users setting up a Unix socket with a
reverse proxy which doesn't grok PROXY. This would allow clients to
send arbitrary PROXY headers.