From d314adee5971f340dd2ffbe2db12542307cfb926 Mon Sep 17 00:00:00 2001
From: delthas
Date: Thu, 9 Feb 2023 15:19:29 +0100
Subject: [PATCH] Add support for backend PROXY protocol v1

This is enabled with backend /* ... */ { proxy_version 1 }
---
 directives.go | 16 ++++++++++++++++
 server.go | 11 ++++++-----
 tlstunnel.1.scd | 7 ++++++-
 3 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/directives.go b/directives.go
index 4227cf0..4ddd4d4 100644
--- a/directives.go
+++ b/directives.go
@@ -11,6 +11,7 @@ import (
 "net/url"
 "os"
 "os/exec"
+ "strconv"
 "strings"

 "git.sr.ht/~emersion/go-scfg"
@@ -174,6 +175,21 @@ func parseBackend(backend *Backend, d *scfg.Directive) error {
 remoteCertFP := hex.EncodeToString(sum[:])
 return fmt.Errorf("configured TLS certificate fingerprint doesn't match the server's - %s", remoteCertFP)
 }
+ case "proxy_version":
+ var version string
+ if err := child.ParseParams(&version); err != nil {
+ return err
+ }
+ v, err := strconv.Atoi(version)
+ if err != nil {
+ return fmt.Errorf("directive proxy_version: invalid version: %v", err)
+ }
+ switch v {
+ case 1, 2:
+ backend.ProxyVersion = v
+ default:
+ return fmt.Errorf("directive proxy_version: unknown version: %v", v)
+ }
 }
 }

diff --git a/server.go b/server.go
index 4d467ba..9de4c1e 100644
--- a/server.go
+++ b/server.go
@@ -366,7 +366,7 @@ func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) e
 defer upstream.Close()

 if be.Proxy {
- h := proxyproto.HeaderProxyFromAddrs(2, downstream.RemoteAddr(), downstream.LocalAddr())
+ h := proxyproto.HeaderProxyFromAddrs(byte(be.ProxyVersion), downstream.RemoteAddr(), downstream.LocalAddr())
 var tlvs []proxyproto.TLV
 if tlsState.ServerName != "" {
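Review bot: When the proxy_version directive is absent, ProxyVersion keeps its zero value, and nothing in this patch sets the default of 2 that the man-page hunk promises; the server.go hunk then passes `byte(be.ProxyVersion)`, i.e. 0, where a literal 2 used to be, so existing `+proxy` backends change behaviour unless parseBackend initialises the field before this switch (that part of the function is outside the hunk). The smallest fix is to set `backend.ProxyVersion = 2` where the Backend is first populated, or to guard the call site in handle with `version := be.ProxyVersion` / `if version == 0 { version = 2 }`. The new case also runs regardless of whether the URI carried `+proxy`, which is reasonable but worth a one-line comment, e.g. `// Validated even without +proxy so a misconfigured version is rejected at startup rather than ignored.`.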
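Review bot: With `proxy_version 1`, the TLVs that the following lines build from the TLS state have no wire representation, because PROXY protocol v1 is a single text line and only v2 carries TLVs, so a backend that relies on the SNI TLV silently stops receiving it (assuming go-proxyproto's v1 encoder drops them, as the protocol requires). That is worth stating next to the call, e.g. `// TLVs (SNI etc.) are only emitted for version 2; a v1 header carries addresses only.`, and in the proxy_version man-page entry. The enclosing handle method starts and continues outside the hunk.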
@@ -396,10 +396,11 @@ func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) e
 }

 type Backend struct {
- Network string
- Address string
- Proxy bool
- TLSConfig *tls.Config // nil if no TLS
+ Network string
+ Address string
+ Proxy bool
+ ProxyVersion int
+ TLSConfig *tls.Config // nil if no TLS
 }

 func duplexCopy(a, b io.ReadWriter) error {
diff --git a/tlstunnel.1.scd b/tlstunnel.1.scd
index 3c337e0..4b1e315 100644
--- a/tlstunnel.1.scd
+++ b/tlstunnel.1.scd
@@ -52,7 +52,7 @@ The following directives are supported:
 *listen*
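Review bot: ProxyVersion is added as an exported field with no comment, while the neighbouring TLSConfig documents its nil case; the zero value matters here because it is exactly what `byte(be.ProxyVersion)` sends when the directive is omitted. Suggest `ProxyVersion int // PROXY protocol version (1 or 2), used only when Proxy is set; 0 means not configured` so the meaning of an unset field is visible at the use site.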
... Additional addresses to listen on.
- *backend*
+ *backend* { ... }
 Backend to forward incoming connections to.

 The following URIs are supported:
@@ -78,6 +78,11 @@ The following directives are supported:
 openssl x509 -fingerprint -sha256 -noout
 ```

+ *proxy_version*
+ PROXY protocol version to use, if _+proxy_ is specified.
+ The supported versions are 1 and 2.
+ If not specified, the PROXY version used defaults to version 2.
+
 *tls* { ... }
 Customise frontend-specific TLS configuration.