
Add support for backend PROXY protocol v1

This is enabled with backend /* ... */ { proxy_version 1 }
delthas 2023-02-09 15:19:29 +01:00 committed by Simon Ser
parent 84ae2e62d6
commit d314adee59
3 changed files with 28 additions and 6 deletions

@ -11,6 +11,7 @@ import (
"net/url" "net/url"
"os" "os"
"os/exec" "os/exec"
"strconv"
"strings" "strings"
"git.sr.ht/~emersion/go-scfg" "git.sr.ht/~emersion/go-scfg"
@ -174,6 +175,21 @@ func parseBackend(backend *Backend, d *scfg.Directive) error {
remoteCertFP := hex.EncodeToString(sum[:]) remoteCertFP := hex.EncodeToString(sum[:])
return fmt.Errorf("configured TLS certificate fingerprint doesn't match the server's - %s", remoteCertFP) return fmt.Errorf("configured TLS certificate fingerprint doesn't match the server's - %s", remoteCertFP)
} }
case "proxy_version":
var version string
if err := child.ParseParams(&version); err != nil {
return err
}
v, err := strconv.Atoi(version)
if err != nil {
return fmt.Errorf("directive proxy_version: invalid version: %v", err)
}
switch v {
case 1, 2:
backend.ProxyVersion = v
default:
return fmt.Errorf("directive proxy_version: unknown version: %v", v)
}
} }
} }
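Review bot: The new `proxy_version` case only assigns backend.ProxyVersion when the directive is present, so a backend that omits it keeps the zero value unless parseBackend initialises the field before this directive loop (the start of the function is outside the hunk); that 0 is what handle() later hands to proxyproto.HeaderProxyFromAddrs, while the man page promises a default of version 2. Making the default explicit at the top of parseBackend, e.g. `backend.ProxyVersion = 2 // man page: PROXY v2 unless proxy_version overrides`, or rejecting a zero version where the header is built, would keep the code and the documentation in agreement. Two smaller points on the same lines: `fmt.Errorf("directive proxy_version: invalid version: %w", err)` keeps the strconv error inspectable instead of flattening it with %v, and a one-line comment such as `// accepted even without +proxy; only takes effect when the header is emitted` would save a config-debugging round trip, since the directive is otherwise silently inert.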

@ -366,7 +366,7 @@ func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) e
defer upstream.Close() defer upstream.Close()
if be.Proxy { if be.Proxy {
h := proxyproto.HeaderProxyFromAddrs(2, downstream.RemoteAddr(), downstream.LocalAddr()) h := proxyproto.HeaderProxyFromAddrs(byte(be.ProxyVersion), downstream.RemoteAddr(), downstream.LocalAddr())
var tlvs []proxyproto.TLV var tlvs []proxyproto.TLV
if tlsState.ServerName != "" { if tlsState.ServerName != "" {
@ -396,10 +396,11 @@ func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) e
} }
type Backend struct { type Backend struct {
Network string Network string
Address string Address string
Proxy bool Proxy bool
TLSConfig *tls.Config // nil if no TLS ProxyVersion int
TLSConfig *tls.Config // nil if no TLS
} }
func duplexCopy(a, b io.ReadWriter) error { func duplexCopy(a, b io.ReadWriter) error {
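Review bot: With `proxy_version 1` the TLVs assembled just below the new HeaderProxyFromAddrs call (the SNI taken from tlsState.ServerName, and whatever follows it outside the hunk) have nowhere to go: a version 1 PROXY header is a single text line with no TLV section, so as far as I can tell the encoder drops them silently and a backend that relies on the forwarded SNI for routing or logging receives nothing, with no error on either side. That deserves a comment at the call site, e.g. `// PROXY v1 carries addresses only; the TLVs built below are emitted for v2 exclusively`, and a sentence in the proxy_version man entry stating that version 1 does not forward TLS metadata such as the SNI. The handle function starts and continues outside the hunk, so I cannot see whether the v1 path is guarded anywhere else; if it is not, logging a warning once at config load when `+proxy` is combined with version 1 would make the loss visible.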

@ -52,7 +52,7 @@ The following directives are supported:
*listen* <address>... *listen* <address>...
Additional addresses to listen on. Additional addresses to listen on.
*backend* <uri> *backend* <uri> { ... }
Backend to forward incoming connections to. Backend to forward incoming connections to.
The following URIs are supported: The following URIs are supported:
@ -78,6 +78,11 @@ The following directives are supported:
openssl x509 -fingerprint -sha256 -noout <certificate> openssl x509 -fingerprint -sha256 -noout <certificate>
``` ```
*proxy_version* <version>
PROXY protocol version to use, if _+proxy_ is specified.
The supported versions are 1 and 2.
If not specified, the PROXY version used defaults to version 2.
*tls* { ... } *tls* { ... }
Customise frontend-specific TLS configuration. Customise frontend-specific TLS configuration.