Add support for backend PROXY protocol v1
This is enabled with backend /* ... */ { proxy_version 1 }
This commit is contained in:
parent
84ae2e62d6
commit
d314adee59
@ -11,6 +11,7 @@ import (
|
|||||||
"net/url"
|
"net/url"
|
||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"git.sr.ht/~emersion/go-scfg"
|
"git.sr.ht/~emersion/go-scfg"
|
||||||
@ -174,6 +175,21 @@ func parseBackend(backend *Backend, d *scfg.Directive) error {
|
|||||||
remoteCertFP := hex.EncodeToString(sum[:])
|
remoteCertFP := hex.EncodeToString(sum[:])
|
||||||
return fmt.Errorf("configured TLS certificate fingerprint doesn't match the server's - %s", remoteCertFP)
|
return fmt.Errorf("configured TLS certificate fingerprint doesn't match the server's - %s", remoteCertFP)
|
||||||
}
|
}
|
||||||
|
case "proxy_version":
|
||||||
|
var version string
|
||||||
|
if err := child.ParseParams(&version); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
v, err := strconv.Atoi(version)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("directive proxy_version: invalid version: %v", err)
|
||||||
|
}
|
||||||
|
switch v {
|
||||||
|
case 1, 2:
|
||||||
|
backend.ProxyVersion = v
|
||||||
|
default:
|
||||||
|
return fmt.Errorf("directive proxy_version: unknown version: %v", v)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
11
server.go
11
server.go
@ -366,7 +366,7 @@ func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) e
|
|||||||
defer upstream.Close()
|
defer upstream.Close()
|
||||||
|
|
||||||
if be.Proxy {
|
if be.Proxy {
|
||||||
h := proxyproto.HeaderProxyFromAddrs(2, downstream.RemoteAddr(), downstream.LocalAddr())
|
h := proxyproto.HeaderProxyFromAddrs(byte(be.ProxyVersion), downstream.RemoteAddr(), downstream.LocalAddr())
|
||||||
|
|
||||||
var tlvs []proxyproto.TLV
|
var tlvs []proxyproto.TLV
|
||||||
if tlsState.ServerName != "" {
|
if tlsState.ServerName != "" {
|
||||||
@ -396,10 +396,11 @@ func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) e
|
|||||||
}
|
}
|
||||||
|
|
||||||
type Backend struct {
|
type Backend struct {
|
||||||
Network string
|
Network string
|
||||||
Address string
|
Address string
|
||||||
Proxy bool
|
Proxy bool
|
||||||
TLSConfig *tls.Config // nil if no TLS
|
ProxyVersion int
|
||||||
|
TLSConfig *tls.Config // nil if no TLS
|
||||||
}
|
}
|
||||||
|
|
||||||
func duplexCopy(a, b io.ReadWriter) error {
|
func duplexCopy(a, b io.ReadWriter) error {
|
||||||
|
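Review bot: A backend that omits `proxy_version` reaches `HeaderProxyFromAddrs(byte(be.ProxyVersion), ...)` in handle with version 0, because the `proxy_version` case in parseBackend assigns the field only when the directive is present and nothing in this hunk maps the zero value to the default of 2 that the manual page now promises; unless a default is applied where the Backend is constructed (outside the hunks shown), the header would be formatted with a version the library does not know, and the plain `+proxy` path that worked before this change would stop working. Apply the fallback once in handle: `version := be.ProxyVersion` / `if version == 0 { version = 2 }` / `h := proxyproto.HeaderProxyFromAddrs(byte(version), downstream.RemoteAddr(), downstream.LocalAddr())`, or better, set `ProxyVersion: 2` at the point where the backend is built so the struct always carries a valid value. Separately, PROXY v1 carries no TLV section, so the SNI TLV assembled from `tlsState.ServerName` below is presumably discarded when version 1 is selected; a comment on the new field such as `// 1 or 2; TLVs (e.g. SNI) are only transmitted with version 2` would spare the next reader a trip into the library. handle's body starts and ends outside the hunk.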
@ -52,7 +52,7 @@ The following directives are supported:
|
|||||||
*listen* <address>...
|
*listen* <address>...
|
||||||
Additional addresses to listen on.
|
Additional addresses to listen on.
|
||||||
|
|
||||||
*backend* <uri>
|
*backend* <uri> { ... }
|
||||||
Backend to forward incoming connections to.
|
Backend to forward incoming connections to.
|
||||||
|
|
||||||
The following URIs are supported:
|
The following URIs are supported:
|
||||||
@ -78,6 +78,11 @@ The following directives are supported:
|
|||||||
openssl x509 -fingerprint -sha256 -noout <certificate>
|
openssl x509 -fingerprint -sha256 -noout <certificate>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
*proxy_version* <version>
|
||||||
|
PROXY protocol version to use, if _+proxy_ is specified.
|
||||||
|
The supported versions are 1 and 2.
|
||||||
|
If not specified, the PROXY version used defaults to version 2.
|
||||||
|
|
||||||
*tls* { ... }
|
*tls* { ... }
|
||||||
Customise frontend-specific TLS configuration.
|
Customise frontend-specific TLS configuration.
|
||||||
|
|
||||||
|