This is an automated email from the ASF dual-hosted git repository.
sudheerv pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 31a580d SSL Cert lookup using PP dest ip when ProxyProtocol is
enabled (#7802)
31a580d is described below
commit 31a580d0d89b2c141655ea167e4ad1b6b4e4973c
Author: Sudheer Vinukonda <[email protected]>
AuthorDate: Tue May 11 21:30:55 2021 -0700
SSL Cert lookup using PP dest ip when ProxyProtocol is enabled (#7802)
---
iocore/net/SSLNetVConnection.cc | 7 +++++++
iocore/net/SSLUtils.cc | 20 +++++++++++++++++++-
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 18d0637..b6be2c6 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -446,6 +446,13 @@ SSLNetVConnection::read_raw_data()
if (this->has_proxy_protocol(buffer, &r)) {
Debug("proxyprotocol", "ssl has proxy protocol header");
set_remote_addr(get_proxy_protocol_src_addr());
+ if (is_debug_tag_set("proxyprotocol")) {
+ IpEndpoint dst;
+ dst.sa = *(this->get_proxy_protocol_dst_addr());
+ ip_port_text_buffer ipb1;
+ ats_ip_nptop(&dst, ipb1, sizeof(ipb1));
+ Debug("proxyprotocol", "ssl_has_proxy_v1, dest IP received [%s]",
ipb1);
+ }
} else {
Debug("proxyprotocol", "proxy protocol was enabled, but required header
was not present in the "
"transaction - closing connection");
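Review bot: `dst.sa = *(this->get_proxy_protocol_dst_addr())` copies only a `struct sockaddr`, so if IpEndpoint is the usual ATS union of sockaddr/sockaddr_in/sockaddr_in6 and the PROXY header carried an IPv6 address, the copy is truncated before `ats_ip_nptop` formats it; `ats_ip_copy(&dst, this->get_proxy_protocol_dst_addr());` would copy the full family-sized address (assuming the getter returns a `sockaddr const *`, as the dereference suggests). The same assignment pattern appears in the SSLUtils.cc hunk at `ip.sa = *(netvc->get_proxy_protocol_dst_addr());`, where it also feeds the certificate lookup key rather than just a debug line. read_raw_data continues past this hunk.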
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 1d57f0b..508d11f 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -38,6 +38,7 @@
#include "P_OCSPStapling.h"
#include "P_SSLSNI.h"
#include "P_SSLConfig.h"
+#include "ProxyProtocol.h"
#include "SSLSessionCache.h"
#include "SSLSessionTicket.h"
#include "SSLDynlock.h"
@@ -299,7 +300,24 @@ set_context_cert(SSL *ssl)
IpEndpoint ip;
int namelen = sizeof(ip);
- if (0 == safe_getsockname(netvc->get_socket(), &ip.sa, &namelen)) {
+ if (netvc->get_is_proxy_protocol() && netvc->get_proxy_protocol_version()
!= ProxyProtocolVersion::UNDEFINED) {
+ ip.sa = *(netvc->get_proxy_protocol_dst_addr());
+ ip_port_text_buffer ipb1;
+ ats_ip_nptop(&ip, ipb1, sizeof(ipb1));
+ cc = lookup->find(ip);
+ if (is_debug_tag_set("proxyprotocol")) {
+ IpEndpoint src;
+ ip_port_text_buffer ipb2;
+ int ip_len = sizeof(src);
+
+ if (0 != safe_getpeername(netvc->get_socket(), &src.sa, &ip_len)) {
+ Debug("proxyprotocol", "Failed to get src ip, errno = [%d]", errno);
+ return EVENT_ERROR;
+ }
+ ats_ip_nptop(&src, ipb2, sizeof(ipb2));
+ Debug("proxyprotocol", "IP context is %p for [%s] -> [%s], default
context %p", cc, ipb2, ipb1, lookup->defaultContext());
+ }
+ } else if (0 == safe_getsockname(netvc->get_socket(), &ip.sa, &namelen)) {
cc = lookup->find(ip);
}
if (cc) {