Hi Phil,

On Wed, Apr 16, 2014 at 04:46:05PM -0400, Phil Pennock wrote:
> On 2014-04-15 at 12:13 +0200, Willy Tarreau wrote:
> > On Mon, Apr 14, 2014 at 09:54:19PM -0400, David S wrote:
> [ SSL extensions for Proxy protocol ]
> > > Please let me know your feedback.
> > [ many great improvements ]
> > Note that this probably marks the death of protocol v2 that nobody
> > implemented yet, but that was supposed to be easier to parse...
>
> Exim git HEAD has support (for the forthcoming 4.83 release) for Proxy
> Protocol, when built with EXPERIMENTAL_PROXY. This includes support for
> proxy protocols 1 and 2 both. (This is Exim as a server sat behind a
> proxy speaking the proxy protocol, so that connection source checks can
> use the external origin IP).

Great! I noticed it had support for the protocol but did not notice it
supported V2. So actually Exim can probably proudly claim to be the first
one to implement v2 :-)

> Todd Lyons worked on this, I've added him to the CC list. [Todd, the
> haproxy list doesn't require posters to be subscribed, so it's okay to
> keep the CC line intact.]
>
> Willy, what are your plans for protocol v2 please? If it's going to die
> an early death, I'd rather ensure that Exim rips out support for v2
> before the first release with support for proxy protocol, otherwise
> we're in for years of pain if someone deploys a proxy which does support
> it.

Nothing is decided, I really think that v2 is much better than v1 in that
it will significantly simplify the life of people who have to deal with
recv(MSG_PEEK) like postscreen and all those who don't want to implement
a possibly dangerous text-based parser. David proposed nice improvements
and there are other people asking for similar improvements. My first
thought was that v2 could be compromised, but David's latest post seems
to suggest otherwise.

The real issue with v2 is that (Exim aside), nobody implements it yet.
And for having started this protocol within haproxy, I know for sure that
without any other agents, it becomes totally useless. So right now I'd
rather say that we should evaluate the possibilities to extend it further,
then implement it into haproxy. We could even imagine that the extension
binary version becomes v3 if it changes in any significant way (at least
we'll need to pass some frame length).

> Todd, was v2 support added for feature completeness, or because you
> needed to work with an implementation using it?

If you want my opinion, do not remove it, even if you have no other user
right now. We've seen after implementing it for stunnel and stud that
just a few agents are enough to ignite adoption in many other products.
It should even be easy to implement into haproxy, it's just that we need
to add a few keywords on the server side for this.

BTW, if someone wants to propose a patch to implement v2 into haproxy as
specified, feel free to do so.

Cheers,
Willy
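The message above argues that the binary v2 header is easier and safer to receive than the text v1 line because the fixed 16-byte prefix carries the length of the rest, so a receiver never has to peek or scan for a terminator. The following parser is an added example illustrating that point; it is not code from Exim, haproxy or anyone on this thread. The wire layout it assumes (12-byte signature, version/command byte, family/transport byte, 16-bit big-endian address length, then the addresses) is the one in the published PROXY protocol specification; the names `pp2_parse`, `struct pp2_hdr`, the `pp2_demo_*` helpers and the sample frame are constructed for this example, and only TCP over IPv4/IPv6 plus UNSPEC are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of parsing a PROXY protocol v2 header. */
struct pp2_hdr {
    int local;               /* 1 if the command is LOCAL (e.g. a health check), 0 for PROXY */
    int family;              /* 4 = TCP over IPv4, 6 = TCP over IPv6, 0 = UNSPEC or LOCAL */
    uint8_t src_addr[16];    /* network byte order; only 4 bytes used for IPv4 */
    uint8_t dst_addr[16];
    uint16_t src_port;       /* host byte order */
    uint16_t dst_port;
    size_t header_len;       /* bytes consumed, so the caller can skip to the payload */
};

/* Return values of pp2_parse(). */
enum { PP2_OK = 1, PP2_NEED_MORE = 0, PP2_INVALID = -1 };

/* Fixed 12-byte v2 signature: "\r\n\r\n\0\r\nQUIT\n". */
static const uint8_t PP2_SIG[12] = {
    0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A
};

/* Parse a v2 header from buf[0..len). The receiver reads exactly 16 bytes, learns
 * addr_len, then reads exactly that many more: no MSG_PEEK loop, no text scanning. */
int pp2_parse(const uint8_t *buf, size_t len, struct pp2_hdr *out)
{
    size_t sig_check = len < sizeof PP2_SIG ? len : sizeof PP2_SIG;
    if (memcmp(buf, PP2_SIG, sig_check) != 0)
        return PP2_INVALID;             /* prefix already diverges from the signature */
    if (len < 16)
        return PP2_NEED_MORE;

    uint8_t ver_cmd = buf[12];
    uint8_t fam = buf[13];
    size_t addr_len = ((size_t)buf[14] << 8) | buf[15];   /* big-endian length */

    if ((ver_cmd & 0xF0) != 0x20)
        return PP2_INVALID;             /* not version 2 */
    uint8_t cmd = ver_cmd & 0x0F;
    if (cmd != 0x00 && cmd != 0x01)
        return PP2_INVALID;             /* only LOCAL (0) and PROXY (1) are defined */
    if (len < 16 + addr_len)
        return PP2_NEED_MORE;           /* never act on a partial header */

    memset(out, 0, sizeof *out);
    out->header_len = 16 + addr_len;
    if (cmd == 0x00) {                  /* LOCAL: use the socket's own addresses */
        out->local = 1;
        return PP2_OK;
    }

    const uint8_t *p = buf + 16;
    switch (fam) {
    case 0x11:                          /* AF_INET + STREAM: 4 + 4 + 2 + 2 bytes */
        if (addr_len < 12)
            return PP2_INVALID;
        out->family = 4;
        memcpy(out->src_addr, p, 4);
        memcpy(out->dst_addr, p + 4, 4);
        out->src_port = (uint16_t)((p[8] << 8) | p[9]);
        out->dst_port = (uint16_t)((p[10] << 8) | p[11]);
        return PP2_OK;
    case 0x21:                          /* AF_INET6 + STREAM: 16 + 16 + 2 + 2 bytes */
        if (addr_len < 36)
            return PP2_INVALID;
        out->family = 6;
        memcpy(out->src_addr, p, 16);
        memcpy(out->dst_addr, p + 16, 16);
        out->src_port = (uint16_t)((p[32] << 8) | p[33]);
        out->dst_port = (uint16_t)((p[34] << 8) | p[35]);
        return PP2_OK;
    case 0x00:                          /* UNSPEC: addresses are to be ignored */
        return PP2_OK;
    default:
        return PP2_INVALID;             /* UDP and UNIX families are out of scope here */
    }
}

/* Constructed sample frame (not captured from a real proxy): TCP over IPv4,
 * client 192.168.1.10:51234 reaching 10.0.0.1:25 through the proxy. */
static const uint8_t SAMPLE_TCP4[28] = {
    0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A,
    0x21, 0x11, 0x00, 0x0C,             /* v2 PROXY, AF_INET/STREAM, 12 address bytes */
    0xC0, 0xA8, 0x01, 0x0A,             /* 192.168.1.10 */
    0x0A, 0x00, 0x00, 0x01,             /* 10.0.0.1 */
    0xC8, 0x22, 0x00, 0x19              /* ports 51234 and 25 */
};

/* Parse only the first `len` bytes of the sample, as if that much had arrived so far. */
int pp2_demo_parse(size_t len, struct pp2_hdr *out)
{
    if (len > sizeof SAMPLE_TCP4)
        len = sizeof SAMPLE_TCP4;
    return pp2_parse(SAMPLE_TCP4, len, out);
}

/* Parse the sample with one byte replaced, to exercise the rejection paths. */
int pp2_demo_parse_corrupt(size_t index, uint8_t value, struct pp2_hdr *out)
{
    uint8_t copy[sizeof SAMPLE_TCP4];
    memcpy(copy, SAMPLE_TCP4, sizeof copy);
    if (index < sizeof copy)
        copy[index] = value;
    return pp2_parse(copy, sizeof copy, out);
}

int main(void)
{
    struct pp2_hdr h;
    int rc = pp2_demo_parse(sizeof SAMPLE_TCP4, &h);
    if (rc == PP2_OK && h.family == 4)
        printf("client %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u, %zu header bytes\n",
               h.src_addr[0], h.src_addr[1], h.src_addr[2], h.src_addr[3], h.src_port,
               h.dst_addr[0], h.dst_addr[1], h.dst_addr[2], h.dst_addr[3], h.dst_port,
               h.header_len);
    return rc == PP2_OK ? 0 : 1;
}
```

A real server would call `pp2_parse` on whatever has been received so far, keep reading while it returns `PP2_NEED_MORE`, drop the connection on `PP2_INVALID`, and only then trust the addresses; the point of the length field is that both the "need more" and "invalid" decisions are made on bounded, fixed-offset fields rather than on a text line of unknown length.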

