Hello,

The attached patch adds ACL support for the TLS ALPN extension (RFC7301)
via "req.ssl_alpn", in a similar vein to "req.ssl_sni".

It is useful for pass-thru of TLS connections in scenarios like ACME's 
tls-alpn-01.

Thank you
Alex
>From 8008e5e8f23747741ed005f56c247bcd366cfda9 Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet <m...@gandi.net>
Date: Fri, 13 Oct 2017 12:15:28 +0200
Subject: [PATCH 1/3] MINOR: update proxy-protocol-v2 #define

Carry over the #define values from doc/proxy-protocol.txt.
---
 include/types/connection.h | 15 +++++++++++----
 src/connection.c           |  4 ++--
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/include/types/connection.h b/include/types/connection.h
index 1c923c578..eee75ec42 100644
--- a/include/types/connection.h
+++ b/include/types/connection.h
@@ -373,10 +373,17 @@ struct proxy_hdr_v2 {
 	} addr;
 };
 
-#define PP2_TYPE_SSL           0x20
-#define PP2_TYPE_SSL_VERSION   0x21
-#define PP2_TYPE_SSL_CN        0x22
-#define PP2_TYPE_NETNS         0x30
+#define PP2_TYPE_ALPN           0x01
+#define PP2_TYPE_AUTHORITY      0x02
+#define PP2_TYPE_CRC32C         0x03
+#define PP2_TYPE_NOOP           0x04
+#define PP2_TYPE_SSL            0x20
+#define PP2_SUBTYPE_SSL_VERSION 0x21
+#define PP2_SUBTYPE_SSL_CN      0x22
+#define PP2_SUBTYPE_SSL_CIPHER  0x23
+#define PP2_SUBTYPE_SSL_SIG_ALG 0x24
+#define PP2_SUBTYPE_SSL_KEY_ALG 0x25
+#define PP2_TYPE_NETNS          0x30
 
 #define TLV_HEADER_SIZE      3
 struct tlv {
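Review bot: Renaming PP2_TYPE_SSL_VERSION and PP2_TYPE_SSL_CN to PP2_SUBTYPE_SSL_VERSION and PP2_SUBTYPE_SSL_CN drops the old identifiers from a shared header without a compatibility alias, so any other translation unit or out-of-tree code still using them stops compiling; only src/connection.c is updated in the next hunk, and other users are not visible here. If the old names should keep working, add `#define PP2_TYPE_SSL_VERSION PP2_SUBTYPE_SSL_VERSION` and `#define PP2_TYPE_SSL_CN PP2_SUBTYPE_SSL_CN` beside the new definitions; otherwise confirm by grep that nothing else references them. A one-line comment above the group, `/* PROXY protocol v2 TLV types; PP2_SUBTYPE_SSL_* are sub-TLVs carried inside PP2_TYPE_SSL (values from doc/proxy-protocol.txt) */`, would also make the 0x2x numbering less confusing, since the SUBTYPE values are emitted into the SSL TLV body in make_proxy_line_v2 rather than as top-level types.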
diff --git a/src/connection.c b/src/connection.c
index 48f0ec331..a29bc2c32 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -1037,7 +1037,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
 			tlv->client |= PP2_CLIENT_SSL;
 			value = ssl_sock_get_version(remote);
 			if (value) {
-				ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len-ret-ssl_tlv_len), PP2_TYPE_SSL_VERSION, strlen(value), value);
+				ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len-ret-ssl_tlv_len), PP2_SUBTYPE_SSL_VERSION, strlen(value), value);
 			}
 			if (ssl_sock_get_cert_used_sess(remote)) {
 				tlv->client |= PP2_CLIENT_CERT_SESS;
@@ -1048,7 +1048,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
 			if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
 				cn_trash = get_trash_chunk();
 				if (ssl_sock_get_remote_common_name(remote, cn_trash) > 0) {
-					ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
+					ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_SUBTYPE_SSL_CN, cn_trash->len, cn_trash->str);
 				}
 			}
 		}
-- 
2.11.0
