Proposal reworking after playing with « authority » and look at how « src »/« dst » are working.

Authority » can come from transport layer (TLS), ProxyV2 TLV or « set-authority ».
« src/dst » is set from transport layer (TCP), overwrite by Proxy-protocol and « set-{src,dst} »
I propose to do the same for « authority » sample fetch:
pick « authority » from « set-authority, Proxy-protocol, and transport layer (in this order)
 . It’s already what authority is in « proxy-v2-options authority"
  => « fc_pp_authority » disappears in favour of the generic « authority » sample fetch


listen offload
       mode tcp
       bind :80
       bind :443 ssl crt-list /etc/haproxy/crtbindlist.cfg
       server bla send-proxy-v2 proxy-v2-options authority

listen onload
       mode tcp
       bind accept-proxy

       acl has_authority authority -m found
       tcp-request inspect-delay 5s
       tcp-request content set-authority hdr(Host),lower if !has_authority
       tcp-request content reject if !has_authority
       server srvssl ssl verify none sni authority

  Note: in case of:
   tcp-request connection set-authority str(authbla)
   « authority » is set before  ProxyV2, and will be overwritten by TLV authority.

Included my patch for that proposal. (could be split with comments from this mail)


Attachment: 0001-MINOR-connection-add-set-authority-and-normalize-aut.patch
Description: Binary data

Reply via email to