On 9/26/19 19:27, Emmanuel Hocdet wrote:
> 
>>>
>>> Proposal reworking after playing with « authority » and look at how « src 
>>> »/« dst » are working.
>>>
>>> « Authority » can come from transport layer (TLS), ProxyV2 TLV or
>>> « set-authority ».
>>> « src/dst » is set from transport layer (TCP), overwritten by Proxy-protocol
>>> and « set-{src,dst} ».
>>> I propose to do the same for the « authority » sample fetch:
>>> pick « authority » from « set-authority », Proxy-protocol, and transport
>>> layer (in this order).
>>> It's already what authority is in « proxy-v2-options authority ».
>>>  => « fc_pp_authority » disappears in favour of the generic « authority »
>>> sample fetch
>>
>> Some thoughts that come to mind -- it sounds like there will be a bit of
>> "magic" at work here, so will it be transparent to the user? Will users
>> find that the authority field is being set and they wonder where it came
>> from?
> 
> I think we can. It will simplify the usage in the vast majority of cases.

OK

>> And I wonder if there are situations in which someone will want to
>> specifically choose one source of truth for authority over the other.
>> Suppose an incoming connection uses TLS with an SNI, and the peer
>> component also sends an authority TLV via Proxy. Is a situation
>> imaginable in which only one of them is getting it "right", for the
>> purposes of haproxy, and the config author wants to be sure to catch
>> that one only?
> 
> You can with the sample fetch from transport layer, « ssl_fc_sni » for TLS.

Then if I understand correctly:

- when you prefer the authority value from TLS, use the ssl_fc_sni fetch

- if you prefer the value from the Proxy TLV, just use the authority
fetch, since that one prefers the TLV over the value from TLS, according
to the rules described above.

Is that right?


Best,
Geoff
-- 
** * * UPLEX - Nils Goroll Systemoptimierung

Scheffelstraße 32
22301 Hamburg

Tel +49 40 2880 5731
Mob +49 176 636 90917
Fax +49 40 42949753

http://uplex.de

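The two choices Geoff spells out above (TLS-layer SNI only, or the PROXY v2 TLV preferred over SNI), written out as a HAProxy configuration fragment. This is an added example, not part of the original thread and not HAProxy's own documentation; it uses only the fetches the thread mentions that already exist in HAProxy (ssl_fc_sni, fc_pp_authority, proxy-v2-options authority) and builds the proposed precedence by hand instead of relying on the proposed generic authority fetch or set-authority. The bind address, certificate path, server address and txn.* variable names are made up.

```haproxy
# Added example (not from the thread): selecting the authority source explicitly.
# Assumed values: the bind address, certificate path, server address and the
# txn.* variable names are all invented for illustration.

frontend fe_edge
    # accept-proxy trusts whatever PROXY header the peer sends, so this listener
    # must only be reachable from the component that actually sends the TLV.
    bind 10.0.0.1:8443 ssl crt /etc/haproxy/certs/site.pem accept-proxy
    mode http

    # Choice 1: the TLS-layer value only, ignoring any PROXY v2 TLV.
    http-request set-var(txn.sni) ssl_fc_sni

    # Choice 2: the PROXY v2 authority TLV only (unset if the peer sent none).
    http-request set-var(txn.pp_auth) fc_pp_authority

    # The precedence the thread proposes (TLV over TLS), assembled from the two
    # existing fetches: take the TLV when present, otherwise fall back to SNI.
    http-request set-var(txn.authority) fc_pp_authority if { fc_pp_authority -m found }
    http-request set-var(txn.authority) ssl_fc_sni unless { fc_pp_authority -m found }

    # Flag connections where both sources are present but disagree: one hop
    # got the authority "wrong", which is exactly the case worth logging.
    acl have_tlv fc_pp_authority -m found
    acl have_sni ssl_fc_sni -m found
    acl authority_agrees var(txn.pp_auth),strcmp(txn.sni) eq 0
    http-request set-var(txn.auth_mismatch) str(1) if have_tlv have_sni !authority_agrees

    log-format "%ci:%cp sni=%[var(txn.sni)] pp_auth=%[var(txn.pp_auth)] authority=%[var(txn.authority)] mismatch=%[var(txn.auth_mismatch)]"

    default_backend be_app

backend be_app
    mode http
    # Forward an authority TLV to the next hop; per the thread, HAProxy fills
    # it from the received TLV or the SNI using the same precedence.
    server app1 10.0.0.2:8080 send-proxy-v2 proxy-v2-options authority
```

The mismatch flag is the check a config author wants when two layers can each carry an authority: if the logs show pp_auth and sni diverging, the peer in front of this HAProxy is setting the TLV from something other than the client's SNI, and the choice between ssl_fc_sni and the TLV-preferring fetch stops being a matter of convenience. The accept-proxy caveat matters for the same reason: anything that can reach that listener directly can supply its own PROXY header and therefore its own authority TLV.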