[jira] [Work logged] (ARTEMIS-3915) Support PROXY Protocol

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/ARTEMIS-3915?focusedWorklogId=984603&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-984603
 ]

ASF GitHub Bot logged work on ARTEMIS-3915:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 25/Sep/25 17:31
            Start Date: 25/Sep/25 17:31
    Worklog Time Spent: 10m 
      Work Description: tabish121 commented on code in PR #5908:
URL: https://github.com/apache/activemq-artemis/pull/5908#discussion_r2379854291


##########
artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/HAProxyMessageEnforcer.java:
##########
@@ -0,0 +1,73 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.core.remoting.impl.netty;
+
+import io.netty.buffer.ByteBuf;
+import io.netty.channel.ChannelHandler;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.channel.ChannelInboundHandlerAdapter;
+import org.apache.activemq.artemis.core.server.ActiveMQServerLogger;
+import org.apache.activemq.artemis.utils.SocketAddressUtil;
+
+/**
+ * This Netty handler enforces the presence or absence of PROXY protocol 
messages. It verifies conformity and then
+ * removes itself from the pipeline.
+ * <p>
+ * If the incoming message protocol does not align with the enforcer's 
requirements the connection is closed.
+ */
+@ChannelHandler.Sharable
+public class HAProxyMessageEnforcer extends ChannelInboundHandlerAdapter {
+
+   public static final HAProxyMessageEnforcer PROXY_PROTOCOL_REQUIRED = new 
HAProxyMessageEnforcer(true);
+
+   public static final HAProxyMessageEnforcer PROXY_PROTOCOL_REJECTED = new 
HAProxyMessageEnforcer(false);
+
+   final boolean requireHaProxyMessage;
+
+   HAProxyMessageEnforcer(boolean requireHaProxyMessage) {
+      this.requireHaProxyMessage = requireHaProxyMessage;
+   }
+
+   @Override
+   public void channelRead(ChannelHandlerContext ctx, Object msg) throws 
Exception {
+      ByteBuf in = (ByteBuf) msg;
+      if (in.readableBytes() < 4) {

Review Comment:
   I've realized there is a bug here now that this is acting as a shared static 
handler that likely means you would want to revert to using new instances with 
this being a ByteToMessageDecoder subclass.  The problem would arise on both 
proxy enabled and not enabled cases but likely is more of an issue in the 
non-proxy enabled case where the needed bytes don't arrive in the first packet 
leaded to dropping the first bytes sent on the connection.  I created a test 
case to add to HAProxyTest that shows this:
   ```
   
   diff --git 
a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/proxyprotocol/HAProxyTest.java
 
b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/proxyprotocol/HAProxyTest.java
   index f877dea06b..f15878897e 100644
   -

Issue Time Tracking
-------------------

    Worklog Id:     (was: 984603)
    Time Spent: 11h 50m  (was: 11h 40m)

> Support PROXY Protocol
> ----------------------
>
>                 Key: ARTEMIS-3915
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3915
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: Broker
>            Reporter: João Santos
>            Assignee: Justin Bertram
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 11h 50m
>  Remaining Estimate: 0h
>
> [HAProxy|http://www.haproxy.org/] is a widely known and used TCP Load 
> Balancer and especially useful for an ActiveMQ Artemis clustered environment.
> Although possible to functionally implement with both products current 
> features, Artemis does not support the PROXY protocol, which prevents it's 
> broker nodes from inferring the real remote client IP address when behind an 
> HAProxy instance.
> Since Netty sockets implementation already seems to support this protocol 
> (discussed w/ [~jbertram] on DEV mailing list), it shouldn't be a big leap to 
> adding support for the protocol on Artemis acceptors, thus improving the 
> deployment of the use case at hand.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@activemq.apache.org
For additional commands, e-mail: issues-h...@activemq.apache.org
For further information, visit: https://activemq.apache.org/contact