Attention is currently required from: flichtenheld, plaisthos. ralf_lici has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/685?usp=email )
Change subject: Add support for HAProxy's PROXY protocol ...................................................................... Patch Set 1: (11 comments) Patchset: PS1: > Only looked through it superficially. […] Sure, I'm working on it File CMakeLists.txt: http://gerrit.openvpn.net/c/openvpn/+/685/comment/7290bcc7_a1b2bf59 : PS1, Line 494: src/openvpn/proxy_protocol.h > haproxy_protocol.c/haproxy_protol.h […] Acknowledged File doc/proxy-protocol.txt: http://gerrit.openvpn.net/c/openvpn/+/685/comment/98eb2e63_aa08eed1 : PS1, Line 8: https://www.haproxy.org/download/2.4/doc/proxy-protocol.txt > Is this just a copy and paste of the document or is this addition to that > document? It would be good […] Acknowledged http://gerrit.openvpn.net/c/openvpn/+/685/comment/7d238309_2cbc8ac3 : PS1, Line 11: a binary version (v2). > Is this protocol TCP only? I assume so, so would be good to mention this. It also supports UDP but we only handle the TCP case so I will state it more clearly in the document. http://gerrit.openvpn.net/c/openvpn/+/685/comment/83291020_4f4e27ad : PS1, Line 26: --------- > Why are supporting two new protocls? Is there a need to introduce an already > deprecated protocol to […] Actually, as far as I have seen, currently some proxies only support v1 (eg. stunnel) so I don't think this version can be considered deprecated yet. http://gerrit.openvpn.net/c/openvpn/+/685/comment/e62ae60e_87dd1528 : PS1, Line 97: The v2 signature of the protocol: "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x20". > Really? The singnature is '\r\n\r\n\x00\r\nQUIT\n'? Yes. Citing the specification (section 6): This means that most protocols and implementations will not be confused by an incoming connection exhibiting the protocol signature, which avoids issues when facing misconfigurations. http://gerrit.openvpn.net/c/openvpn/+/685/comment/55c354bf_e38e4ac0 : PS1, Line 108: > What does this mean in the openvpn context? Basically LOCAL commands are used when the proxy sends health-checks to the server and therefore I guess these should never arrive to an openvpn server and should be ignored. I will add this info to the document http://gerrit.openvpn.net/c/openvpn/+/685/comment/a24cdcda_47d21b79 : PS1, Line 115: DGRAM (0x2). > if this is dgram, is the protocol still over tcp or does it use UDP then? The PROXY protocol works both with TCP and with UDP but we support only TCP. I will write in the document that we support only TCP. File src/openvpn/proxy_protocol.h: http://gerrit.openvpn.net/c/openvpn/+/685/comment/9bd9130b_22b62cc0 : PS1, Line 8: * Copyright (C) 2002-2024 OpenVPN Inc <sa...@openvpn.net> > Wrong copyright Acknowledged File src/openvpn/proxy_protocol.c: http://gerrit.openvpn.net/c/openvpn/+/685/comment/af015d00_a4fef0e9 : PS1, Line 8: * Copyright (C) 2002-2024 OpenVPN Inc <sa...@openvpn.net> > Wrong copyright Acknowledged File src/openvpn/socket.c: http://gerrit.openvpn.net/c/openvpn/+/685/comment/a5c360d3_bd5f87ca : PS1, Line 2684: /* check if it's a PROXY protocol header */ > I don't think this is the right place to add this. […] It's true that it doesn't get executed only on the first packet. However, there's a change in multi.c that checks if the header is present only once at the beginning of a TCP connection and parses it. So, even if we were to detect a proxy header later, we would not parse it. Additionally, we don't expect proxy headers after the connection has begun. Therefore, if we end up in this "if" condition, it will probably be due to a malformed packet, and the connection will be dropped. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/685?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I9766c68feaba71279f26c3310eee4b5ca215e6ac Gerrit-Change-Number: 685 Gerrit-PatchSet: 1 Gerrit-Owner: ralf_lici <r...@mandelbit.com> Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com> Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org> Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net> Gerrit-Attention: plaisthos <arne-open...@rfc2549.org> Gerrit-Attention: flichtenheld <fr...@lichtenheld.com> Gerrit-Comment-Date: Fri, 26 Jul 2024 13:27:26 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: plaisthos <arne-open...@rfc2549.org> Comment-In-Reply-To: flichtenheld <fr...@lichtenheld.com> Gerrit-MessageType: comment
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
