This is an automated email from the ASF dual-hosted git repository.
masaori pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new f7bdee6 Add incoming PROXY Protocol v2 support (#7340)
f7bdee6 is described below
commit f7bdee616ebec26b2746ce50c75eaacab7571554
Author: Masaori Koshiba
AuthorDate: Tue Jan 26 08:04:44 2021 +0900
Add incoming PROXY Protocol v2 support (#7340)
TCP support only for now. UDP, UNIX Domain Socket, and TLVs are out of
scope.
---
.../configuration/proxy-protocol.en.rst| 6 +-
iocore/net/ProxyProtocol.cc| 137 +-
iocore/net/ProxyProtocol.h | 2 +-
iocore/net/unit_tests/test_ProxyProtocol.cc| 292 -
4 files changed, 424 insertions(+), 13 deletions(-)
diff --git a/doc/admin-guide/configuration/proxy-protocol.en.rst
b/doc/admin-guide/configuration/proxy-protocol.en.rst
index 8df27d1..adf61f6 100644
--- a/doc/admin-guide/configuration/proxy-protocol.en.rst
+++ b/doc/admin-guide/configuration/proxy-protocol.en.rst
@@ -31,7 +31,7 @@ TLS connections.
.. note::
-The current version only supports transforming client IP from PROXY
Version 1
+The current version only supports transforming client IP from PROXY
Version 1/2
header to the Forwarded: header.
In the current implementation, the client IP address in the PROXY protocol
header
@@ -41,7 +41,7 @@ is passed to the origin server via an HTTP `Forwarded:
The Proxy Protocol must be enabled on each port. See
:ts:cv:`proxy.config.http.server_ports` for information on how to enable the
Proxy Protocol on a port. Once enabled, all incoming requests must be prefaced
-with the PROXY v1 header. Any request not preface by this header will be
+with the PROXY v1/v2 header. Any request not preface by this header will be
dropped.
As a security measure, an optional list of trusted IP addresses may be
@@ -50,7 +50,7 @@ configured with
:ts:cv:`proxy.config.http.proxy_protocol_allowlist`.
.. important::
If the allowlist is configured, requests will only be accepted from
these
- IP addresses and must be prefaced with the PROXY v1 header.
+ IP addresses and must be prefaced with the PROXY v1/v2 header.
See :ts:cv:`proxy.config.http.insert_forwarded` for configuration information.
Detection of the PROXY protocol header is automatic. If the PROXY header
diff --git a/iocore/net/ProxyProtocol.cc b/iocore/net/ProxyProtocol.cc
index 2de8673..452f63b 100644
--- a/iocore/net/ProxyProtocol.cc
+++ b/iocore/net/ProxyProtocol.cc
@@ -34,15 +34,57 @@ namespace
using namespace std::literals;
constexpr ts::TextView PPv1_CONNECTION_PREFACE = "PROXY"sv;
-constexpr ts::TextView PPv2_CONNECTION_PREFACE =
"\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x02"sv;
+constexpr ts::TextView PPv2_CONNECTION_PREFACE =
"\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A"sv;
constexpr size_t PPv1_CONNECTION_HEADER_LEN_MIN = 15;
-constexpr size_t PPv2_CONNECTION_HEADER_LEN_MIN = 16;
constexpr ts::TextView PPv1_PROTO_UNKNOWN = "UNKNOWN"sv;
constexpr ts::TextView PPv1_PROTO_TCP4= "TCP4"sv;
constexpr ts::TextView PPv1_PROTO_TCP6= "TCP6"sv;
+constexpr uint8_t PPv2_CMD_LOCAL = 0x20;
+constexpr uint8_t PPv2_CMD_PROXY = 0x21;
+
+constexpr uint8_t PPv2_PROTO_UNSPEC= 0x00;
+constexpr uint8_t PPv2_PROTO_TCP4 = 0x11;
+constexpr uint8_t PPv2_PROTO_UDP4 = 0x12;
+constexpr uint8_t PPv2_PROTO_TCP6 = 0x21;
+constexpr uint8_t PPv2_PROTO_UDP6 = 0x22;
+constexpr uint8_t PPv2_PROTO_UNIX_STREAM = 0x31;
+constexpr uint8_t PPv2_PROTO_UNIX_DATAGRAM = 0x32;
+
+constexpr uint16_t PPv2_ADDR_LEN_INET = 4 + 4 + 2 + 2;
+constexpr uint16_t PPv2_ADDR_LEN_INET6 = 16 + 16 + 2 + 2;
+// constexpr uint16_t PPv2_ADDR_LEN_UNIX = 108 + 108;
+
+struct PPv2Hdr {
+ uint8_t sig[12]; ///< preface
+ uint8_t ver_cmd; ///< protocol version and command
+ uint8_t fam; ///< protocol family and transport
+ uint16_t len;///< number of following bytes part of the header
+ union {
+// for TCP/UDP over IPv4, len = 12 (PPv2_ADDR_LEN_INET)
+struct {
+ uint32_t src_addr;
+ uint32_t dst_addr;
+ uint16_t src_port;
+ uint16_t dst_port;
+} ip4;
+// for TCP/UDP over IPv6, len = 36 (PPv2_ADDR_LEN_INET6)
+struct {
+ uint8_t src_addr[16];
+ uint8_t dst_addr[16];
+ uint16_t src_port;
+ uint16_t dst_port;
+} ip6;
+// for AF_UNIX sockets, len = 216 (PPv2_ADDR_LEN_UNIX)
+struct {
+ uint8_t src_addr[108];
+ uint8_t dst_addr[108];
+} unix;
+ } addr;
+};
+
/**
PROXY Protocol v1 Parser
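Review bot: Nothing pins the wire layout of `PPv2Hdr` even though its field order and sizes are meant to mirror the PROXY v2 header byte for byte; a `static_assert(offsetof(PPv2Hdr, addr) == 16, "PPv2Hdr must match the PROXY v2 wire layout");` after the struct would catch any toolchain that pads it differently. The `len` comment should also state the byte order the field arrives in, e.g. `uint16_t len; ///< number of following bytes part of the header, network byte order`. The `addr` union deserves a comment that it may be read only after `len` has been checked against both the family's expected size (`PPv2_ADDR_LEN_INET`/`PPv2_ADDR_LEN_INET6`) and the bytes actually received, since `PPv2_CONNECTION_HEADER_LEN_MIN` is dropped in this hunk and the parser that consumes the struct begins in the next hunk, which runs past the end of this excerpt. Naming the AF_UNIX member `unix` may collide with the `unix` macro that GCC predefines in its gnu++ dialects; a name such as `unix_sock` avoids the question.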
@@ -166,13 +208,100 @@ proxy_protocol_v1_parse(ProxyProtocol *pp_info,
ts::TextView hdr)
/**
PROXY Protocol v2 Parser
+ TODO: TLVs Support
+
@return read length
*/
size_t