In message <[email protected]>, Lasse Karstensen writes:

>1. Extend the -a startup argument with a protocol definition:

We may be facing the same kind of issue with HTTP/2.0 but my best
idea so far was:

        -a :80+http1+http2

>    varnishd -a [email protected]:80 -f /etc/varnish/foo.vcl
>    varnishd -a [email protected]:80 -f /etc/varnish/foo.vcl

<rant>
I wish people would learn to name things sensibly.  Calling a protocol
"proxy" is a recipe for confusion
</rant>

>Per the specification any connection not sending a proxy header to such a
>socket should be a hard error.

Yes, I noticed that too, and that sort of made me lean towards allocating
a specific command line argument (-p ?)

>It might be necessary to filter what clients are allowed to connect to this
>socket [...]

I don't think that is really our job, but see below.

>2. VCL interface
>
>In VCL we now have client.ip, server.ip and server.port available. These
>are now (as I understand it) picked directly from the socket endpoints.

I've been thinking about something like this:

        remote.ip       // [IP] Other end of TCP connection
        remote.port     // [INT] Our socket's peer-address

        local.ip        // [IP] Own end of the TCP connection
        local.port      // [INT] Socket's local address


        client.ip       // [IP] Which IP the client connected to our end from.
                        // if proto == PROXY
                        //      set from PROXY.hdr
                        // else
                        //      set from remote.ip

        server.ip       // [IP] Which IP the client connected to in our end.
        server.port     // [INT]
                        // if proto == PROXY
                        //      set from PROXY.hdr
                        // else
                        //      set from our.*

        client.identity // Best case ultimate client identity
                        // if X-F-F:
                        //      set from X-F-F
                        // else
                        //      set from client.ip

I'm somewhat tempted to make client.identity a STRING, rather than
an IP, to make it clear to people that running it through an ACL
is a bad idea.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
[email protected]         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
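The variable semantics sketched in the message (socket endpoints vs. values taken from the PROXY header, the hard error on a PROXY socket that gets no header, and client.identity as a plain string) as an added, stand-alone example; it is not Varnish code and not part of the thread. It assumes the human-readable PROXY protocol v1 line format ("PROXY TCP4 src dst sport dport\r\n") and constructed sample addresses; taking the leftmost X-Forwarded-For element is this example's choice, not something the message specifies.

```python
import ipaddress

def parse_proxy_v1(line):
    """Parse a PROXY protocol v1 line, e.g. b'PROXY TCP4 1.2.3.4 5.6.7.8 1234 80\\r\\n'.

    Returns (src_ip, dst_ip, src_port, dst_port). Anything that is not a
    well-formed header is a hard error, as the thread says it should be.
    """
    if len(line) > 107 or not line.startswith(b"PROXY ") or not line.endswith(b"\r\n"):
        raise ValueError("hard error: no valid PROXY header on a PROXY socket")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("hard error: unsupported PROXY protocol family")
    want = 4 if parts[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    sport, dport = int(parts[4]), int(parts[5])
    if src.version != want or dst.version != want \
            or not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("hard error: PROXY header fields inconsistent")
    return str(src), str(dst), sport, dport

def derive_vars(remote, local, proto, proxy_line=None, xff=None):
    """Build the variable set sketched in the message.

    remote/local are (ip, port) of the TCP socket's peer and own end;
    proto is "PROXY" or "HTTP"; xff is the X-Forwarded-For value, if any.
    """
    v = {"remote.ip": remote[0], "remote.port": remote[1],
         "local.ip": local[0], "local.port": local[1]}
    if proto == "PROXY":
        # Per the spec, a client on a PROXY socket that sends no header is
        # rejected outright rather than silently treated as a plain client.
        if proxy_line is None:
            raise ValueError("hard error: PROXY socket, but client sent no header")
        src_ip, dst_ip, _sport, dport = parse_proxy_v1(proxy_line)
        v["client.ip"], v["server.ip"], v["server.port"] = src_ip, dst_ip, dport
    else:
        # No PROXY header: client.* and server.* are just the socket endpoints.
        v["client.ip"], v["server.ip"], v["server.port"] = remote[0], local[0], local[1]
    # client.identity is a STRING on purpose: X-Forwarded-For is text under the
    # sender's control, so it should never be run through an ACL. Using the
    # leftmost element is this example's assumption, not the thread's.
    v["client.identity"] = xff.split(",")[0].strip() if xff else v["client.ip"]
    return v
```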

_______________________________________________
varnish-dev mailing list
[email protected]
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev