projects / openwrt / svn-archive / archive.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
package: haproxy
[openwrt/svn-archive/archive.git] / net / haproxy / patches / 001-haproxy-1.4.x-sendproxy.patch
1 Index: haproxy-1.4.19/doc/configuration.txt
2 ===================================================================
3 --- haproxy-1.4.19.orig/doc/configuration.txt
4 +++ haproxy-1.4.19/doc/configuration.txt
5 @@ -1337,6 +1337,7 @@ bind [<address>]:<port_range> [, ...] tr
6 bind [<address>]:<port_range> [, ...] id <id>
7 bind [<address>]:<port_range> [, ...] name <name>
8 bind [<address>]:<port_range> [, ...] defer-accept
9 +bind [<address>]:<port_range> [, ...] accept-proxy
10 Define one or several listening addresses and/or ports in a frontend.
11 May be used in sections : defaults | frontend | listen | backend
12 no | yes | yes | no
13 @@ -1417,6 +1418,19 @@ bind [<address>]:<port_range> [, ...] de
14 with front firewalls which would see an established
15 connection while the proxy will only see it in SYN_RECV.
16
17 + accept-proxy is an optional keyword which enforces use of the PROXY
18 + protocol over any connection accepted by this listener. The
19 + PROXY protocol dictates the layer 3/4 addresses of the
20 + incoming connection to be used everywhere an address is used,
21 + with the only exception of "tcp-request connection" rules
22 + which will only see the real connection address. Logs will
23 + reflect the addresses indicated in the protocol, unless it is
24 + violated, in which case the real address will still be used.
25 + This keyword combined with support from external components
26 + can be used as an efficient and reliable alternative to the
27 + X-Forwarded-For mechanism which is not always reliable and
28 + not even always usable.
29 +
30 It is possible to specify a list of address:port combinations delimited by
31 commas. The frontend will then listen on all of these addresses. There is no
32 fixed limit to the number of addresses and ports which can be listened on in
33 @@ -1427,8 +1441,10 @@ bind [<address>]:<port_range> [, ...] de
34 listen http_proxy
35 bind :80,:443
36 bind 10.0.0.1:10080,10.0.0.1:10443
37 + bind 127.0.0.1:8443 accept-proxy
38
39 - See also : "source".
40 + See also : "source", "option forwardfor" and the PROXY protocol
41 + documentation.
42
43
44 bind-process [ all | odd | even | <number 1-32> ] ...
45 @@ -7215,7 +7231,9 @@ marked with a star ('*') after the field
46
47 Detailed fields description :
48 - "client_ip" is the IP address of the client which initiated the TCP
49 - connection to haproxy.
50 + connection to haproxy. Note that when the connection is accepted on a
51 + socket configured with "accept-proxy" and the PROXY protocol is correctly
52 + used, then the logs will reflect the forwarded connection's information.
53
54 - "client_port" is the TCP port of the client which initiated the connection.
55
56 @@ -7388,7 +7406,9 @@ with a star ('*') after the field name b
57
58 Detailed fields description :
59 - "client_ip" is the IP address of the client which initiated the TCP
60 - connection to haproxy.
61 + connection to haproxy. Note that when the connection is accepted on a
62 + socket configured with "accept-proxy" and the PROXY protocol is correctly
63 + used, then the logs will reflect the forwarded connection's information.
64
65 - "client_port" is the TCP port of the client which initiated the connection.
66
67 Index: haproxy-1.4.19/include/common/standard.h
68 ===================================================================
69 --- haproxy-1.4.19.orig/include/common/standard.h
70 +++ haproxy-1.4.19/include/common/standard.h
71 @@ -269,6 +269,28 @@ static inline unsigned int __strl2uic(co
72 return i;
73 }
74
75 +/* This function reads an unsigned integer from the string pointed to by <s>
76 + * and returns it. The <s> pointer is adjusted to point to the first unread
77 + * char. The function automatically stops at <end>.
78 + */
79 +static inline unsigned int __read_uint(const char **s, const char *end)
80 +{
81 + const char *ptr = *s;
82 + unsigned int i = 0;
83 + unsigned int j, k;
84 +
85 + while (ptr < end) {
86 + j = *ptr - '0';
87 + k = i * 10;
88 + if (j > 9)
89 + break;
90 + i = k + j;
91 + ptr++;
92 + }
93 + *s = ptr;
94 + return i;
95 +}
96 +
97 extern unsigned int str2ui(const char *s);
98 extern unsigned int str2uic(const char *s);
99 extern unsigned int strl2ui(const char *s, int len);
100 @@ -276,6 +298,7 @@ extern unsigned int strl2uic(const char
101 extern int strl2ic(const char *s, int len);
102 extern int strl2irc(const char *s, int len, int *ret);
103 extern int strl2llrc(const char *s, int len, long long *ret);
104 +extern unsigned int read_uint(const char **s, const char *end);
105 unsigned int inetaddr_host(const char *text);
106 unsigned int inetaddr_host_lim(const char *text, const char *stop);
107 unsigned int inetaddr_host_lim_ret(const char *text, char *stop, const char **ret);
108 Index: haproxy-1.4.19/include/proto/client.h
109 ===================================================================
110 --- haproxy-1.4.19.orig/include/proto/client.h
111 +++ haproxy-1.4.19/include/proto/client.h
112 @@ -25,6 +25,7 @@
113 #include <common/config.h>
114 #include <types/session.h>
115
116 +int frontend_decode_proxy_request(struct session *s, struct buffer *req, int an_bit);
117 void get_frt_addr(struct session *s);
118 int event_accept(int fd);
119
120 Index: haproxy-1.4.19/include/types/buffers.h
121 ===================================================================
122 --- haproxy-1.4.19.orig/include/types/buffers.h
123 +++ haproxy-1.4.19/include/types/buffers.h
124 @@ -135,16 +135,16 @@
125 * The field is blanked by buffer_init() and only by analysers themselves
126 * afterwards.
127 */
128 -#define AN_REQ_INSPECT 0x00000001 /* inspect request contents */
129 -#define AN_REQ_WAIT_HTTP 0x00000002 /* wait for an HTTP request */
130 -#define AN_REQ_HTTP_PROCESS_FE 0x00000004 /* process the frontend's HTTP part */
131 -#define AN_REQ_SWITCHING_RULES 0x00000008 /* apply the switching rules */
132 -#define AN_REQ_HTTP_PROCESS_BE 0x00000010 /* process the backend's HTTP part */
133 -#define AN_REQ_HTTP_INNER 0x00000020 /* inner processing of HTTP request */
134 -#define AN_REQ_HTTP_TARPIT 0x00000040 /* wait for end of HTTP tarpit */
135 -#define AN_REQ_HTTP_BODY 0x00000080 /* inspect HTTP request body */
136 -#define AN_REQ_STICKING_RULES 0x00000100 /* table persistence matching */
137 -/* unused: 0x200 */
138 +#define AN_REQ_DECODE_PROXY 0x00000001 /* take the proxied address from a 'PROXY' line */
139 +#define AN_REQ_INSPECT 0x00000002 /* inspect request contents */
140 +#define AN_REQ_WAIT_HTTP 0x00000004 /* wait for an HTTP request */
141 +#define AN_REQ_HTTP_PROCESS_FE 0x00000008 /* process the frontend's HTTP part */
142 +#define AN_REQ_SWITCHING_RULES 0x00000010 /* apply the switching rules */
143 +#define AN_REQ_HTTP_PROCESS_BE 0x00000020 /* process the backend's HTTP part */
144 +#define AN_REQ_HTTP_INNER 0x00000040 /* inner processing of HTTP request */
145 +#define AN_REQ_HTTP_TARPIT 0x00000080 /* wait for end of HTTP tarpit */
146 +#define AN_REQ_HTTP_BODY 0x00000100 /* inspect HTTP request body */
147 +#define AN_REQ_STICKING_RULES 0x00000200 /* table persistence matching */
148 #define AN_REQ_PRST_RDP_COOKIE 0x00000400 /* persistence on rdp cookie */
149 #define AN_REQ_HTTP_XFER_BODY 0x00000800 /* forward request body */
150
151 Index: haproxy-1.4.19/include/types/protocols.h
152 ===================================================================
153 --- haproxy-1.4.19.orig/include/types/protocols.h
154 +++ haproxy-1.4.19/include/types/protocols.h
155 @@ -72,6 +72,7 @@
156 #define LI_O_FOREIGN 0x0002 /* permit listening on foreing addresses */
157 #define LI_O_NOQUICKACK 0x0004 /* disable quick ack of immediate data (linux) */
158 #define LI_O_DEF_ACCEPT 0x0008 /* wait up to 1 second for data before accepting */
159 +#define LI_O_ACC_PROXY 0x0010 /* find the proxied address in the first request line */
160
161 /* The listener will be directly referenced by the fdtab[] which holds its
162 * socket. The listener provides the protocol-specific accept() function to
163 Index: haproxy-1.4.19/src/cfgparse.c
164 ===================================================================
165 --- haproxy-1.4.19.orig/src/cfgparse.c
166 +++ haproxy-1.4.19/src/cfgparse.c
167 @@ -1464,6 +1464,16 @@ int cfg_parse_listen(const char *file, i
168 #endif
169 }
170
171 + if (!strcmp(args[cur_arg], "accept-proxy")) { /* expect a 'PROXY' line first */
172 + struct listener *l;
173 +
174 + for (l = curproxy->listen; l != last_listen; l = l->next)
175 + l->options |= LI_O_ACC_PROXY;
176 +
177 + cur_arg ++;
178 + continue;
179 + }
180 +
181 if (!strcmp(args[cur_arg], "name")) {
182 struct listener *l;
183
184 @@ -1516,7 +1526,7 @@ int cfg_parse_listen(const char *file, i
185 continue;
186 }
187
188 - Alert("parsing [%s:%d] : '%s' only supports the 'transparent', 'defer-accept', 'name', 'id', 'mss' and 'interface' options.\n",
189 + Alert("parsing [%s:%d] : '%s' only supports the 'transparent', 'accept-proxy', 'defer-accept', 'name', 'id', 'mss' and 'interface' options.\n",
190 file, linenum, args[0]);
191 err_code |= ERR_ALERT | ERR_FATAL;
192 goto out;
193 @@ -5702,6 +5712,9 @@ out_uri_auth_compat:
194 listener->handler = process_session;
195 listener->analysers |= curproxy->fe_req_ana;
196
197 + if (listener->options & LI_O_ACC_PROXY)
198 + listener->analysers |= AN_REQ_DECODE_PROXY;
199 +
200 /* smart accept mode is automatic in HTTP mode */
201 if ((curproxy->options2 & PR_O2_SMARTACC) ||
202 (curproxy->mode == PR_MODE_HTTP &&
203 Index: haproxy-1.4.19/src/client.c
204 ===================================================================
205 --- haproxy-1.4.19.orig/src/client.c
206 +++ haproxy-1.4.19/src/client.c
207 @@ -22,6 +22,7 @@
208
209 #include <common/compat.h>
210 #include <common/config.h>
211 +#include <common/debug.h>
212 #include <common/time.h>
213
214 #include <types/global.h>
215 @@ -43,6 +44,191 @@
216 #include <proto/task.h>
217
218
219 +/* This analyser tries to fetch a line from the request buffer which looks like :
220 + *
221 + * "PROXY" <SP> PROTO <SP> SRC3 <SP> DST3 <SP> SRC4 <SP> <DST4> "\r\n"
222 + *
223 + * There must be exactly one space between each field. Fields are :
224 + * - PROTO : layer 4 protocol, which must be "TCP4" or "TCP6".
225 + * - SRC3 : layer 3 (eg: IP) source address in standard text form
226 + * - DST3 : layer 3 (eg: IP) destination address in standard text form
227 + * - SRC4 : layer 4 (eg: TCP port) source address in standard text form
228 + * - DST4 : layer 4 (eg: TCP port) destination address in standard text form
229 + *
230 + * This line MUST be at the beginning of the buffer and MUST NOT wrap.
231 + *
232 + * Once the data is fetched, the values are set in the session's field and data
233 + * are removed from the buffer. The function returns zero if it needs to wait
234 + * for more data (max: timeout_client), or 1 if it has finished and removed itself.
235 + */
236 +int frontend_decode_proxy_request(struct session *s, struct buffer *req, int an_bit)
237 +{
238 + char *line = req->data;
239 + char *end = req->data + req->l;
240 + int len;
241 +
242 + DPRINTF(stderr,"[%u] %s: session=%p b=%p, exp(r,w)=%u,%u bf=%08x bl=%d analysers=%02x\n",
243 + now_ms, __FUNCTION__,
244 + s,
245 + req,
246 + req->rex, req->wex,
247 + req->flags,
248 + req->l,
249 + req->analysers);
250 +
251 + if (req->flags & (BF_READ_ERROR|BF_READ_TIMEOUT))
252 + goto fail;
253 +
254 + len = MIN(req->l, 6);
255 + if (!len)
256 + goto missing;
257 +
258 + /* Decode a possible proxy request, fail early if it does not match */
259 + if (strncmp(line, "PROXY ", len) != 0)
260 + goto fail;
261 +
262 + line += 6;
263 + if (req->l < 18) /* shortest possible line */
264 + goto missing;
265 +
266 + if (!memcmp(line, "TCP4 ", 5) != 0) {
267 + u32 src3, dst3, sport, dport;
268 +
269 + line += 5;
270 +
271 + src3 = inetaddr_host_lim_ret(line, end, &line);
272 + if (line == end)
273 + goto missing;
274 + if (*line++ != ' ')
275 + goto fail;
276 +
277 + dst3 = inetaddr_host_lim_ret(line, end, &line);
278 + if (line == end)
279 + goto missing;
280 + if (*line++ != ' ')
281 + goto fail;
282 +
283 + sport = read_uint((const char **)&line, end);
284 + if (line == end)
285 + goto missing;
286 + if (*line++ != ' ')
287 + goto fail;
288 +
289 + dport = read_uint((const char **)&line, end);
290 + if (line > end - 2)
291 + goto missing;
292 + if (*line++ != '\r')
293 + goto fail;
294 + if (*line++ != '\n')
295 + goto fail;
296 +
297 + /* update the session's addresses and mark them set */
298 + ((struct sockaddr_in *)&s->cli_addr)->sin_family = AF_INET;
299 + ((struct sockaddr_in *)&s->cli_addr)->sin_addr.s_addr = htonl(src3);
300 + ((struct sockaddr_in *)&s->cli_addr)->sin_port = htons(sport);
301 +
302 + ((struct sockaddr_in *)&s->frt_addr)->sin_family = AF_INET;
303 + ((struct sockaddr_in *)&s->frt_addr)->sin_addr.s_addr = htonl(dst3);
304 + ((struct sockaddr_in *)&s->frt_addr)->sin_port = htons(dport);
305 + s->flags |= SN_FRT_ADDR_SET;
306 +
307 + }
308 + else if (!memcmp(line, "TCP6 ", 5) != 0) {
309 + u32 sport, dport;
310 + char *src_s;
311 + char *dst_s, *sport_s, *dport_s;
312 + struct in6_addr src3, dst3;
313 +
314 + line+=5;
315 +
316 + src_s = line;
317 + dst_s = sport_s = dport_s = NULL;
318 + while (1) {
319 + if (line > end - 2) {
320 + goto missing;
321 + }
322 + else if (*line == '\r') {
323 + *line = 0;
324 + line++;
325 + if (*line++ != '\n')
326 + goto fail;
327 + break;
328 + }
329 +
330 + if (*line == ' ') {
331 + *line = 0;
332 + if (!dst_s)
333 + dst_s = line+1;
334 + else if (!sport_s)
335 + sport_s = line+1;
336 + else if (!dport_s)
337 + dport_s = line+1;
338 + }
339 + line++;
340 + }
341 +
342 + if (!dst_s || !sport_s || !dport_s)
343 + goto fail;
344 +
345 + sport = read_uint((const char **)&sport_s,dport_s-1);
346 + if ( *sport_s != 0 )
347 + goto fail;
348 +
349 + dport = read_uint((const char **)&dport_s,line-2);
350 + if ( *dport_s != 0 )
351 + goto fail;
352 +
353 + if (inet_pton(AF_INET6, src_s, (void *)&src3) != 1)
354 + goto fail;
355 +
356 + if (inet_pton(AF_INET6, dst_s, (void *)&dst3) != 1)
357 + goto fail;
358 +
359 + /* update the session's addresses and mark them set */
360 + ((struct sockaddr_in6 *)&s->cli_addr)->sin6_family = AF_INET6;
361 + memcpy(&((struct sockaddr_in6 *)&s->cli_addr)->sin6_addr, &src3, sizeof(struct in6_addr));
362 + ((struct sockaddr_in6 *)&s->cli_addr)->sin6_port = htons(sport);
363 +
364 + ((struct sockaddr_in6 *)&s->frt_addr)->sin6_family = AF_INET6;
365 + memcpy(&((struct sockaddr_in6 *)&s->frt_addr)->sin6_addr, &dst3, sizeof(struct in6_addr));
366 + ((struct sockaddr_in6 *)&s->frt_addr)->sin6_port = htons(dport);
367 + s->flags |= SN_FRT_ADDR_SET;
368 + }
369 + else {
370 + goto fail;
371 + }
372 +
373 + /* remove the PROXY line from the request */
374 + len = line - req->data;
375 + buffer_replace2(req, req->data, line, NULL, 0);
376 + req->total -= len; /* don't count the header line */
377 +
378 + req->analysers &= ~an_bit;
379 + return 1;
380 +
381 + missing:
382 + if (!(req->flags & (BF_SHUTR|BF_FULL))) {
383 + buffer_dont_connect(s->req);
384 + return 0;
385 + }
386 + /* missing data and buffer is either full or shutdown => fail */
387 +
388 + fail:
389 + buffer_abort(req);
390 + buffer_abort(s->rep);
391 + req->analysers = 0;
392 +
393 + s->fe->counters.failed_req++;
394 + if (s->listener->counters)
395 + s->listener->counters->failed_req++;
396 +
397 + if (!(s->flags & SN_ERR_MASK))
398 + s->flags |= SN_ERR_PRXCOND;
399 + if (!(s->flags & SN_FINST_MASK))
400 + s->flags |= SN_FINST_R;
401 + return 0;
402 +}
403 +
404 /* Retrieves the original destination address used by the client, and sets the
405 * SN_FRT_ADDR_SET flag.
406 */
407 Index: haproxy-1.4.19/src/proto_http.c
408 ===================================================================
409 --- haproxy-1.4.19.orig/src/proto_http.c
410 +++ haproxy-1.4.19/src/proto_http.c
411 @@ -4028,7 +4028,8 @@ void http_end_txn_clean_session(struct s
412 if (s->rep->lr >= s->rep->data + s->rep->size)
413 s->rep->lr -= s->req->size;
414
415 - s->req->analysers |= s->fe->fe_req_ana;
416 + s->req->analysers = s->fe->fe_req_ana;
417 + s->req->analysers &= ~AN_REQ_DECODE_PROXY;
418 s->rep->analysers = 0;
419
420 http_silent_debug(__LINE__, s);
421 @@ -7553,7 +7554,6 @@ void http_reset_txn(struct session *s)
422 http_init_txn(s);
423
424 s->be = s->fe;
425 - s->req->analysers = s->listener->analysers;
426 s->logs.logwait = s->fe->to_log;
427 s->srv = s->prev_srv = s->srv_conn = NULL;
428 /* re-init store persistence */
429 Index: haproxy-1.4.19/src/session.c
430 ===================================================================
431 --- haproxy-1.4.19.orig/src/session.c
432 +++ haproxy-1.4.19/src/session.c
433 @@ -1055,6 +1055,12 @@ resync_stream_interface:
434 while (ana_list && max_loops--) {
435 /* Warning! ensure that analysers are always placed in ascending order! */
436
437 + if (ana_list & AN_REQ_DECODE_PROXY) {
438 + if (!frontend_decode_proxy_request(s, s->req, AN_REQ_DECODE_PROXY))
439 + break;
440 + UPDATE_ANALYSERS(s->req->analysers, ana_list, ana_back, AN_REQ_DECODE_PROXY);
441 + }
442 +
443 if (ana_list & AN_REQ_INSPECT) {
444 if (!tcp_inspect_request(s, s->req, AN_REQ_INSPECT))
445 break;
446 Index: haproxy-1.4.19/src/standard.c
447 ===================================================================
448 --- haproxy-1.4.19.orig/src/standard.c
449 +++ haproxy-1.4.19/src/standard.c
450 @@ -569,6 +569,11 @@ unsigned int strl2uic(const char *s, int
451 return __strl2uic(s, len);
452 }
453
454 +unsigned int read_uint(const char **s, const char *end)
455 +{
456 + return __read_uint(s, end);
457 +}
458 +
459 /* This one is 7 times faster than strtol() on athlon with checks.
460 * It returns the value of the number composed of all valid digits read,
461 * and can process negative numbers too.
OpenWrt SVN history