Add support for HA PROXY v1 #22

cfcs · 2016-02-03T21:26:14Z

Resolves #6

This commit adds a flag (--haproxy1) which causes tlstunnel to send
connection details to the destination upon connection.

This is useful if running nginx, Varnish or similar behind tlstunnel in order
to obtain the IP of the client.

Example of a TCP/IPv4 connection from 127.0.0.1:39837 to 127.0.0.1:4433:

PROXY TCP4 127.0.0.1 127.0.0.1 39837 4433

Relevant nginx documentation on how to use the PROXY protocol: https://www.nginx.com/resources/admin-guide/proxy-protocol/

hannesm · 2016-02-03T23:17:42Z

this looks great, thanks... I'll merge tomorrow after I tried it somehow

hannesm · 2016-02-03T23:30:52Z

tlstunnel.ml

+ (* basically it looks like:
+ * PROXY TCP4 SOURCEIP DESTIP SRCPORT DESTPORT\r\n *)
+ let own_sockaddr = getsockname socket in
+ let peer_sockaddr = getpeername socket in


they should both be Unix.getXname...

Resolves hannesm#6 This commit adds a flag (`--haproxy1`) which causes tlstunnel to send connection details to the destination upon connection. This is useful if running `nginx`, `Varnish` or similar behind `tlstunnel` in order to obtain the IP of the client. Example of a TCP/IPv4 connection from 127.0.0.1:39837 to 127.0.0.1:4433: ``` PROXY TCP4 127.0.0.1 127.0.0.1 39837 4433 ``` Relevant `nginx` documentation on how to use the PROXY protocol: https://www.nginx.com/resources/admin-guide/proxy-protocol/

cfcs · 2016-02-04T00:28:30Z

Example usage for testing:

Run tlstunnel:

user@localhost:~/tlsping (master)$ ../tlstunnel/tlstunnel.native --cert proxy.public.certificate --key proxy.secret.key --haproxy1
[2016-02-04T00:22:33Z] listener started on 0.0.0.0:4433, forwarding to 127.0.0.1:8080
[2016-02-04T00:22:52Z] 127.0.0.1:54508: connection established (TLS version 1.2, TLS_DHE_RSA_WITH_AES_256_CCM)

netcat listener:

user@localhost:~$ nc -v -l -p 8080
listening on [any] 8080 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 50062
PROXY TCP4 127.0.0.1 127.0.0.1 54508 4433

connect using tlsclient:

user@localhost:~/tlsclient $ ./tlsclient.native localhost:4433

Add support for HA PROXY v1

avsm · 2016-02-04T11:28:40Z

tlstunnel.ml

+ let header = String.concat " "
+ [ "PROXY" ; protocol_string ; peer_addr ; own_addr ; peer_port ; own_port ]
+ in
+ header ^ "\r\n"


this could be folded into the above String.concat

Can you give an example?

you could:

String.concat " " [ "PROXY" ; protocol_string ; peer_addr ; own_addr ; peer_port ; own_port ^ "\r\n" ]

I'm undecided which is more readable...

Ah, right.
I'm fine with both, feel free to change it.

cfcs force-pushed the haproxy1 branch from 7726a04 to c3e6ed6 Compare February 3, 2016 21:30

cfcs mentioned this pull request Feb 3, 2016

HAProxy PROXY command #6

Closed

hannesm reviewed Feb 3, 2016
View reviewed changes

cfcs force-pushed the haproxy1 branch from e79cffa to b33ad99 Compare February 4, 2016 00:21

hannesm added a commit that referenced this pull request Feb 4, 2016

Merge pull request #22 from cfcs/haproxy1

85abd27

Add support for HA PROXY v1

hannesm merged commit 85abd27 into hannesm:master Feb 4, 2016

cfcs deleted the haproxy1 branch February 4, 2016 10:56

avsm reviewed Feb 4, 2016
View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for HA PROXY v1 #22

Add support for HA PROXY v1 #22

cfcs commented Feb 3, 2016

hannesm commented Feb 3, 2016

hannesm Feb 3, 2016

cfcs commented Feb 4, 2016

avsm Feb 4, 2016

cfcs Feb 4, 2016

hannesm Feb 4, 2016

cfcs Feb 4, 2016

Add support for HA PROXY v1 #22

Add support for HA PROXY v1 #22

Conversation

cfcs commented Feb 3, 2016

hannesm commented Feb 3, 2016

hannesm Feb 3, 2016

Choose a reason for hiding this comment

cfcs commented Feb 4, 2016

avsm Feb 4, 2016

Choose a reason for hiding this comment

cfcs Feb 4, 2016

Choose a reason for hiding this comment

hannesm Feb 4, 2016

Choose a reason for hiding this comment

cfcs Feb 4, 2016

Choose a reason for hiding this comment