diff --git a/integration-tests/server_tester.go b/integration-tests/server_tester.go
index 69de18a7..27cc01f8 100644
--- a/integration-tests/server_tester.go
+++ b/integration-tests/server_tester.go
@@ -103,6 +103,7 @@ func newServerTesterInternal(src_args []string, t *testing.T, handler http.Handl
backendTLS := false
dns := false
externalDNS := false
+ acceptProxyProtocol := false
for _, k := range src_args {
switch k {
case "--http2-bridge":
@@ -112,6 +113,8 @@ func newServerTesterInternal(src_args []string, t *testing.T, handler http.Handl
case "--external-dns":
dns = true
externalDNS = true
+ case "--accept-proxy-protocol":
+ acceptProxyProtocol = true
default:
args = append(args, k)
}
@@ -160,12 +163,17 @@ func newServerTesterInternal(src_args []string, t *testing.T, handler http.Handl
b += ";dns"
}
- noTLS := "no-tls"
+ noTLS := ";no-tls"
if frontendTLS {
noTLS = ""
}
- args = append(args, fmt.Sprintf("-f127.0.0.1,%v;%v", serverPort, noTLS), b,
+ var proxyProto string
+ if acceptProxyProtocol {
+ proxyProto = ";proxyproto"
+ }
+
+ args = append(args, fmt.Sprintf("-f127.0.0.1,%v%v%v", serverPort, noTLS, proxyProto), b,
"--errorlog-file="+logDir+"/log.txt", "-LINFO")
authority := fmt.Sprintf("127.0.0.1:%v", connectPort)
diff --git a/src/shrpx.cc b/src/shrpx.cc
index cddbeb51..a3b9bab7 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -1694,6 +1694,10 @@ Connections:
default. Any requests which come through this address are replied with 200 HTTP status, without no body.
+ To accept PROXY protocol version 1 on frontend
+ connection, specify "proxyproto" parameter. This is
+ disabled by default.
+
Default: *,3000 --backlog= Set listen backlog size.
@@ -1718,8 +1722,6 @@ Connections:
timeouts when connecting and making CONNECT request can be specified by --backend-read-timeout and --backend-write-timeout options.
- --accept-proxy-protocol
- Accept PROXY protocol version 1 on frontend connection.
Performance: -n, --workers=
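Review bot: The new `case "--accept-proxy-protocol":` branch consumes the flag instead of appending it to `args`, so after this change no integration test passes the deprecated option to the server; every caller is rerouted to the `;proxyproto` frontend keyword. The same commit keeps the old option working in `parse_config` and ORs it into the `ClientHandler` check, which leaves that legacy path without coverage. Keep one test that forwards the real option, or document the mapping on the branch: `// harness-only: rewritten to the "proxyproto" frontend keyword, never forwarded to the server`. `newServerTesterInternal` begins and ends outside these hunks.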
diff --git a/src/shrpx_client_handler.cc b/src/shrpx_client_handler.cc
index 33b53c1b..1280d452 100644
--- a/src/shrpx_client_handler.cc
+++ b/src/shrpx_client_handler.cc
@@ -413,7 +413,8 @@ ClientHandler::ClientHandler(Worker *worker, int fd, SSL *ssl,
auto config = get_config();
- if (config->conn.upstream.accept_proxy_protocol) {
+ if (faddr_->accept_proxy_protocol ||
+ config->conn.upstream.accept_proxy_protocol) {
read_ = &ClientHandler::read_clear;
write_ = &ClientHandler::noop;
on_read_ = &ClientHandler::proxy_protocol_read;
diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc
index 56aeaf5f..eb786e84 100644
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@@ -677,6 +677,7 @@ int parse_memcached_connection_params(MemcachedConnectionParams &out,
struct UpstreamParams {
int alt_mode;
bool tls;
+ bool proxyproto;
};
namespace {
@@ -705,6 +706,8 @@ int parse_upstream_params(UpstreamParams &out, const StringRef &src_params) {
return -1;
}
out.alt_mode = ALTMODE_HEALTHMON;
+ } else if (util::strieq_l("proxyproto", param)) {
+ out.proxyproto = true;
} else if (!param.empty()) {
LOG(ERROR) << "frontend: " << param << ": unknown keyword";
return -1;
@@ -2091,6 +2094,7 @@ int parse_config(Config *config, int optid, const StringRef &opt,
addr.fd = -1;
addr.tls = params.tls;
addr.alt_mode = params.alt_mode;
+ addr.accept_proxy_protocol = params.proxyproto;
if (addr.alt_mode == ALTMODE_API) {
apiconf.enabled = true;
@@ -2883,6 +2887,8 @@ int parse_config(Config *config, int optid, const StringRef &opt,
#endif // !HAVE_MRUBY
return 0;
case SHRPX_OPTID_ACCEPT_PROXY_PROTOCOL:
+ LOG(WARN) << opt << ": deprecated. Use proxyproto keyword in "
+ << SHRPX_OPT_FRONTEND << " instead.";
config->conn.upstream.accept_proxy_protocol = util::strieq_l("yes", optarg);
return 0;
diff --git a/src/shrpx_config.h b/src/shrpx_config.h
index 272e7e40..594c2342 100644
--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
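Review bot: The OR with `config->conn.upstream.accept_proxy_protocol` keeps the deprecated global switch applying to every listener, so a frontend that never asked for `proxyproto` still takes this branch whenever the old option is set. A PROXY v1 header is unauthenticated text written by whoever connects, so which listeners accept it decides who can assert a client address (what `proxy_protocol_read` does with the header is outside the hunk). I would add a comment above the condition, `// Legacy global option still enables PROXY v1 on all frontends; prefer the per-address flag.`, and have the frontend help text in src/shrpx.cc state that `proxyproto` belongs only on listeners reachable solely from the trusted proxy. The constructor body continues outside the hunk.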
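Review bot: `out.proxyproto` is only ever set to `true` in `parse_upstream_params`, so the value copied by `addr.accept_proxy_protocol = params.proxyproto` for a frontend without the keyword depends on how `params` is initialised in `parse_config`, which is outside these hunks. If that declaration is not value-initialised, the flag is indeterminate and PROXY parsing could switch on for a listener that never requested it. A default member initialiser removes the dependency, `bool proxyproto = false;`, and the same applies to the new `UpstreamAddr::accept_proxy_protocol` in src/shrpx_config.h, which `ClientHandler` reads in its constructor: any construction site not shown in this diff has to set it.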
@@ -382,6 +382,8 @@ struct UpstreamAddr {
bool host_unix;
// true if TLS is enabled.
bool tls;
+ // true if client is supposed to send PROXY protocol v1 header.
+ bool accept_proxy_protocol;
int fd;
};
@@ -775,6 +777,7 @@ struct ConnectionConfig {
RateLimitConfig write;
} ratelimit;
size_t worker_connections;
+ // Deprecated. See UpstreamAddr.accept_proxy_protocol.
bool accept_proxy_protocol;
} upstream;