nghttpx: Add proxyproto to frontend option to accept PROXY protocol

Previously, global accept-proxy-protocol option enables PROXY protocol support for all frontend listeners, but this was inflexible. To fix this issue, accept-proxy-protocol option is now deprecated, and instead proxyproto parameter in frontend option enables PROXY protocol support per frontend.
2017-01-03 12:47:03 +09:00 · 2017-01-03 12:47:03 +09:00 · b313386988
parent 3933280d29
commit b313386988
4 changed files with 15 additions and 3 deletions
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@ -1694,6 +1694,10 @@ Connections:
              default.  Any  requests which come through  this address
              are replied with 200 HTTP status, without no body.

+              To  accept   PROXY  protocol   version  1   on  frontend
+              connection,  specify  "proxyproto" parameter.   This  is
+              disabled by default.
+
              Default: *,3000
  --backlog=<N>
              Set listen backlog size.
@ -1718,8 +1722,6 @@ Connections:
              timeouts when connecting and  making CONNECT request can
              be     specified    by     --backend-read-timeout    and
              --backend-write-timeout options.
-  --accept-proxy-protocol
-              Accept PROXY protocol version 1 on frontend connection.

 Performance:
  -n, --workers=<N>
--- a/src/shrpx_client_handler.cc
+++ b/src/shrpx_client_handler.cc
@ -413,7 +413,8 @@ ClientHandler::ClientHandler(Worker *worker, int fd, SSL *ssl,

  auto config = get_config();

-  if (config->conn.upstream.accept_proxy_protocol) {
+  if (faddr_->accept_proxy_protocol ||
+      config->conn.upstream.accept_proxy_protocol) {
    read_ = &ClientHandler::read_clear;
    write_ = &ClientHandler::noop;
    on_read_ = &ClientHandler::proxy_protocol_read;
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@ -677,6 +677,7 @@ int parse_memcached_connection_params(MemcachedConnectionParams &out,
 struct UpstreamParams {
  int alt_mode;
  bool tls;
+  bool proxyproto;
 };

 namespace {
@ -705,6 +706,8 @@ int parse_upstream_params(UpstreamParams &out, const StringRef &src_params) {
        return -1;
      }
      out.alt_mode = ALTMODE_HEALTHMON;
+    } else if (util::strieq_l("proxyproto", param)) {
+      out.proxyproto = true;
    } else if (!param.empty()) {
      LOG(ERROR) << "frontend: " << param << ": unknown keyword";
      return -1;
@ -2091,6 +2094,7 @@ int parse_config(Config *config, int optid, const StringRef &opt,
    addr.fd = -1;
    addr.tls = params.tls;
    addr.alt_mode = params.alt_mode;
+    addr.accept_proxy_protocol = params.proxyproto;

    if (addr.alt_mode == ALTMODE_API) {
      apiconf.enabled = true;
@ -2883,6 +2887,8 @@ int parse_config(Config *config, int optid, const StringRef &opt,
 #endif // !HAVE_MRUBY
    return 0;
  case SHRPX_OPTID_ACCEPT_PROXY_PROTOCOL:
+    LOG(WARN) << opt << ": deprecated.  Use proxyproto keyword in "
+              << SHRPX_OPT_FRONTEND << " instead.";
    config->conn.upstream.accept_proxy_protocol = util::strieq_l("yes", optarg);

    return 0;
--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
@ -382,6 +382,8 @@ struct UpstreamAddr {
  bool host_unix;
  // true if TLS is enabled.
  bool tls;
+  // true if client is supposed to send PROXY protocol v1 header.
+  bool accept_proxy_protocol;
  int fd;
 };

@ -775,6 +777,7 @@ struct ConnectionConfig {
      RateLimitConfig write;
    } ratelimit;
    size_t worker_connections;
+    // Deprecated.  See UpstreamAddr.accept_proxy_protocol.
    bool accept_proxy_protocol;
  } upstream;