From b313386988c56870cbdd86b2cc31cd9448c18290 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Tue, 3 Jan 2017 12:47:03 +0900
Subject: [PATCH] nghttpx: Add proxyproto to frontend option to accept PROXY protocol

Previously, global accept-proxy-protocol option enables PROXY protocol support for all frontend listeners, but this was inflexible. To fix this issue, accept-proxy-protocol option is now deprecated, and instead proxyproto parameter in frontend option enables PROXY protocol support per frontend.
---
 src/shrpx.cc | 6 ++++--
 src/shrpx_client_handler.cc | 3 ++-
 src/shrpx_config.cc | 6 ++++++
 src/shrpx_config.h | 3 +++
 4 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/shrpx.cc b/src/shrpx.cc
index cddbeb51..a3b9bab7 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -1694,6 +1694,10 @@ Connections:
 default. Any requests which come through this address are replied with 200 HTTP status, without no body.
+ To accept PROXY protocol version 1 on frontend
+ connection, specify "proxyproto" parameter. This is
+ disabled by default.
+
 Default: *,3000
 --backlog=
 Set listen backlog size.
@@ -1718,8 +1722,6 @@ Connections:
 timeouts when connecting and making CONNECT request can be specified by --backend-read-timeout and --backend-write-timeout options.
- --accept-proxy-protocol
- Accept PROXY protocol version 1 on frontend connection.
 Performance:
 -n, --workers=
diff --git a/src/shrpx_client_handler.cc b/src/shrpx_client_handler.cc
index 33b53c1b..1280d452 100644
--- a/src/shrpx_client_handler.cc
+++ b/src/shrpx_client_handler.cc
@@ -413,7 +413,8 @@ ClientHandler::ClientHandler(Worker *worker, int fd, SSL *ssl,
 auto config = get_config();
- if (config->conn.upstream.accept_proxy_protocol) {
+ if (faddr_->accept_proxy_protocol ||
+ config->conn.upstream.accept_proxy_protocol) {
 read_ = &ClientHandler::read_clear;
 write_ = &ClientHandler::noop;
 on_read_ = &ClientHandler::proxy_protocol_read;
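Review bot: The new `proxyproto` paragraph in the --frontend help explains how to switch the feature on but not what switching it on trusts: PROXY protocol v1 carries no authentication of its own, so the client address taken from the header is whatever the connecting peer wrote there. Suggest a sentence after `disabled by default.` such as `Enable it only on a frontend that is reachable solely from the trusted proxy, since the client address in the header is not authenticated.` The paragraph could also say that the deprecated `--accept-proxy-protocol` option is still honoured for every frontend (the next hunk drops its help entry while the option case in shrpx_config.cc keeps accepting it), so operators migrating configurations know the old setting has not stopped working.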
diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc
index 56aeaf5f..eb786e84 100644
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@@ -677,6 +677,7 @@ int parse_memcached_connection_params(MemcachedConnectionParams &out,
 struct UpstreamParams {
 int alt_mode;
 bool tls;
+ bool proxyproto;
 };
 namespace {
@@ -705,6 +706,8 @@ int parse_upstream_params(UpstreamParams &out, const StringRef &src_params) {
 return -1;
 }
 out.alt_mode = ALTMODE_HEALTHMON;
+ } else if (util::strieq_l("proxyproto", param)) {
+ out.proxyproto = true;
 } else if (!param.empty()) {
 LOG(ERROR) << "frontend: " << param << ": unknown keyword";
 return -1;
@@ -2091,6 +2094,7 @@ int parse_config(Config *config, int optid, const StringRef &opt,
 addr.fd = -1;
 addr.tls = params.tls;
 addr.alt_mode = params.alt_mode;
+ addr.accept_proxy_protocol = params.proxyproto;
 if (addr.alt_mode == ALTMODE_API) {
 apiconf.enabled = true;
@@ -2883,6 +2887,8 @@ int parse_config(Config *config, int optid, const StringRef &opt,
 #endif // !HAVE_MRUBY
 return 0;
 case SHRPX_OPTID_ACCEPT_PROXY_PROTOCOL:
+ LOG(WARN) << opt << ": deprecated. Use proxyproto keyword in "
+ << SHRPX_OPT_FRONTEND << " instead.";
 config->conn.upstream.accept_proxy_protocol =
 util::strieq_l("yes", optarg);
 return 0;
diff --git a/src/shrpx_config.h b/src/shrpx_config.h
index 272e7e40..594c2342 100644
--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
@@ -382,6 +382,8 @@ struct UpstreamAddr {
 bool host_unix;
 // true if TLS is enabled.
 bool tls;
+ // true if client is supposed to send PROXY protocol v1 header.
+ bool accept_proxy_protocol;
 int fd;
 };
@@ -775,6 +777,7 @@ struct ConnectionConfig {
 RateLimitConfig write;
 } ratelimit;
 size_t worker_connections;
+ // Deprecated. See UpstreamAddr.accept_proxy_protocol.
 bool accept_proxy_protocol;
 } upstream;
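Review bot: `bool proxyproto;` joins `alt_mode` and `tls` in UpstreamParams without an initializer, so whether a frontend accepts PROXY protocol when the keyword is absent depends on the caller value-initializing the struct, which this hunk does not show. Because this flag decides whether a peer-supplied client address is honoured, an indeterminate default matters more here than for the other two members; the same applies to the new `bool accept_proxy_protocol;` in UpstreamAddr in shrpx_config.h, which is filled field by field. Prefer `bool proxyproto = false;` (a default member initializer keeps the struct an aggregate from C++14 on, so check the project's standard) or confirm that parse_config writes `UpstreamParams params{};` before calling parse_upstream_params.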
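Review bot: `addr.accept_proxy_protocol = params.proxyproto;` does not record the effective setting: ClientHandler's constructor (first file of this patch) ORs it with the deprecated global `config->conn.upstream.accept_proxy_protocol`, so a false value here does not mean the listener ignores PROXY headers. A comment at this line would prevent that misreading: `// The deprecated global --accept-proxy-protocol still enables PROXY protocol on every frontend; ClientHandler ORs the two flags.` Folding the global into addr here would be cleaner but would depend on the order in which options are parsed, so the comment is the safer change. The enclosing parse_config case continues outside the hunk.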
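Review bot: The comment `// true if client is supposed to send PROXY protocol v1 header.` on UpstreamAddr::accept_proxy_protocol states the expectation but not the trust it creates: the header is read from the peer and the client address it carries is not authenticated by the protocol, so this flag is only safe on a listener that nothing but the trusted proxy can reach. Suggest: `// true if the peer is expected to send a PROXY protocol v1 header. Set only for frontends reachable exclusively from a trusted proxy: the client address in the header is supplied by the peer.` Since UpstreamAddr is populated field by field in parse_config (`addr.fd = -1;` and neighbours), any other construction site not shown in this patch must now set the field as well, which a `bool accept_proxy_protocol = false;` default would make unnecessary.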