nghttpx: Add proxyproto to frontend option to accept PROXY protocol

Previously, the global accept-proxy-protocol option enabled PROXY
protocol support for all frontend listeners, which was inflexible.  To
fix this, the accept-proxy-protocol option is now deprecated; instead,
the proxyproto parameter in the frontend option enables PROXY protocol
support per frontend.
Tatsuhiro Tsujikawa 2017-01-03 12:47:03 +09:00
parent 3933280d29
commit b313386988
4 changed files with 15 additions and 3 deletions


@ -1694,6 +1694,10 @@ Connections:
default. Any requests which come through this address default. Any requests which come through this address
are replied with 200 HTTP status, without no body. are replied with 200 HTTP status, without no body.
To accept PROXY protocol version 1 on frontend
connection, specify "proxyproto" parameter. This is
disabled by default.
Default: *,3000 Default: *,3000
--backlog=<N> --backlog=<N>
Set listen backlog size. Set listen backlog size.
@ -1718,8 +1722,6 @@ Connections:
timeouts when connecting and making CONNECT request can timeouts when connecting and making CONNECT request can
be specified by --backend-read-timeout and be specified by --backend-read-timeout and
--backend-write-timeout options. --backend-write-timeout options.
--accept-proxy-protocol
Accept PROXY protocol version 1 on frontend connection.
Performance: Performance:
-n, --workers=<N> -n, --workers=<N>
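Review bot: The new help text for "proxyproto" does not say which peers are expected to send the PROXY header. A PROXY protocol v1 header carries a client address asserted by whoever opens the connection, so a frontend with this parameter is only safe when it is reachable solely from the trusted proxy or load balancer in front of nghttpx; how nghttpx then uses that address is not visible in this hunk. I would add one sentence after "This is disabled by default.", for example `Enable this only on a frontend that is reachable solely from a trusted proxy, because the client address in the header is taken from the peer.`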


@ -413,7 +413,8 @@ ClientHandler::ClientHandler(Worker *worker, int fd, SSL *ssl,
auto config = get_config(); auto config = get_config();
if (config->conn.upstream.accept_proxy_protocol) { if (faddr_->accept_proxy_protocol ||
config->conn.upstream.accept_proxy_protocol) {
read_ = &ClientHandler::read_clear; read_ = &ClientHandler::read_clear;
write_ = &ClientHandler::noop; write_ = &ClientHandler::noop;
on_read_ = &ClientHandler::proxy_protocol_read; on_read_ = &ClientHandler::proxy_protocol_read;
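Review bot: The changed `if` keeps the deprecated global flag as a fallback, so a frontend configured without `proxyproto` still reads a PROXY header whenever `accept-proxy-protocol` is set, and nothing at this site says that is deliberate. I would put a comment above the condition, e.g. `// Per-frontend proxyproto, or the deprecated global accept-proxy-protocol, which still applies to every frontend.` The constructor starts and ends outside this hunk, so whether `faddr_` is always non-null at this point cannot be confirmed from here and is worth checking.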


@ -677,6 +677,7 @@ int parse_memcached_connection_params(MemcachedConnectionParams &out,
struct UpstreamParams { struct UpstreamParams {
int alt_mode; int alt_mode;
bool tls; bool tls;
bool proxyproto;
}; };
namespace { namespace {
@ -705,6 +706,8 @@ int parse_upstream_params(UpstreamParams &out, const StringRef &src_params) {
return -1; return -1;
} }
out.alt_mode = ALTMODE_HEALTHMON; out.alt_mode = ALTMODE_HEALTHMON;
} else if (util::strieq_l("proxyproto", param)) {
out.proxyproto = true;
} else if (!param.empty()) { } else if (!param.empty()) {
LOG(ERROR) << "frontend: " << param << ": unknown keyword"; LOG(ERROR) << "frontend: " << param << ": unknown keyword";
return -1; return -1;
@ -2091,6 +2094,7 @@ int parse_config(Config *config, int optid, const StringRef &opt,
addr.fd = -1; addr.fd = -1;
addr.tls = params.tls; addr.tls = params.tls;
addr.alt_mode = params.alt_mode; addr.alt_mode = params.alt_mode;
addr.accept_proxy_protocol = params.proxyproto;
if (addr.alt_mode == ALTMODE_API) { if (addr.alt_mode == ALTMODE_API) {
apiconf.enabled = true; apiconf.enabled = true;
@ -2883,6 +2887,8 @@ int parse_config(Config *config, int optid, const StringRef &opt,
#endif // !HAVE_MRUBY #endif // !HAVE_MRUBY
return 0; return 0;
case SHRPX_OPTID_ACCEPT_PROXY_PROTOCOL: case SHRPX_OPTID_ACCEPT_PROXY_PROTOCOL:
LOG(WARN) << opt << ": deprecated. Use proxyproto keyword in "
<< SHRPX_OPT_FRONTEND << " instead.";
config->conn.upstream.accept_proxy_protocol = util::strieq_l("yes", optarg); config->conn.upstream.accept_proxy_protocol = util::strieq_l("yes", optarg);
return 0; return 0;
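Review bot: `out.proxyproto` is only ever assigned `true` in parse_upstream_params, so its value when the keyword is absent depends on how the caller initialises `UpstreamParams`, and that declaration is outside these hunks. If `params` is not value-initialised (`UpstreamParams params{};`), `addr.accept_proxy_protocol = params.proxyproto;` copies an indeterminate bool and a frontend could end up accepting PROXY headers without being configured to. The neighbouring `tls` and `alt_mode` fields are copied the same way, so this is probably already handled, but it should be confirmed. The same holds for the new `accept_proxy_protocol` member of `UpstreamAddr` on any path that builds an address without going through this assignment. Both parse_upstream_params and parse_config continue outside the hunks shown.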


@ -382,6 +382,8 @@ struct UpstreamAddr {
bool host_unix; bool host_unix;
// true if TLS is enabled. // true if TLS is enabled.
bool tls; bool tls;
// true if client is supposed to send PROXY protocol v1 header.
bool accept_proxy_protocol;
int fd; int fd;
}; };
@ -775,6 +777,7 @@ struct ConnectionConfig {
RateLimitConfig write; RateLimitConfig write;
} ratelimit; } ratelimit;
size_t worker_connections; size_t worker_connections;
// Deprecated. See UpstreamAddr.accept_proxy_protocol.
bool accept_proxy_protocol; bool accept_proxy_protocol;
} upstream; } upstream;