VMOD proxy - Varnish Module to extract TLV attributes from PROXYv2

SYNOPSIS

import proxy [as name] [from "path"]

STRING alpn()

STRING authority()

BOOL is_ssl()

BOOL client_has_cert_sess()

BOOL client_has_cert_conn()

INT ssl_verify_result()

STRING ssl_version()

STRING client_cert_cn()

STRING ssl_cipher()

STRING cert_sign()

STRING cert_key()

DESCRIPTION

vmod_proxy contains functions to extract proxy-protocol-v2 TLV attributes as described in https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt.

STRING alpn()

Extract ALPN attribute.

Example:

set req.http.alpn = proxy.alpn();

STRING authority()

Extract authority attribute. This corresponds to SNI from a TLS connection.

Example:

set req.http.authority = proxy.authority();

BOOL is_ssl()

Report if proxy-protocol-v2 has SSL TLV.

Example:

if (proxy.is_ssl()) {
        set req.http.ssl-version = proxy.ssl_version();
}

BOOL client_has_cert_sess()

Report if the client provided a certificate at least once over the TLS session this connection belongs to.

BOOL client_has_cert_conn()

Report if the client provided a certificate over the current connection.

INT ssl_verify_result()

Report the SSL_get_verify_result from a TLS session. It only matters if client_has_cert_sess() is true. Per default, value is set to 0 (X509_V_OK).

Example:

if (proxy.client_has_cert_sess() && proxy.ssl_verify_result() == 0) {
        set req.http.ssl-verify = "ok";
}

STRING ssl_version()

Extract SSL version attribute.

Example:

set req.http.ssl-version = proxy.ssl_version();

STRING client_cert_cn()

Extract the common name attribute of the client certificate’s.

Example::

set req.http.cert-cn = proxy.client_cert_cn();

STRING ssl_cipher()

Extract the SSL cipher attribute.

Example:

set req.http.ssl-cipher = proxy.ssl_cipher();

STRING cert_sign()

Extract the certificate signature algorithm attribute.

Example:

set req.http.cert-sign = proxy.cert_sign();

STRING cert_key()

Extract the certificate key algorithm attribute.

Example:

set req.http.cert-key = proxy.cert_key();

SEE ALSO