PROXY protocol

Roger Nesbitt roger at seriousorange.com
Mon Dec 3 09:35:58 CET 2012


Hello,

I've got a big chunk of time free and would like to scratch my own itch by implementing the PROXY protocol, as defined at this URL:
http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt

My thoughts are to initially implement version 1 of the protocol as part of the HTTP server component.  This will allow SSL frontends such as stunnel to pass through client IP information, a feature that seems to be often requested.

I'm completely new to the Varnish source; after having a little look today I assume that a VMOD will not be possible due to the integration required into the HTTP parser.

On first looks, I'm thinking of a detection hook in http1_detect(), although I'd have to figure out some way to indicate that it's the first http request handled on a new connection.  If a PROXY line is detected, the code would put the source/destination IP addresses and ports into new variables (maybe something like proxy.source_ip, proxy.dest_ip, proxy.source_port, proxy.dest_port) and leave it up to the user to build an X-Forwarded-For header in VCL should they wish (after checking that client.ip is trusted.)

Detecting the PROXY line should just be a single memcmp; I'm not sure whether the community would want this feature to be able to be manually enabled and disabled.

Is anyone else currently working on this?  Does this idea and general strategy seem sound?

Thanks for your help and suggestions.
Roger
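A strict parser for the PROXY protocol v1 header line described in the post, written in C as an added example; this is not code from Varnish or from the poster. The struct and function names (proxy_v1, proxy_v1_parse, peer_is_trusted), the trusted-peer allowlist and the sample input are all assumptions constructed for the example. It does the single-memcmp detection the post mentions, then validates every field so that a malformed line from an untrusted peer can never become a spoofed client address, and reports how many bytes to strip before the HTTP parser sees the connection.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Result of parsing one PROXY v1 header line (struct name is an assumption). */
struct proxy_v1 {
    int family;                     /* AF_INET, AF_INET6, or AF_UNSPEC for "UNKNOWN" */
    char src_ip[INET6_ADDRSTRLEN];
    char dst_ip[INET6_ADDRSTRLEN];
    unsigned src_port, dst_port;
    size_t consumed;                /* bytes to strip before the HTTP parser runs */
};

/* Port token: 1-5 decimal digits, value 0..65535, nothing else. */
static int parse_port(const char *tok, unsigned *out)
{
    size_t n = strlen(tok);
    if (n == 0 || n > 5)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)tok[i]))
            return -1;
    unsigned long v = strtoul(tok, NULL, 10);
    if (v > 65535)
        return -1;
    *out = (unsigned)v;
    return 0;
}

/* Returns 1 on a complete, valid header; 0 when buf does not start with the
 * signature (ordinary client data, hand it to the HTTP parser untouched);
 * -1 when a PROXY line is present but malformed or incomplete. */
int proxy_v1_parse(const char *buf, size_t len, struct proxy_v1 *out)
{
    /* The single memcmp the post describes. */
    if (len < 6 || memcmp(buf, "PROXY ", 6) != 0)
        return 0;
    /* A v1 line is at most 107 bytes including CRLF, so never scan past that. */
    size_t limit = len < 107 ? len : 107;
    const char *cr = memchr(buf, '\r', limit);
    if (cr == NULL || (size_t)(cr - buf) + 1 >= len || cr[1] != '\n')
        return -1;
    size_t linelen = (size_t)(cr - buf);
    char line[108];
    memcpy(line, buf, linelen);
    line[linelen] = '\0';
    memset(out, 0, sizeof *out);
    out->consumed = linelen + 2;

    /* "PROXY UNKNOWN" may carry arbitrary text up to CRLF; no address is trusted. */
    if (strncmp(line + 6, "UNKNOWN", 7) == 0 && (line[13] == '\0' || line[13] == ' ')) {
        out->family = AF_UNSPEC;
        return 1;
    }

    /* Split on single spaces; a double space yields an empty token and is rejected. */
    char *tok[6];
    int n = 0;
    char *p = line;
    while (n < 6) {
        tok[n++] = p;
        char *sp = strchr(p, ' ');
        if (sp == NULL)
            break;
        *sp = '\0';
        p = sp + 1;
    }
    if (n != 6 || strchr(tok[5], ' ') != NULL)
        return -1;

    if (strcmp(tok[1], "TCP4") == 0)
        out->family = AF_INET;
    else if (strcmp(tok[1], "TCP6") == 0)
        out->family = AF_INET6;
    else
        return -1;

    unsigned char addr[16];
    if (inet_pton(out->family, tok[2], addr) != 1 || inet_pton(out->family, tok[3], addr) != 1)
        return -1;
    if (parse_port(tok[4], &out->src_port) != 0 || parse_port(tok[5], &out->dst_port) != 0)
        return -1;
    snprintf(out->src_ip, sizeof out->src_ip, "%s", tok[2]);
    snprintf(out->dst_ip, sizeof out->dst_ip, "%s", tok[3]);
    return 1;
}

/* Only honour a PROXY line from a peer we operate (constructed allowlist; in the
 * post's design this is the client.ip trust check done in VCL). */
int peer_is_trusted(const char *peer_ip)
{
    static const char *const trusted[] = { "127.0.0.1", "10.0.0.5" };
    for (size_t i = 0; i < sizeof trusted / sizeof trusted[0]; i++)
        if (strcmp(peer_ip, trusted[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: what an SSL frontend would send ahead of the first request. */
    const char *raw = "PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\nGET / HTTP/1.1\r\n";
    struct proxy_v1 h;
    if (peer_is_trusted("127.0.0.1") && proxy_v1_parse(raw, strlen(raw), &h) == 1)
        printf("client %s:%u -> %s:%u, HTTP starts at offset %zu\n",
               h.src_ip, h.src_port, h.dst_ip, h.dst_port, h.consumed);
    return 0;
}
```

The `consumed` offset is what a hook at the start of a new connection would use to skip the header so the HTTP parser only ever sees the request; a return of -1 should close the connection rather than fall through to parsing the line as HTTP. In a real server the "no CRLF yet" case would be treated as "read more" up to the 107-byte limit instead of an immediate error; the example folds it into -1 for brevity.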