More on the HAProxy proxy protocol
Poul-Henning Kamp
phk at phk.freebsd.dk
Mon Nov 11 20:19:08 CET 2013
In message <20131111153413.GA27258 at immer.varnish-software.com>, Lasse Karstensen writes:
>1. Extend the -a startup argument with a protocol definition:
We may be facing the same kind of issue with HTTP/2.0 but my best
idea so far was:
-a :80+http1+http2
> varnishd -a proxy at 192.0.2.10:80 -f /etc/varnish/foo.vcl
> varnishd -a proxy2 at 192.0.2.10:80 -f /etc/varnish/foo.vcl
<rant>
I wish people would learn to name things sensibly. Calling a protocol
"proxy" is a recipe for confusion.
</rant>
>Per the specification any connection not sending a proxy header to such a
>socket should be a hard error.
Yes, I noticed that too, and that sort of made me lean towards allocating
a specific command line argument (-p ?)
>It might be necessary to filter what clients are allowed to connect to this
>socket [...]
I don't think that is really our job, but see below.
>2. VCL interface
>
>In VCL we now have client.ip, server.ip and server.port available. These
>are now (as I understand it) picked directly from the socket endpoints.
I've been thinking about something like this:
remote.ip        // [IP]  Other end of the TCP connection
remote.port      // [INT] Our socket's peer address
local.ip         // [IP]  Own end of the TCP connection
local.port       // [INT] Socket's local address
client.ip        // [IP]  Which IP# the client connected to our end from.
                 //       if proto == PROXY
                 //           set from PROXY.hdr
                 //       else
                 //           set from remote.ip
server.ip        // [IP]  Which IP# the client connected to in our end.
server.port      // [INT]
                 //       if proto == PROXY
                 //           set from PROXY.hdr
                 //       else
                 //           set from our.*
client.identity  //       Best case ultimate client identity
                 //       if X-F-F:
                 //           set from X-F-F
                 //       else
                 //           set from client.ip
I'm somewhat tempted to make client.identity a STRING, rather than
an IP, to make it clear to people that running it through an ACL
is a bad idea.
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
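The variable derivation sketched in the message above, as an added example that is neither Varnish code nor part of the thread: it fills remote.*, local.*, client.*, server.* and client.identity from the socket endpoints, an optional PROXY header and X-Forwarded-For, treating a missing header on a PROXY-mode listener as a hard error. It assumes the PROXY protocol v1 text header ("PROXY TCP4 <src> <dst> <sport> <dport>\r\n"), and the addresses in the test are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Varnish code. Assumes the PROXY protocol v1 text header;
# "PROXY UNKNOWN" means the sender could not supply addresses, so fall back.


class ProxyHeaderError(ValueError):
    """PROXY-mode listener got no valid header: per the spec, a hard error."""


@dataclass
class ConnVars:
    remote_ip: str          # other end of the TCP connection
    remote_port: int
    local_ip: str           # our own socket address
    local_port: int
    client_ip: str          # from PROXY.hdr when proto == PROXY, else remote.ip
    server_ip: str
    server_port: int
    client_identity: str    # STRING on purpose: X-F-F is untrusted input, not ACL material


def parse_proxy_v1(line: bytes):
    """Return (src, dst, sport, dport), None for 'PROXY UNKNOWN', or raise."""
    if not line.startswith(b"PROXY ") or not line.endswith(b"\r\n") or len(line) > 107:
        raise ProxyHeaderError("missing or malformed PROXY header")
    fields = line[:-2].decode("ascii", "strict").split(" ")
    if fields[1] == "UNKNOWN":
        return None
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("unsupported PROXY family")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family mismatch")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return str(src), str(dst), sport, dport


def resolve(remote, local, proxy_mode, first_line=b"", xff=None):
    remote_ip, remote_port = remote
    local_ip, local_port = local
    client_ip, server_ip, server_port = remote_ip, local_ip, local_port
    if proxy_mode:
        hdr = parse_proxy_v1(first_line)   # raises if the peer sent no header
        if hdr is not None:
            client_ip, server_ip, _, server_port = hdr
    identity = xff.split(",")[0].strip() if xff else client_ip
    return ConnVars(remote_ip, remote_port, local_ip, local_port,
                    client_ip, server_ip, server_port, identity)
```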