PROXY protocol - patches

Dag Haavi Finstad daghf at varnish-software.com
Fri Jan 30 18:11:24 CET 2015


Hi

Here's a set of patches for PROXY support in Varnish master, as
discussed at the meeting in Barcelona last November
(https://www.varnish-cache.org/trac/wiki/VDD14Q4#Notestakenduringthemeeting).

0001-Introduce-local.ip-and-remote.ip.patch
0002-Make-client.ip-settable-from-VCL.patch

These patches introduce new VCL vars local.ip and remote.ip, and make
client.ip writable from VCL. local.ip and remote.ip are immutable and
will always represent the endpoints of the local socket.

VCL will then have four different IP vars (client.ip, server.ip,
remote.ip, local.ip). By default (no PROXY proto), client.ip and
server.ip will be set to the values of remote.ip and client.ip
respectively. With PROXY protocol, they will get their values set from
the PROXY header.

0003-Add-support-for-specifying-protocol-to-the-listen-so.patch:
This adds an optional protocol specifier to the -a command line
argument, to let us specify e.g. "-a proxy@192.168.1.1:8081" to enable
PROXY protocol for that listen endpoint.

0004-Set-blocking-mode-prior-to-entering-HTTP-1-FSM.patch:
PROXY code needed blocking mode, so this had to be reorganized slightly.

0005-Preliminary-PROXY-v1-v2-support.patch:
This is the big one that adds handling and parsing of PROXY v1 and v2.
Adds a new fsm step S_STP_PROXY where we end up when a sess comes in
from the acceptor on a PROXY protocol listen endpoint.

If the sender does not satisfy the exact specifications of the PROXY
protocol, we close the connection. With a valid PROXY header, the
addresses will be available in client.ip and server.ip in VCL.

0006-Update-graphviz-doc-to-reflect-new-S_STP_PROXY-step.patch:
And finally update the dotty diagrams to reflect how the state machine
looks with PROXY protocol support.

Further work:
- Byte counters for PROXY protocol bytes. Is req_hdrbytes an
acceptable place to stick it?
- Put an example like this somewhere in the docs, to help users be
safe from a spoofing attack:

acl trusted_remotes {
  // ...
}

sub vcl_recv {
  if (remote.ip !~ trusted_remotes) {
    return (synth(403, "Forbidden"));
  }
}


Comments very much appreciated.

-Dag

-- 
Dag Haavi Finstad
Software Developer | Varnish Software
Mobile: +47 476 64 134
We Make Websites Fly!
Attachments (scrubbed by the list archive; all are text/x-patch):
0001-Introduce-local.ip-and-remote.ip.patch (9853 bytes)
  https://www.varnish-cache.org/lists/pipermail/varnish-dev/attachments/20150130/bb14fc29/attachment-0006.bin
0002-Make-client.ip-settable-from-VCL.patch (5881 bytes)
  https://www.varnish-cache.org/lists/pipermail/varnish-dev/attachments/20150130/bb14fc29/attachment-0007.bin
0003-Add-support-for-specifying-protocol-to-the-listen-so.patch (8092 bytes)
  https://www.varnish-cache.org/lists/pipermail/varnish-dev/attachments/20150130/bb14fc29/attachment-0008.bin
0004-Set-blocking-mode-prior-to-entering-HTTP-1-FSM.patch (2607 bytes)
  https://www.varnish-cache.org/lists/pipermail/varnish-dev/attachments/20150130/bb14fc29/attachment-0009.bin
0005-Preliminary-PROXY-v1-v2-support.patch (23398 bytes)
  https://www.varnish-cache.org/lists/pipermail/varnish-dev/attachments/20150130/bb14fc29/attachment-0010.bin
0006-Update-graphviz-doc-to-reflect-new-S_STP_PROXY-step.patch (1295 bytes)
  https://www.varnish-cache.org/lists/pipermail/varnish-dev/attachments/20150130/bb14fc29/attachment-0011.bin
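The following is an added example and is not part of Dag's patch series or of Varnish itself. It illustrates the policy patch 0005 describes ("if the sender does not satisfy the exact specifications of the PROXY protocol, we close the connection") as a strict validator for PROXY v1 text lines and v2 fixed headers: every return of 0 corresponds to a case where the receiver should drop the connection rather than guess. The struct and function names (proxy_hdr, proxy_v1_parse, proxy_v2_hdr_len, parse_port) are this example's own, as is the 107-byte v1 limit taken from the protocol specification. Note that strict parsing only establishes that the header is well-formed, not that the peer is allowed to send one; that is why the remote.ip ACL check in the mail is still needed on a PROXY listen endpoint.

```c
/* Added example (not from Dag's patches or from Varnish): a strict
 * validator for PROXY protocol v1 lines and v2 fixed headers, showing the
 * "close the connection on any deviation from the spec" policy. */
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

#define PROXY_V1_MAX 107            /* spec: longest v1 line incl. CRLF */
struct proxy_hdr {
	int family;                 /* AF_INET, AF_INET6, AF_UNSPEC ("UNKNOWN") */
	char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
	unsigned sport, dport;
};

/* Decimal digits only, no leading zeros, at most 65535. */
static int
parse_port(const char *s, unsigned *out)
{
	char *e;
	unsigned long v;
	if (*s < '0' || *s > '9' || (s[0] == '0' && s[1] != '\0'))
		return 0;
	v = strtoul(s, &e, 10);
	if (*e != '\0' || v > 65535)
		return 0;
	*out = (unsigned)v;
	return 1;
}

/* Returns bytes consumed by a valid v1 header, or 0 if the peer must be
 * disconnected. buf need not be NUL-terminated. */
static size_t
proxy_v1_parse(const char *buf, size_t len, struct proxy_hdr *h)
{
	char line[PROXY_V1_MAX + 1], *tok[6], *p, *sp;
	const char *cr; unsigned char tmp[16];
	size_t hl; int ntok = 0, af;

	if (len < 8 || memcmp(buf, "PROXY ", 6) != 0 ||
	    (cr = memchr(buf, '\r', len)) == NULL)
		return 0;
	hl = (size_t)(cr - buf) + 2;                /* through CRLF */
	if (hl > len || hl > PROXY_V1_MAX || cr[1] != '\n')
		return 0;
	memcpy(line, buf, hl - 2);
	line[hl - 2] = '\0';
	if (strlen(line) != hl - 2)                 /* embedded NUL */
		return 0;
	memset(h, 0, sizeof *h);
	/* "PROXY UNKNOWN ..." is valid; the rest of the line is ignored. */
	if (strncmp(line + 6, "UNKNOWN", 7) == 0 &&
	    (line[13] == '\0' || line[13] == ' ')) {
		h->family = AF_UNSPEC;
		return hl;
	}
	/* Exactly six fields separated by single spaces, none trailing. */
	for (p = line;; p = sp + 1) {
		if (ntok == 6)
			return 0;
		tok[ntok++] = p;
		if ((sp = strchr(p, ' ')) == NULL)
			break;
		*sp = '\0';
		if (sp[1] == '\0' || sp[1] == ' ')
			return 0;
	}
	af = strcmp(tok[1], "TCP4") == 0 ? AF_INET :
	     strcmp(tok[1], "TCP6") == 0 ? AF_INET6 : -1;
	if (ntok != 6 || af < 0 ||
	    inet_pton(af, tok[2], tmp) != 1 || inet_pton(af, tok[3], tmp) != 1 ||
	    !parse_port(tok[4], &h->sport) || !parse_port(tok[5], &h->dport))
		return 0;
	h->family = af;
	snprintf(h->src, sizeof h->src, "%s", tok[2]);
	snprintf(h->dst, sizeof h->dst, "%s", tok[3]);
	return hl;
}

/* v2: 12-byte signature, version/command, family/proto, 16-bit address
 * block length. Returns 16 + that length, or 0 to reject. */
static size_t
proxy_v2_hdr_len(const unsigned char *buf, size_t len)
{
	static const unsigned char sig[12] = { 0x0D, 0x0A, 0x0D, 0x0A, 0x00,
	    0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A };
	unsigned cmd, fam, alen;

	if (len < 16 || memcmp(buf, sig, 12) != 0 || (buf[12] & 0xF0) != 0x20)
		return 0;
	cmd = buf[12] & 0x0F;                       /* 0 = LOCAL, 1 = PROXY */
	fam = buf[13] >> 4;                         /* 1 = INET, 2 = INET6, 3 = UNIX */
	alen = ((unsigned)buf[14] << 8) | buf[15];
	if (cmd > 1 || fam > 3)
		return 0;
	if (cmd == 1 && ((fam == 1 && alen < 12) || (fam == 2 && alen < 36)))
		return 0;                           /* address block too short */
	return 16 + alen;
}
```

The v1 parser returns the number of header bytes so the caller can hand the remainder of the buffer (the real HTTP request) to the next state, which is the hand-off the S_STP_PROXY step has to perform; the v2 function only validates the fixed header and reports how much more the caller must read before the address block can be trusted.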

