BUG/MINOR: server: check for either proxy-protocol v1 or v2 to send header

As reported in issue #2882, using "no-send-proxy-v2" on a server line does
not properly disable the use of proxy-protocol if it was enabled in a
default-server directive in combination with other PP options. The reason
for this is that the sending of a proxy header is determined by a test on
srv->pp_opts without any distinction, so disabling PPv2 while leaving other
options results in a PPv1 header to be sent.

Let's fix this by explicitly testing for the presence of either send-proxy
or send-proxy-v2 when deciding to send a proxy header.

This can be backported to all versions. Thanks to Andre Sencioles (@asenci)
for reporting the issue and testing the fix.
Willy Tarreau 2025-03-03 03:58:46 +01:00
parent d0f97040a3
commit 730641f7ca
3 changed files with 4 additions and 3 deletions

@ -175,6 +175,7 @@ enum srv_init_state {
/* configured server options for send-proxy (server->pp_opts) */
#define SRV_PP_V1 0x0001 /* proxy protocol version 1 */
#define SRV_PP_V2 0x0002 /* proxy protocol version 2 */
#define SRV_PP_ENABLED 0x0003 /* proxy protocol version 1 or version 2 */
#define SRV_PP_V2_SSL 0x0004 /* proxy protocol version 2 with SSL */
#define SRV_PP_V2_SSL_CN 0x0008 /* proxy protocol version 2 with CN */
#define SRV_PP_V2_SSL_KEY_ALG 0x0010 /* proxy protocol version 2 with cert key algorithm */
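Review bot: SRV_PP_ENABLED is written as the literal 0x0003 and sits in the middle of the single-bit option flags, so nothing ties it to SRV_PP_V1 and SRV_PP_V2 if those values ever change, and it reads like one more option. Suggest defining it as (SRV_PP_V1 | SRV_PP_V2) and stating in the comment that it is a mask used to test whether a header must be sent, not a flag to be set in pp_opts.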

@ -1598,7 +1598,7 @@ int connect_server(struct stream *s)
hash_params.src_addr = bind_addr;
/* 5. proxy protocol */
if (srv && srv->pp_opts) {
if (srv && (srv->pp_opts & SRV_PP_ENABLED)) {
proxy_line_ret = make_proxy_line(trash.area, trash.size, srv, cli_conn, s, strm_sess(s));
if (proxy_line_ret) {
hash_params.proxy_prehash =
@ -1932,7 +1932,7 @@ skip_reuse:
/* process the case where the server requires the PROXY protocol to be sent */
srv_conn->send_proxy_ofs = 0;
if (srv && srv->pp_opts) {
if (srv && (srv->pp_opts & SRV_PP_ENABLED)) {
srv_conn->flags |= CO_FL_SEND_PROXY;
srv_conn->send_proxy_ofs = 1; /* must compute size */
}
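Review bot: The test srv->pp_opts & SRV_PP_ENABLED is now open-coded both here, where CO_FL_SEND_PROXY is set, and in the "5. proxy protocol" hunk above, where it decides whether make_proxy_line() feeds hash_params.proxy_prehash. These two decisions have to stay identical, so a small inline helper taking the server (name to be chosen) and used at both sites would keep them from diverging in a later change.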

@ -84,7 +84,7 @@ static struct connection *new_reverse_conn(struct listener *l, struct server *sr
set_host_port(conn->dst, srv->svc_port);
conn->send_proxy_ofs = 0;
if (srv->pp_opts) {
if (srv->pp_opts & SRV_PP_ENABLED) {
conn->flags |= CO_FL_SEND_PROXY;
conn->send_proxy_ofs = 1; /* must compute size */
}
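Review bot: The changed condition in new_reverse_conn() ships without a test, as do the other two sites: the 3 changed files are the header and the call sites only. Since the message says this is to be backported to all versions, a regression test with a default-server that enables PPv2 together with other PP options and a server line using no-send-proxy-v2, asserting that no proxy header is sent, would help keep the backports honest.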