This is an automated email from the ASF dual-hosted git repository.

sudheerv pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 31a580d  SSL Cert lookup using PP dest ip when ProxyProtocol is 
enabled (#7802)
31a580d is described below

commit 31a580d0d89b2c141655ea167e4ad1b6b4e4973c
Author: Sudheer Vinukonda <sudhe...@apache.org>
AuthorDate: Tue May 11 21:30:55 2021 -0700

    SSL Cert lookup using PP dest ip when ProxyProtocol is enabled (#7802)
---
 iocore/net/SSLNetVConnection.cc |  7 +++++++
 iocore/net/SSLUtils.cc          | 20 +++++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 18d0637..b6be2c6 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -446,6 +446,13 @@ SSLNetVConnection::read_raw_data()
     if (this->has_proxy_protocol(buffer, &r)) {
       Debug("proxyprotocol", "ssl has proxy protocol header");
       set_remote_addr(get_proxy_protocol_src_addr());
+      if (is_debug_tag_set("proxyprotocol")) {
+        IpEndpoint dst;
+        dst.sa = *(this->get_proxy_protocol_dst_addr());
+        ip_port_text_buffer ipb1;
+        ats_ip_nptop(&dst, ipb1, sizeof(ipb1));
+        Debug("proxyprotocol", "ssl_has_proxy_v1, dest IP received [%s]", 
ipb1);
+      }
     } else {
       Debug("proxyprotocol", "proxy protocol was enabled, but required header 
was not present in the "
                              "transaction - closing connection");
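Review bot: `dst.sa = *(this->get_proxy_protocol_dst_addr());` copies only `sizeof(struct sockaddr)` bytes into the `IpEndpoint` union, so if the PROXY destination is an IPv6 `sockaddr_in6` the address is truncated and the logged text will be wrong; the same assignment form appears in the SSLUtils.cc hunk. The codebase's copy helper handles both families: `ats_ip_copy(&dst.sa, this->get_proxy_protocol_dst_addr());`. If `get_proxy_protocol_dst_addr()` can return a null pointer when the header carried no address (I cannot tell from the hunk), the dereference also needs a guard before the copy. The enclosing `read_raw_data()` starts and ends outside this hunk.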
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 1d57f0b..508d11f 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -38,6 +38,7 @@
 #include "P_OCSPStapling.h"
 #include "P_SSLSNI.h"
 #include "P_SSLConfig.h"
+#include "ProxyProtocol.h"
 #include "SSLSessionCache.h"
 #include "SSLSessionTicket.h"
 #include "SSLDynlock.h"
@@ -299,7 +300,24 @@ set_context_cert(SSL *ssl)
     IpEndpoint ip;
     int namelen = sizeof(ip);
 
-    if (0 == safe_getsockname(netvc->get_socket(), &ip.sa, &namelen)) {
+    if (netvc->get_is_proxy_protocol() && netvc->get_proxy_protocol_version() 
!= ProxyProtocolVersion::UNDEFINED) {
+      ip.sa = *(netvc->get_proxy_protocol_dst_addr());
+      ip_port_text_buffer ipb1;
+      ats_ip_nptop(&ip, ipb1, sizeof(ipb1));
+      cc = lookup->find(ip);
+      if (is_debug_tag_set("proxyprotocol")) {
+        IpEndpoint src;
+        ip_port_text_buffer ipb2;
+        int ip_len = sizeof(src);
+
+        if (0 != safe_getpeername(netvc->get_socket(), &src.sa, &ip_len)) {
+          Debug("proxyprotocol", "Failed to get src ip, errno = [%d]", errno);
+          return EVENT_ERROR;
+        }
+        ats_ip_nptop(&src, ipb2, sizeof(ipb2));
+        Debug("proxyprotocol", "IP context is %p for [%s] -> [%s], default 
context %p", cc, ipb2, ipb1, lookup->defaultContext());
+      }
+    } else if (0 == safe_getsockname(netvc->get_socket(), &ip.sa, &namelen)) {
       cc = lookup->find(ip);
     }
     if (cc) {
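Review bot: The `return EVENT_ERROR;` inside the `is_debug_tag_set("proxyprotocol")` branch makes the certificate lookup fail only when debug logging is enabled, so a `safe_getpeername()` failure aborts the handshake in a debug build but is ignored in production; a diagnostics-only branch should log and continue, never change control flow. Two smaller points in the same block: `ats_ip_nptop(&ip, ipb1, ...)` is formatted on every TLS handshake even when the tag is off, so it belongs inside the debug branch, and `ip.sa = *(netvc->get_proxy_protocol_dst_addr());` copies only `sizeof(struct sockaddr)` bytes, truncating an IPv6 destination before `lookup->find(ip)` (use `ats_ip_copy`). Note also that the lookup key is now the peer-supplied PROXY destination rather than the real socket address, so the certificate selected depends on what the upstream wrote into the header; that is the intent here but is only safe if PROXY headers are accepted from trusted sources, which would be worth a one-line comment above the branch. `set_context_cert()` begins and ends outside this hunk.
```cpp
    if (netvc->get_is_proxy_protocol() && netvc->get_proxy_protocol_version() != ProxyProtocolVersion::UNDEFINED) {
      // Trusts the PROXY header's destination; assumes PP is only accepted from trusted upstreams.
      // ats_ip_copy copies the full sockaddr_in6, not just sizeof(sockaddr).
      ats_ip_copy(&ip.sa, netvc->get_proxy_protocol_dst_addr());
      cc = lookup->find(ip);
      if (is_debug_tag_set("proxyprotocol")) {
        IpEndpoint src;
        ip_port_text_buffer ipb1, ipb2;
        int ip_len = sizeof(src);

        ats_ip_nptop(&ip, ipb1, sizeof(ipb1));
        if (0 != safe_getpeername(netvc->get_socket(), &src.sa, &ip_len)) {
          // Diagnostics only: a failed peer lookup must not fail the handshake.
          Debug("proxyprotocol", "Failed to get src ip, errno = [%d]", errno);
        } else {
          ats_ip_nptop(&src, ipb2, sizeof(ipb2));
          Debug("proxyprotocol", "IP context is %p for [%s] -> [%s], default context %p", cc, ipb2, ipb1, lookup->defaultContext());
        }
      }
    } else if (0 == safe_getsockname(netvc->get_socket(), &ip.sa, &namelen)) {
      // … unchanged: getsockname-based lookup …
```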
