bneradt opened a new pull request, #13125: URL: https://github.com/apache/trafficserver/pull/13125
Flexible Proxy Protocol ports currently use proxy.config.http.proxy_protocol_allowlist as a source-IP gate for every connection, even when traffic never presents a Proxy Protocol header. Mixed PP and non-PP deployments can then reject ordinary HTTP or TLS clients unexpectedly. This changes the allowlist check to run only after a v1 or v2 Proxy Protocol preface is detected, while still applying the gate before parsing or consuming the header. This keeps PP-looking spoof attempts behind the trusted-peer check, leaves non-PP bytes untouched for normal probing or TLS handshakes, and documents the new behavior with focused AuTest coverage.
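The gating order described in the pull request above, sketched as an added example; it is not code from the pull request or from Traffic Server. The names `classify`, `Verdict` and `Cidr`, the IPv4-only allowlist, and the `NeedMoreData` handling of short reads are assumptions of this sketch.

```cpp
#include <algorithm>
#include <cstdint>
#include <string_view>
#include <vector>

// Hypothetical names throughout; this is not Traffic Server's API.
enum class Verdict { PassThrough, NeedMoreData, ParseProxyHeader, Reject };

constexpr std::string_view PP_V1_PREFACE{"PROXY "};                    // v1 text preface
constexpr std::string_view PP_V2_PREFACE{"\r\n\r\n\0\r\nQUIT\n", 12};  // v2 binary signature

struct Cidr { uint32_t net; int len; };  // IPv4 only, host byte order, len in 0..32

constexpr uint32_t ip(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
  return (uint32_t{a} << 24) | (uint32_t{b} << 16) | (uint32_t{c} << 8) | d;
}

bool allowed(uint32_t peer, const std::vector<Cidr> &allowlist) {
  for (const auto &c : allowlist) {
    uint32_t mask = c.len == 0 ? 0 : ~uint32_t{0} << (32 - c.len);
    if ((peer & mask) == (c.net & mask)) return true;
  }
  return false;
}

// True if buf and preface agree on every byte both have (buf may be a short read).
bool agrees(std::string_view buf, std::string_view preface) {
  auto n = std::min(buf.size(), preface.size());
  return buf.substr(0, n) == preface.substr(0, n);
}

// Classify the first peeked bytes of a connection without consuming them.
Verdict classify(std::string_view peeked, uint32_t peer, const std::vector<Cidr> &allowlist) {
  bool v1 = agrees(peeked, PP_V1_PREFACE), v2 = agrees(peeked, PP_V2_PREFACE);
  if (!v1 && !v2) return Verdict::PassThrough;  // plain HTTP or TLS: no source-IP gate
  bool complete = (v1 && peeked.size() >= PP_V1_PREFACE.size()) ||
                  (v2 && peeked.size() >= PP_V2_PREFACE.size());
  if (!complete) return Verdict::NeedMoreData;  // could still turn out to be a preface
  // A full preface was seen: gate on the peer before any header parsing happens.
  return allowed(peer, allowlist) ? Verdict::ParseProxyHeader : Verdict::Reject;
}

int main() {
  std::vector<Cidr> allow{{ip(10, 0, 0, 0), 8}};  // constructed allowlist
  return classify("GET / HTTP/1.1\r\n", ip(203, 0, 113, 9), allow) == Verdict::PassThrough ? 0 : 1;
}
```

A request line such as `PROPFIND` shares its first three bytes with the v1 preface, which is why a short read is held rather than gated or passed through.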
