On Friday 08 of July 2011 23:17:12 Sébastien Estienne wrote:
> http://devblog.bu.mp/introducing-stud ). Today we have the choice between:
> - haproxy 1.4 + patched stunnel
> - haproxy 1.5 dev + stud
> - patched haproxy 1.4 + stud

There is also a fourth option:

- patched haproxy 1.4.x + patched stunnel (accept-proxy patch)

I'm using the attached patch (found on the internet) with stunnel 4.34.

Best regards, Brane
diff -ru stunnel-4.34/src/client.c stunnel-4.34-exceliance-aloha-sendproxy/src/client.c
--- stunnel-4.34/src/client.c	2010-09-14 17:03:43.000000000 +0200
+++ stunnel-4.34-exceliance-aloha-sendproxy/src/client.c	2010-12-07 22:46:32.421248698 +0100
@@ -86,6 +86,8 @@
     c->opt=opt;
     c->local_rfd.fd=rfd;
     c->local_wfd.fd=wfd;
+    if (c->opt->option.sendproxy)
+        c->sendproxy = 1;
     return c;
 }
 
@@ -564,6 +566,73 @@
             }
         }
 
+	if (c->sendproxy && !c->ssl_ptr) {
+		int cfd;
+		struct sockaddr_storage local_addr;
+		struct sockaddr_storage peer_addr;
+		u_char family = AF_UNSPEC;
+
+		cfd = SSL_get_fd(c->ssl);
+		if (cfd != -1) {
+			size_t namelen;
+
+			namelen = sizeof(local_addr);
+			if (!getsockname(cfd, (struct sockaddr *)&local_addr, &namelen)) {
+				namelen = sizeof(peer_addr);
+				if (!getpeername(cfd, (struct sockaddr *)&peer_addr, &namelen))
+					family = peer_addr.ss_family;
+			}
+		}
+
+		if (family == AF_INET) {
+
+			if (BUFFSIZE >= 11) {
+				memcpy(c->ssl_buff, "PROXY TCP4 ", 11);
+				c->ssl_ptr += 11;
+			}
+
+			if (inet_ntop(peer_addr.ss_family, &((struct sockaddr_in*)&peer_addr)->sin_addr, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr)) {
+				c->ssl_ptr += strlen(c->ssl_buff+c->ssl_ptr);
+			}
+			if (c->ssl_ptr != BUFFSIZE) {
+				c->ssl_buff[c->ssl_ptr] = ' ';
+				c->ssl_ptr++;
+			}
+			if (inet_ntop(local_addr.ss_family, &((struct sockaddr_in*)&local_addr)->sin_addr, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr)) {
+				c->ssl_ptr += strlen(c->ssl_buff+c->ssl_ptr);
+			}
+			c->ssl_ptr += snprintf(c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr, " %u %u\r\n", ntohs(((struct sockaddr_in*)&peer_addr)->sin_port), ntohs(((struct sockaddr_in*)&local_addr)->sin_port));
+		}
+#if defined(USE_IPv6) && !defined(USE_WIN32)			
+		else if (family == AF_INET6) {
+
+			if (BUFFSIZE >= 11) {
+                                memcpy(c->ssl_buff, "PROXY TCP6 ", 11);
+                                c->ssl_ptr += 11;
+                        }
+
+                        if (inet_ntop(peer_addr.ss_family, &((struct sockaddr_in6*)&peer_addr)->sin6_addr, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr)) {
+                                c->ssl_ptr += strlen(c->ssl_buff+c->ssl_ptr);
+                        }
+                        if (c->ssl_ptr != BUFFSIZE) {
+                                c->ssl_buff[c->ssl_ptr] = ' ';
+                                c->ssl_ptr++;
+                        }
+                        if (inet_ntop(local_addr.ss_family, &((struct sockaddr_in6*)&local_addr)->sin6_addr, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr)) {
+                                c->ssl_ptr += strlen(c->ssl_buff+c->ssl_ptr);
+                        }
+                        c->ssl_ptr += snprintf(c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr, " %u %u\r\n", ntohs(((struct sockaddr_in6*)&peer_addr)->sin6_port), ntohs(((struct sockaddr_in6*)&local_addr)->sin6_port));
+		}
+#endif
+		else {
+			if (BUFFSIZE >= 15) {
+                                memcpy(c->ssl_buff, "PROXY UNKNOWN\r\n ", 15);
+                                c->ssl_ptr += 15;
+                        }
+		}
+		c->sendproxy = 0;
+	}
+
         /****************************** update *_wants_* based on new *_ptr */
         /* this update is also required for SSL_pending() to be used */
         read_wants_read=
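Review bot: `c->ssl_ptr += snprintf(...)` on the port line of both the TCP4 and TCP6 branches adds snprintf's would-have-written length, so if the space left in ssl_buff is ever smaller than the formatted ports (or snprintf returns -1) ssl_ptr advances past BUFFSIZE and the transfer loop later indexes beyond the buffer; capture the return and check it: `int n = snprintf(c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr, " %u %u\r\n", ...); if (n < 0 || n >= BUFFSIZE-c->ssl_ptr) { /* header does not fit: treat as error */ } else c->ssl_ptr += n;`. In the same block `namelen` is declared `size_t` but getsockname()/getpeername() take `socklen_t *`, a narrower type on LP64 systems; declare it `socklen_t namelen;`. The header is written only when `c->ssl_ptr` is zero at this point of the loop, and if SSL data can already be sitting in ssl_buff here (the loop body above the hunk is not visible) the line would be deferred and injected mid-stream instead of being the first bytes the backend reads, which a backend expecting the PROXY protocol would reject, so either emit it before the first SSL read or drop the flag on that path rather than silently postponing it. The trailing space in the `"PROXY UNKNOWN\r\n "` literal is harmless (memcpy copies 15 bytes) but should go, and the block mixes tabs and spaces unlike the four-space code around it.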
diff -ru stunnel-4.34/src/options.c stunnel-4.34-exceliance-aloha-sendproxy/src/options.c
--- stunnel-4.34/src/options.c	2010-09-14 17:09:36.000000000 +0200
+++ stunnel-4.34-exceliance-aloha-sendproxy/src/options.c	2010-12-07 22:46:26.613204761 +0100
@@ -818,6 +818,29 @@
     }
 #endif
 
+    /* sendproxy */
+    switch(cmd) {
+    case CMD_INIT:
+        section->option.sendproxy=0;
+        break;
+    case CMD_EXEC:
+        if(strcasecmp(opt, "sendproxy"))
+            break;
+        if(!strcasecmp(arg, "yes"))
+            section->option.sendproxy=1;
+        else if(!strcasecmp(arg, "no"))
+            section->option.sendproxy=0;
+        else
+            return "argument should be either 'yes' or 'no'";
+        return NULL; /* OK */
+    case CMD_DEFAULT:
+        break;
+    case CMD_HELP:
+        s_log(LOG_NOTICE, "%-15s = yes|no append proxy prefix",
+            "sendproxy");
+        break;
+    }
+
     /* exec */
     switch(cmd) {
     case CMD_INIT:
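Review bot: The CMD_HELP text `yes|no append proxy prefix` does not say what is sent, so an operator reading the option list cannot tell that enabling it prepends a HAProxy PROXY protocol line to the decrypted stream, which the remote service must be configured to expect (the mail mentions haproxy's accept-proxy for that role); suggest `s_log(LOG_NOTICE, "%-15s = yes|no send HAProxy PROXY protocol header before forwarded data", "sendproxy");`. The parsing itself mirrors the other yes/no options in this function. The function wrapping these switch blocks begins and ends outside the hunk.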
diff -ru stunnel-4.34/src/prototypes.h stunnel-4.34-exceliance-aloha-sendproxy/src/prototypes.h
--- stunnel-4.34/src/prototypes.h	2010-09-14 17:09:50.000000000 +0200
+++ stunnel-4.34-exceliance-aloha-sendproxy/src/prototypes.h	2010-12-07 22:47:39.633763055 +0100
@@ -176,6 +176,7 @@
         unsigned int retry:1; /* loop remote+program */
         unsigned int sessiond:1;
         unsigned int program:1;
+        unsigned int sendproxy:1;
 #ifndef USE_WIN32
         unsigned int pty:1;
         unsigned int transparent:1;
@@ -341,6 +342,7 @@
 
     char sock_buff[BUFFSIZE]; /* socket read buffer */
     char ssl_buff[BUFFSIZE]; /* SSL read buffer */
+    int sendproxy;
     int sock_ptr, ssl_ptr; /* index of first unused byte in buffer */
     FD *sock_rfd, *sock_wfd; /* read and write socket descriptors */
     FD *ssl_rfd, *ssl_wfd; /* read and write SSL descriptors */
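Review bot: `int sendproxy;` is the only field in this stretch of the struct without a trailing comment, and its role is easy to confuse with the same-named option bit added to SERVICE_OPTIONS above, since this one is a per-connection "still to be sent" flag that client.c clears once the header has been written; suggest `int sendproxy; /* PROXY protocol header still to be written into ssl_buff */`. The enclosing struct definition begins and ends outside the hunk.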
