Hi Manu.

On 02-02-2018 10:49, Emmanuel Hocdet wrote:
Hi Aleks

On 1 Feb 2018 at 23:34, Aleksandar Lazic <al-hapr...@none.at> wrote:

Hi.

------ Original Message ------
From: "Emmanuel Hocdet" <m...@gandi.net>
To: "haproxy" <haproxy@formilux.org>
Sent: 01.02.2018 17:54:46
Subject: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2

Hi,

This patch introduces proxy-v2-options for send-proxy-v2.
The goal is to add more options from doc/proxy-protocol.txt, especially
all TLS information related to security.
Can this function then replace the current `send-proxy-v2-ssl-cn` && `send-proxy-v2-ssl`?

Yes and no, you must add send-proxy-v2 to activate proxy-v2.

Let's say when the option is 'ssl-cn' then add all three flags as in the current `srv_parse_send_proxy_cn` function?

http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7788
http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7796

We offer with this suggested solution a backward compatibility and the new function is in use.


you must use "send-proxy-v2 proxy-v2-options ssl" for the current
send-proxy-v2-ssl
you must use "send-proxy-v2 proxy-v2-options cert-cn" for the current
send-proxy-v2-ssl-cn

The next options should be authority, cert-key, cert-sig, ssl-cipher.

Maybe in the next step there could be a 'tlv' option which can decode custom tlv's ?
http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/connection.c;hb=497959290789002b814b9021a737a3c5f14e7407#l606

Just some brainstorming ;-)

What do you mean?


Haproxy is naturally a producer for ‘tlv’ options (for sure when
related to ssl). I don’t know how ‘tlv’ options (other than netns)
could be really useful to consume; passthru could be more useful.

How about this example.

https://www.mail-archive.com/haproxy@formilux.org/msg28647.html

How to parse custom PROXY protocol v2 header for custom routing in HAProxy configuration?

This describes a case for AWS's own header in PP2, PP2_SUBTYPE_AWS_VPCE_ID. I know it's not easy, but maybe it's worth discussing how to use the free fields in PP2 for some ACLs.

++
Manu

Regards
Aleks
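
Added example, not part of the original thread and not HAProxy's own code: a bounds-checked C sketch of what consuming the custom AWS TLV discussed above involves on the receiving side of a PROXY protocol v2 header. The function name, the sample bytes, and the numeric values of PP2_TYPE_AWS (0xEA) and PP2_SUBTYPE_AWS_VPCE_ID (0x01), which are taken from AWS documentation, are assumptions not found in the thread; only the PROXY command over IPv4/IPv6 is handled.

```c
#include <stdint.h>
#include <string.h>

#define PP2_TYPE_AWS            0xEA /* assumption: value from AWS docs, not on this page */
#define PP2_SUBTYPE_AWS_VPCE_ID 0x01 /* assumption: same source */

static const uint8_t PP2_SIG[12] = {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A};

/* Constructed sample: PROXY v2, TCP over IPv4, one AWS TLV holding "vpce-0example". */
static const uint8_t SAMPLE[] = {
    0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A,
    0x21, 0x11, 0x00, 0x1D,                 /* v2+PROXY, INET+STREAM, 29 bytes follow */
    192,0,2,10, 198,51,100,5, 0xC3,0x50, 0x01,0xBB, /* src addr, dst addr, ports */
    PP2_TYPE_AWS, 0x00, 0x0E, PP2_SUBTYPE_AWS_VPCE_ID,
    'v','p','c','e','-','0','e','x','a','m','p','l','e'
};

/* Copies the VPC endpoint id into out (NUL-terminated); returns its length or -1. */
int pp2_find_vpce_id(const uint8_t *buf, size_t len, char *out, size_t outsz)
{
    size_t total, p, vlen, addr;
    if (len < 16 || memcmp(buf, PP2_SIG, 12) != 0 || buf[12] != 0x21)
        return -1;                          /* not a v2 PROXY command */
    total = 16 + (((size_t)buf[14] << 8) | buf[15]);
    addr = (buf[13] >> 4) == 1 ? 12 : (buf[13] >> 4) == 2 ? 36 : 0;
    if (addr == 0 || total > len || 16 + addr > total)
        return -1;                          /* only INET/INET6; reject truncated input */
    for (p = 16 + addr; total - p >= 3; p += vlen) {
        uint8_t type = buf[p];
        vlen = ((size_t)buf[p + 1] << 8) | buf[p + 2];
        p += 3;
        if (vlen > total - p)
            return -1;                      /* TLV claims more than the header holds */
        if (type == PP2_TYPE_AWS && vlen >= 1 && buf[p] == PP2_SUBTYPE_AWS_VPCE_ID) {
            if (vlen > outsz)
                return -1;                  /* id (vlen - 1 bytes) plus NUL must fit */
            memcpy(out, buf + p + 1, vlen - 1);
            out[vlen - 1] = '\0';
            return (int)(vlen - 1);
        }
    }
    return -1;                              /* no AWS VPCE TLV present */
}

int main(void)
{
    char id[64];
    return pp2_find_vpce_id(SAMPLE, sizeof SAMPLE, id, sizeof id) == 13 ? 0 : 1;
}
```

A value extracted this way is only as trustworthy as the peer that sent the header, so it should feed routing or ACL decisions only on listeners that accept PROXY protocol from known upstream load balancers.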
