Hello Tim,

On Fri, 29 Jun 2018 at 21:00, Tim Duesterhus <[email protected]> wrote:
>
> This patch changes the sending side of proxy protocol to convert IP
> addresses to IPv4 when possible (and converts them to IPv6 otherwise).
>
> Previously the code failed to properly provide information under
> certain circumstances:
>
> 1. haproxy is being accessed using IPv4, http-request set-src sets
>    an IPv6 address.
> 2. haproxy is being accessed using IPv6, http-request set-src sets
>    an IPv4 address.
> 3. haproxy listens on `::` with v4v6 and is accessed using IPv4:
>    It would send a TCP6 line, instead of a proper TCP4 line, because
>    the IP addresses are represented as a mapped IPv4 address internally.
>
> Once correctness of this patch has been verified it should be evaluated
> whether it should be backported, as (1) and (2) are bugs. (3) is an
> enhancement.

Thanks for this, just a comment about nr 3:

A backend may rely on v4-mapped addresses for various reasons; consider
a backend that, to simplify its handling of IP addresses, only handles
IPv6 and expects IPv4 addresses to be mapped.
Also consider that to send native v4 addresses the admin only has to
make a small adjustment in the bind configuration.

So since this would be a breaking change, and since the admin can
easily reconfigure the bind line any time, I would advise against this
and vote for maintaining the current behavior (where the bind
configuration controls this behavior).

I assume the X-Forwarded-For header behaves similarly in this regard.



cheers,
lukas
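
Added example, not part of the original message or of HAProxy's code: a receiving backend that parses a PROXY protocol v1 line and normalizes the source address, so an IP allow-list gives the same answer whether the proxy sends a TCP4 line or a TCP6 line with a v4-mapped address. The function names, sample header lines and the allow-list are constructed for illustration.

```python
import ipaddress

def parse_proxy_v1(line: bytes):
    """Parse a PROXY v1 TCP4/TCP6 header; return (family, src, dst, sport, dport)."""
    if not line.endswith(b"\r\n") or len(line) > 107:
        raise ValueError("malformed PROXY v1 header")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 header")
    family, src, dst, sport, dport = parts[1:]
    cls = ipaddress.IPv4Address if family == "TCP4" else ipaddress.IPv6Address
    ports = (int(sport), int(dport))
    if not all(0 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return family, cls(src), cls(dst), ports[0], ports[1]

def canonical(addr):
    """Collapse an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to native IPv4."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def as_mapped(addr):
    """Opposite direction, for an IPv6-only backend that expects mapped IPv4."""
    if isinstance(addr, ipaddress.IPv4Address):
        return ipaddress.IPv6Address("::ffff:" + str(addr))
    return addr

def naive_allowed(addr, networks):
    """Allow-list check on the address exactly as received."""
    return any(addr.version == n.version and addr in n for n in networks)

def allowed(addr, networks):
    """Allow-list check after normalization; independent of the header family."""
    return naive_allowed(canonical(addr), networks)

# Constructed sample headers for the same IPv4 client, in both representations.
TCP4_LINE = b"PROXY TCP4 192.0.2.10 198.51.100.1 56324 443\r\n"
TCP6_LINE = b"PROXY TCP6 ::ffff:192.0.2.10 ::ffff:198.51.100.1 56324 443\r\n"
ACL = [ipaddress.ip_network("192.0.2.0/24")]  # constructed allow-list

if __name__ == "__main__":
    for line in (TCP4_LINE, TCP6_LINE):
        family, src, *_ = parse_proxy_v1(line)
        print(family, src, "naive:", naive_allowed(src, ACL),
              "normalized:", allowed(src, ACL))
```
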
