Hello,
Le mer. 6 mai 2020 à 15:30, Tim Düsterhus <[email protected]> a écrit :
> Olivier,
>
> > I was not aware there were any change in the way HAProxy was doing its
> > checks over proxy-protocol in 2.0.14 ... any hint ?
>
> This sounds like this issue we've seen with Dovecot:
> https://www.mail-archive.com/[email protected]/msg36890.html
>
> Try applying this commit:
>
> https://github.com/haproxy/haproxy/commit/02c88036a61e09d0676a2b6b4086af677b023b94
So this patch is not working for me, with or without patching Apache2 with
https://bz.apache.org/bugzilla/show_bug.cgi?id=63893
But, "good news": reverting 7f26391bc51 did the trick.
To make sure we are talking about the same things, I've attached both
commits as patch files.
- applying 7f26391bc.patch did not fix the issue
- reverting 02c88036a.patch fixed the issue
How safe is it to run production with 02c88036a reverted?
Olivier
--- src/connection.c
+++ src/connection.c
@@ -1247,6 +1247,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct
server *srv, struct connec
/* At least one of src or dst is not of AF_INET or AF_INET6 */
if ( !src
|| !dst
+ || conn_is_back(remote)
|| (src->ss_family != AF_INET && src->ss_family != AF_INET6)
|| (dst->ss_family != AF_INET && dst->ss_family != AF_INET6)) {
if (buf_len < PP2_HDR_LEN_UNSPEC)
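Review bot: The comment just above the condition, `/* At least one of src or dst is not of AF_INET or AF_INET6 */`, is now stale: with the added `|| conn_is_back(remote)` the branch is also taken for every outgoing connection, whatever its addresses are, so I would reword it to `/* Not INET/INET6 on both sides, or an outgoing (back) connection: emit the address-less UNSPEC/LOCAL header */` (the LOCAL part is inferred from the surrounding code and should be checked against the branch body, which is outside this hunk). This is a wire-visible change for health checks and other back connections, and receivers that do not handle an address-less header will reject it, which appears to be what the thread reports; a one-line comment saying the header form changed intentionally would help whoever bisects this later. make_proxy_line_v2 starts and ends outside this hunk.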
@@ -1256,14 +1257,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct
server *srv, struct connec
ret = PP2_HDR_LEN_UNSPEC;
}
else {
- /* Note: due to historic compatibility with V1 which required
- * to send "PROXY" with local addresses for local connections,
- * we can end up here with the remote in fact being our outgoing
- * connection. We still want to send real addresses and LOCAL on
- * it.
- */
- hdr->ver_cmd = PP2_VERSION;
- hdr->ver_cmd |= conn_is_back(remote) ? PP2_CMD_LOCAL :
PP2_CMD_PROXY;
+ hdr->ver_cmd = PP2_VERSION | PP2_CMD_PROXY;
/* IPv4 for both src and dst */
if (src->ss_family == AF_INET && dst->ss_family == AF_INET) {
if (buf_len < PP2_HDR_LEN_INET)
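Review bot: The new unconditional `hdr->ver_cmd = PP2_VERSION | PP2_CMD_PROXY;` is only correct because the previous hunk diverts `conn_is_back(remote)` into the UNSPEC branch, and nothing left in this else branch says so once the explanatory comment is removed. I would keep a short comment in its place, e.g. `/* Back connections were diverted to the UNSPEC branch above, so only non-back INET/INET6 connections reach here: always PROXY. */`, so the coupling between the two branches is visible to the next reader. make_proxy_line_v2 continues past the end of this hunk, so I cannot see whether the later per-family assignments of ver_cmd still exist in this version.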
--- src/connection.c
+++ src/connection.c
@@ -1318,11 +1318,18 @@ int make_proxy_line_v2(char *buf, int buf_len, struct
server *srv, struct connec
ret = PP2_HDR_LEN_UNSPEC;
}
else {
+ /* Note: due to historic compatibility with V1 which required
+ * to send "PROXY" with local addresses for local connections,
+ * we can end up here with the remote in fact being our outgoing
+ * connection. We still want to send real addresses and LOCAL on
+ * it.
+ */
+ hdr->ver_cmd = PP2_VERSION;
+ hdr->ver_cmd |= conn_is_back(remote) ? PP2_CMD_LOCAL :
PP2_CMD_PROXY;
/* IPv4 for both src and dst */
if (src->ss_family == AF_INET && dst->ss_family == AF_INET) {
if (buf_len < PP2_HDR_LEN_INET)
return 0;
- hdr->ver_cmd = PP2_VERSION | PP2_CMD_PROXY;
hdr->fam = PP2_FAM_INET | PP2_TRANS_STREAM;
hdr->addr.ip4.src_addr = ((struct sockaddr_in
*)src)->sin_addr.s_addr;
hdr->addr.ip4.src_port = ((struct sockaddr_in
*)src)->sin_port;
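Review bot: The two added statements `hdr->ver_cmd = PP2_VERSION;` and `hdr->ver_cmd |= conn_is_back(remote) ? PP2_CMD_LOCAL : PP2_CMD_PROXY;` read more clearly as a single assignment, `hdr->ver_cmd = PP2_VERSION | (conn_is_back(remote) ? PP2_CMD_LOCAL : PP2_CMD_PROXY);`, which also matches the form used by the line removed at the IPv4 branch. The added comment says "We still want to send real addresses and LOCAL"; as far as I recall the PROXY v2 specification has the receiver discard the address block for LOCAL, so it would be worth stating that the addresses are informational here and that a receiver is not expected to use them, to avoid future readers assuming otherwise. The following hunk makes the matching removal in the IPv6 branch but runs past the end of this excerpt, and make_proxy_line_v2 itself starts and ends outside the hunk.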
@@ -1336,7 +1343,6 @@ int make_proxy_line_v2(char *buf, int buf_len, struct
server *srv, struct connec
if (buf_len < PP2_HDR_LEN_INET6)
return 0;
- hdr->ver_cmd = PP2_VERSION | PP2_CMD_PROXY;
hdr->fam = PP2_FAM_INET6 | PP2_TRANS_STREAM;
if (src->ss_family == AF_INET) {
v4tov6(&tmp, &((struct sockaddr_in
*)src)->sin_addr);