Hi Manu.

------ Original Message ------
From: "Emmanuel Hocdet" <m...@gandi.net>
To: "Aleksandar Lazic" <al-hapr...@none.at>
Cc: "haproxy" <haproxy@formilux.org>
Sent: 05.02.2018 14:58:20
Subject: Re: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2


Hi Aleks,

On 2 Feb 2018, at 20:46, Aleksandar Lazic <al-hapr...@none.at> wrote:

Hi Manu.

On 02-02-2018 10:49, Emmanuel Hocdet wrote:
Hi Aleks
On 1 Feb 2018, at 23:34, Aleksandar Lazic <al-hapr...@none.at> wrote:
Hi.
------ Original Message ------
From: "Emmanuel Hocdet" <m...@gandi.net>
To: "haproxy" <haproxy@formilux.org>
Sent: 01.02.2018 17:54:46
Subject: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2
Hi,
This patch introduces proxy-v2-options for send-proxy-v2.
The goal is to add more options from doc/proxy-protocol.txt, especially
all TLS information related to security.
Can this function then replace the current `send-proxy-v2-ssl-cn` && `send-proxy-v2-ssl`?
Yes and no, you must add send-proxy-v2 to activate proxy-v2.
Let's say when the option is 'ssl-cn' then add all three flags as in the current `srv_parse_send_proxy_cn` function?
http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7788
http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7796
With this suggested solution we offer backward compatibility, and the new function is in use.
You must use "send-proxy-v2 proxy-v2-options ssl" for the current
send-proxy-v2-ssl.
You must use "send-proxy-v2 proxy-v2-options cert-cn" for the current
send-proxy-v2-ssl-cn.
The next options should be authority, cert-key, cert-sig, ssl-cipher.
Maybe in the next step there could be a 'tlv' option which can decode custom tlv's ?
http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/connection.c;hb=497959290789002b814b9021a737a3c5f14e7407#l606
Just some brainstorming ;-)
What do you mean?
Haproxy is naturally a producer for ‘tlv’ options (for sure when
related to ssl). I don’t know how ‘tlv’ options (other than netns)
could be really useful to consume, passthru could be more useful.

How about this example.

https://www.mail-archive.com/haproxy@formilux.org/msg28647.html

How to parse custom PROXY protocol v2 header for custom routing in HAProxy configuration?

This describes a case for AWS's own header in PP2, PP2_SUBTYPE_AWS_VPCE_ID. I know it's not easy, but maybe it's worth discussing how to use the free fields in PP2 for some ACLs.


Consuming and producing pp-v2 TLVs are two different things.
For TLV consumption, I work with Varnish and the problem is the same: where to store them and how to use them. I do not know of a generic solution, especially in the case of custom TLVs.
Thanks for the explanation.
I also have no idea for now.

++
Manu
Best regards
aleks
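
What consuming the custom AWS TLV discussed above involves on the receiving side, as an added example (not HAProxy's code and not from this thread): a bounds-checked walk over the TLV area of a PROXY protocol v2 header. The type 0xEA and subtype 0x01 values are taken from AWS's documentation, the function names are hypothetical, and the sample header is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PP2_TYPE_AWS            0xEA  /* assumption: value from AWS docs */
#define PP2_SUBTYPE_AWS_VPCE_ID 0x01  /* assumption: value from AWS docs */
static const uint8_t PP2_SIG[12] = {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A};

/* Find the first TLV of type `want`; returns its value length and sets *val,
 * or -1 if it is absent or the header is malformed. */
int pp2_find_tlv(const uint8_t *buf, size_t n, uint8_t want, const uint8_t **val)
{
    if (n < 16 || memcmp(buf, PP2_SIG, 12) != 0 || (buf[12] >> 4) != 2)
        return -1;
    size_t len = ((size_t)buf[14] << 8) | buf[15];   /* bytes after the 16-byte header */
    unsigned fam = buf[13] >> 4;                      /* 1=AF_INET 2=AF_INET6 3=AF_UNIX */
    size_t addr = fam == 1 ? 12 : fam == 2 ? 36 : fam == 3 ? 216 : 0;
    if (len > n - 16 || addr > len)
        return -1;                                    /* declared length exceeds the data */
    const uint8_t *p = buf + 16 + addr, *end = buf + 16 + len;
    while (end - p >= 3) {
        size_t vlen = ((size_t)p[1] << 8) | p[2];
        if (vlen > (size_t)(end - p) - 3)
            return -1;                                /* TLV would overrun the header */
        if (p[0] == want) { *val = p + 3; return (int)vlen; }
        p += 3 + vlen;
    }
    return -1;
}

/* Copy the VPC endpoint ID into out (NUL-terminated); returns its length or -1. */
int pp2_aws_vpce_id(const uint8_t *buf, size_t n, char *out, size_t outsz)
{
    const uint8_t *v;
    int vlen = pp2_find_tlv(buf, n, PP2_TYPE_AWS, &v);
    if (vlen < 2 || v[0] != PP2_SUBTYPE_AWS_VPCE_ID || (size_t)vlen > outsz)
        return -1;
    memcpy(out, v + 1, (size_t)vlen - 1);
    out[vlen - 1] = '\0';
    return vlen - 1;
}

/* Constructed sample: PROXY/TCP4 header, a NOOP TLV, then an AWS VPCE TLV. */
static const uint8_t SAMPLE[] = {
    0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A,
    0x21, 0x11, 0x00, 0x1E,                           /* v2 PROXY, TCP4, len 30 */
    192,0,2,10, 198,51,100,5, 0xC8,0x22, 0x01,0xBB,   /* src, dst, ports */
    0x04, 0x00,0x02, 0x00,0x00,                       /* PP2_TYPE_NOOP */
    0xEA, 0x00,0x0A, 0x01, 'v','p','c','e','-','0','a','b','c',
};
int main(void) { char id[32]; if (pp2_aws_vpce_id(SAMPLE, sizeof SAMPLE, id, sizeof id) > 0) puts(id); return 0; }
```

The value is only as trustworthy as the peer that sent the header, so a lookup like this belongs behind the same source restrictions as accepting the PROXY protocol at all.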

