[Wireshark-bugs] [Bug 15714] New: Support for the PROXY (v1) protocol (HAPROXY) over TCP

Fri, 19 Apr 2019 16:47:44 -0700 

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15714

            Bug ID: 15714
           Summary: Support for the PROXY (v1) protocol (HAPROXY) over TCP
           Product: Wireshark
           Version: Git
          Hardware: All
                OS: All
            Status: CONFIRMED
          Severity: Enhancement
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: pe...@lekensteyn.nl
                CC: alexis.lagou...@gmail.com
  Target Milestone: ---

Build Information:
v3.1.0rc0-568-g0974b68f5c

--
Bug 14506 added support for the binary PROXY (v2) protocol as defined by
HAPROXY. The referenced document from 1.8 is still current as of 2.0:
https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

HAPROXY itself is a TCP service, so even though the specification mentions UDP
as transport, consider it out-of-scope for now. Not sure how that is supposed
to work since UDP is connectionless, ordering is not guaranteed. (But that
seems irrelevant anyway for v1 which only supports TCP.)

Address families for v1:
- "TCP4" - TCP over IPv4
- "TCP6" - TCP over IPv6
- "UNKNOWN" - sender can omit following data, receiver must ignore the
remainder
   of the line. So effectively it can contain garbage that is not checked by
the
   receiver? The spec does include an example with IPv6 addresses though.

To generate test captures, some available implementations include:
- nginx: supports TCP4/TCP6 only (both as client/server).
  https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html
  https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
- stunnel - supports TCP4/TCP6 as client only. In theory also UNIX domain
  sockets, but "getnameinfo: Unknown error" is printed before it sends data.

Now TCP is a stream-oriented protocol. Possible cases:
- PROXY header is split. Do not support this.
- PROXY header fits exactly. Dissect and done.
- PROXY header is followed by data. Dissect and call next dissector?

The line can be at most 107 (including CRLF) according to the spec.

-- 
You are receiving this mail because:
You are watching all bug changes.
___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

Reply via email to