
Add PROXY over TLS support to PROXY Stream

This commit makes it possible to use PROXY Stream not only over TCP,
but also over TLS. That is, PROXY Stream can now work in two modes as
far as TLS is concerned:

1. PROXY over (plain) TCP - PROXYv2 headers are sent unencrypted before
TLS handshake messages. That is the main mode as described in the
PROXY protocol specification (as it is clearly stated there), and most
of the software expects PROXYv2 support to be implemented that
way (e.g. HAProxy);

2. PROXY over (encrypted) TLS - PROXYv2 headers are sent after the TLS
handshake has happened. For example, this mode is being used (only ?)
by "dnsdist". As far as I can see, that is, in fact, a deviation from
the spec, but I can certainly see how PROXYv2 could end up being
implemented this way elsewhere.
This commit is contained in:
Artem Boldariev
2023-10-17 20:36:58 +03:00
parent fee8b0d8d5
commit 3d1b6c48ab
4 changed files with 115 additions and 10 deletions


@@ -2353,6 +2353,8 @@ isc_nm_has_encryption(const isc_nmhandle_t *handle) {
#endif /* HAVE_LIBNGHTTP2 */
case isc_nm_streamdnssocket:
return (isc__nm_streamdns_has_encryption(handle));
case isc_nm_proxystreamsocket:
return (isc__nm_proxystream_has_encryption(handle));
default:
return (false);
};
@@ -2456,6 +2458,9 @@ isc_nmsocket_set_tlsctx(isc_nmsocket_t *listener, isc_tlsctx_t *tlsctx) {
case isc_nm_streamdnslistener:
isc__nm_streamdns_set_tlsctx(listener, tlsctx);
break;
case isc_nm_proxystreamlistener:
isc__nm_proxystream_set_tlsctx(listener, tlsctx);
break;
default:
UNREACHABLE();
break;
@@ -2697,6 +2702,10 @@ isc__nmhandle_get_selected_alpn(isc_nmhandle_t *handle,
case isc_nm_tlssocket:
isc__nmhandle_tls_get_selected_alpn(handle, alpn, alpnlen);
return;
case isc_nm_proxystreamsocket:
isc__nmhandle_proxystream_get_selected_alpn(handle, alpn,
alpnlen);
return;
default:
break;
};
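Review bot: The new `case isc_nm_proxystreamsocket:` branch in isc_nm_has_encryption (first hunk, `return (isc__nm_proxystream_has_encryption(handle));`) is the one worth a contract note, because after this change a PROXY stream may sit over plain TCP or over TLS and callers gate behaviour on this answer. I cannot see isc__nm_proxystream_has_encryption here, so this is inferred: it should report only whether the transport beneath the PROXY layer is actually TLS, never whether a tlsctx happens to be configured, since in PROXY-over-TCP mode the PROXYv2 header and the client address it carries arrive unencrypted. A short comment on the new case would pin that down, e.g. `/* PROXY Stream may run over TCP or TLS; answer reflects the underlying transport */`. The same question applies to `isc__nm_proxystream_set_tlsctx(listener, tlsctx);` in the second hunk: what a tlsctx means for a listener in plain-TCP mode is not stated, and a comment there (or in the proxystream header) saying whether it is ignored or rejected would help. All three enclosing functions start outside their hunks.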