Add 'proxy' option to 'listen-on' statement

This commit extends "listen-on" statement with "proxy" options that allows one to enable PROXYv2 support on a dedicated listener. It can have the following values: - "plain" to send PROXYv2 headers without encryption, even in the case of encrypted transports. - "encrypted" to send PROXYv2 headers encrypted right after the TLS handshake.
2025-08-31 06:25:31 +00:00 · 2023-10-30 17:03:30 +02:00
parent c9d526d84d
commit f650d3eb63
9 changed files with 168 additions and 42 deletions
--- a/lib/ns/interfacemgr.c
+++ b/lib/ns/interfacemgr.c
@@ -471,25 +471,31 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
 }

 static isc_result_t
-ns_interface_listenudp(ns_interface_t *ifp) {
+ns_interface_listenudp(ns_interface_t *ifp, isc_nm_proxy_type_t proxy) {
 	isc_result_t result;

 	/* Reserve space for an ns_client_t with the netmgr handle */
-	result = isc_nm_listenudp(ifp->mgr->nm, ISC_NM_LISTEN_ALL, &ifp->addr,
-				  ns_client_request, ifp,
-				  &ifp->udplistensocket);
+	if (proxy == ISC_NM_PROXY_NONE) {
+		result = isc_nm_listenudp(ifp->mgr->nm, ISC_NM_LISTEN_ALL,
+					  &ifp->addr, ns_client_request, ifp,
+					  &ifp->udplistensocket);
+	} else {
+		INSIST(proxy == ISC_NM_PROXY_PLAIN);
+		result = isc_nm_listenproxyudp(ifp->mgr->nm, ISC_NM_LISTEN_ALL,
+					       &ifp->addr, ns_client_request,
+					       ifp, &ifp->udplistensocket);
+	}
 	return (result);
 }

 static isc_result_t
-ns_interface_listentcp(ns_interface_t *ifp) {
+ns_interface_listentcp(ns_interface_t *ifp, isc_nm_proxy_type_t proxy) {
 	isc_result_t result;

 	result = isc_nm_listenstreamdns(
 		ifp->mgr->nm, ISC_NM_LISTEN_ALL, &ifp->addr, ns_client_request,
 		ifp, ns__client_tcpconn, ifp, ifp->mgr->backlog,
-		&ifp->mgr->sctx->tcpquota, NULL, ISC_NM_PROXY_NONE,
-		&ifp->tcplistensocket);
+		&ifp->mgr->sctx->tcpquota, NULL, proxy, &ifp->tcplistensocket);
 	if (result != ISC_R_SUCCESS) {
 		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
 			      "creating TCP socket: %s",
@@ -516,13 +522,14 @@ ns_interface_listentcp(ns_interface_t *ifp) {
 * TLS related options.
 */
 static isc_result_t
-ns_interface_listentls(ns_interface_t *ifp, isc_tlsctx_t *sslctx) {
+ns_interface_listentls(ns_interface_t *ifp, isc_nm_proxy_type_t proxy,
+		       isc_tlsctx_t *sslctx) {
 	isc_result_t result;

 	result = isc_nm_listenstreamdns(
 		ifp->mgr->nm, ISC_NM_LISTEN_ALL, &ifp->addr, ns_client_request,
 		ifp, ns__client_tcpconn, ifp, ifp->mgr->backlog,
-		&ifp->mgr->sctx->tcpquota, sslctx, ISC_NM_PROXY_NONE,
+		&ifp->mgr->sctx->tcpquota, sslctx, proxy,
 		&ifp->tcplistensocket);

 	if (result != ISC_R_SUCCESS) {
@@ -566,9 +573,9 @@ load_http_endpoints(isc_nm_http_endpoints_t *epset, ns_interface_t *ifp,
 #endif /* HAVE_LIBNGHTTP2 */

 static isc_result_t
-ns_interface_listenhttp(ns_interface_t *ifp, isc_tlsctx_t *sslctx, char **eps,
-			size_t neps, uint32_t max_clients,
-			uint32_t max_concurrent_streams) {
+ns_interface_listenhttp(ns_interface_t *ifp, isc_nm_proxy_type_t proxy,
+			isc_tlsctx_t *sslctx, char **eps, size_t neps,
+			uint32_t max_clients, uint32_t max_concurrent_streams) {
 #if HAVE_LIBNGHTTP2
 	isc_result_t result = ISC_R_FAILURE;
 	isc_nmsocket_t *sock = NULL;
@@ -585,7 +592,7 @@ ns_interface_listenhttp(ns_interface_t *ifp, isc_tlsctx_t *sslctx, char **eps,
 		result = isc_nm_listenhttp(
 			ifp->mgr->nm, ISC_NM_LISTEN_ALL, &ifp->addr,
 			ifp->mgr->backlog, quota, sslctx, epset,
-			max_concurrent_streams, ISC_NM_PROXY_NONE, &sock);
+			max_concurrent_streams, proxy, &sock);
 	}

 	isc_nm_http_endpoints_detach(&epset);
@@ -629,6 +636,7 @@ ns_interface_listenhttp(ns_interface_t *ifp, isc_tlsctx_t *sslctx, char **eps,
 	return (result);
 #else
 	UNUSED(ifp);
+	UNUSED(proxy);
 	UNUSED(sslctx);
 	UNUSED(eps);
 	UNUSED(neps);
@@ -660,7 +668,7 @@ interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, const char *name,

 	if (elt->is_http) {
 		result = ns_interface_listenhttp(
-			ifp, elt->sslctx, elt->http_endpoints,
+			ifp, elt->proxy, elt->sslctx, elt->http_endpoints,
 			elt->http_endpoints_number, elt->http_max_clients,
 			elt->max_concurrent_streams);
 		if (result != ISC_R_SUCCESS) {
@@ -671,7 +679,7 @@ interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, const char *name,
 	}

 	if (elt->sslctx != NULL) {
-		result = ns_interface_listentls(ifp, elt->sslctx);
+		result = ns_interface_listentls(ifp, elt->proxy, elt->sslctx);
 		if (result != ISC_R_SUCCESS) {
 			goto cleanup_interface;
 		}
@@ -679,7 +687,7 @@ interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, const char *name,
 		return (result);
 	}

-	result = ns_interface_listenudp(ifp);
+	result = ns_interface_listenudp(ifp, elt->proxy);
 	if (result != ISC_R_SUCCESS) {
 		if ((result == ISC_R_ADDRINUSE) && (addr_in_use != NULL)) {
 			*addr_in_use = true;
@@ -688,7 +696,7 @@ interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, const char *name,
 	}

 	if (((mgr->sctx->options & NS_SERVER_NOTCP) == 0)) {
-		result = ns_interface_listentcp(ifp);
+		result = ns_interface_listentcp(ifp, elt->proxy);
 		if (result != ISC_R_SUCCESS) {
 			if ((result == ISC_R_ADDRINUSE) &&
 			    (addr_in_use != NULL))