<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Hi </span><span class="il" style="background-color:rgb(255,255,204);color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">Roger</span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">,</span><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">The PROXY protocol is something that has been discussed, and its addition seen as something we'd like to have in Varnish. There is however, as far as I know, no work in progress other than your own to add it to Varnish. And as you write, it would make it much more convenient to use SSL terminators with Varnish.</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
I have had a look at your current patch, and while it will work, I believe it is a bit too hackish to be considered for inclusion in its current form. As the PROXY protocol is a wrapper protocol of sorts, it should be handled specifically with its own parsing and verification, and then handed over to the HTTP parsing when that has been verified. Your current automagic parsing by piggybacking on the HTTP parsing also has security implications, as it allows a client to craft PROXY lines into the stream that will be picked up, which can be used as an attack vector.</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
I believe that adding this to Varnish will be much easier to accomplish using current master as the basis. This is because a lot of structural changes in preparation for multiprotocol support have already been done there, and this work is not available on the 3.0 or the -plus branch. Some thoughts outlined:</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"><ul><li style="margin-left:15px">The support should be linked to the listening socket, so that the wrapper protocol can be verified and completed before treating it as an HTTP socket. (This socket will then only accept PROXY connections, not regular HTTP connections)</li>
<li style="margin-left:15px">Either a separate FSM should be defined, or special steps of the http1_fsm defined, to handle the PROXY initial states. When the PROXY protocol has been dealt with, state processing should jump to the HTTP. (Requiring some FSM indirection pointer on the sessions, pointing to the current FSM in use).</li>
<li style="margin-left:15px">The addresses parsed from the PROXY lines should replace the client.ip and client.port values. This will allow it to be used with existing VCL scripts and ACL checks, without having to code in special support in VCL configurations. (Discussion item: Should the PROXY ip and port be visible to VCL?)</li>
<li style="margin-left:15px">Any memory allocations necessary should be done on the request object's workspace. This should then be allocated at the front of this before handing the request object to the HTTP FSM. (If the PROXY ip and port are not stored, there might not be need for any dynamic memory allocation)</li>
</ul><div>These thoughts are subject to Poul-Henning's review and opinions as he is the architect of Varnish. He is busy with other major changes at the moment, so he might not have the time to look into this in detail at this time.</div>
</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
Regards,</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Martin Blix Grydeland</div><br><div class="gmail_quote">On Mon, Dec 3, 2012 at 3:10 PM, Roger Nesbitt <span dir="ltr"><<a href="mailto:roger@seriousorange.com" target="_blank">roger@seriousorange.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div>Replying to myself, I decided to jump in and just see how far I could get. Looks like I've got something working, a patch of my prototype is here:</div>
<div><br></div><div> <a href="http://seriousorange.com/varnish-proxy-proto.patch" target="_blank">http://seriousorange.com/varnish-proxy-proto.patch</a></div><div><br></div><div>The one obvious thing wrong with it is that I'm using malloc() to get some memory for configuration (and never freeing it); I can't figure out which memory routines are the right ones to use. Hopefully someone can point me in the right direction with that.</div>
<div><br></div><div>Comments gratefully appreciated.</div><div>Roger</div><div><br></div><div><div>On 3 Dec 2012, at 08:35, Roger Nesbitt wrote:</div><br><blockquote type="cite"><div><div class="h5"><div style="word-wrap:break-word">
Hello,<div><br></div><div>I've got a big chunk of time free and would like to scratch my own itch by implementing the PROXY protocol, as defined at this URL:</div><div><a href="http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt" target="_blank">http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt</a></div>
<div><br></div><div>My thoughts are to initially implement version 1 of the protocol as part of the HTTP server component. This will allow SSL frontends such as stunnel to pass through client IP information, a feature that seems to be often requested.</div>
<div><br></div><div>I'm completely new to the Varnish source; after having a little look today I assume that a VMOD will not be possible due to the integration required into the HTTP parser.</div><div><br></div><div>On first looks, I'm thinking of a detection hook in http1_detect(), although I'd have to figure out some way to indicate that it's the first http request handled on a new connection. If a PROXY line is detected, the code would put the source/destination IP addresses and ports into new variables (maybe something like proxy.source_ip, proxy.dest_ip, proxy.source_port, proxy.dest_port) and leave it up to the user to build an X-Forwarded-For header in VCL should they wish (after checking that client.ip is trusted.)</div>
<div><br></div><div>Detecting the PROXY line should just be a single memcmp; I'm not sure whether the community would want this feature to be able to be manually enabled and disabled.</div><div><br></div><div>Is anyone else currently working on this? Does this idea and general strategy seem sound?</div>
<div><br></div><div>Thanks for your help and suggestions.</div><div>Roger</div></div></div></div>_______________________________________________<br>varnish-dev mailing list<br><a href="mailto:varnish-dev@varnish-cache.org" target="_blank">varnish-dev@varnish-cache.org</a><br>
<a href="https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev" target="_blank">https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev</a></blockquote></div><br></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>
<div><table border="0" cellpadding="0" cellspacing="0" style="font-size:12px;line-height:1.5em;font-family:'Helvetica Neue',Arial,sans-serif;color:rgb(102,102,102);width:550px;border-top-width:1px;border-top-style:solid;border-top-color:rgb(238,238,238);border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(238,238,238);margin-top:20px;padding-top:5px;padding-bottom:5px">
<tbody><tr><td width="100"><a href="http://varnish-software.com" target="_blank"><img src="http://www.varnish-software.com/static/media/logo-email.png"></a><span></span><span></span></td><td><strong style="font-size:14px;color:rgb(34,34,34)">Martin Blix Grydeland</strong><br>
Senior Developer | Varnish Software AS<br>Cell: +47 21 98 92 60<br><span style="font-weight:bold">We Make Websites Fly!</span></td></tr></tbody></table></div><br>
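The parse-and-verify-before-HTTP split discussed in the thread above, as an added example in C that is neither Varnish code nor taken from the patch: a strict PROXY protocol v1 header validator that accepts only a complete, well-formed line at the very start of a connection on a PROXY-only listener and rejects anything else instead of "detecting" it. The `pp_v1` struct and function names are this example's own.

```c
/* Added example, not Varnish code: strict PROXY protocol v1 header parsing that
 * fully validates the line before anything is handed to HTTP parsing. Meant to run
 * only on the first bytes of a connection accepted on a PROXY-only listening socket. */
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PP_V1_MAX 107   /* longest legal v1 line including CRLF (the UNKNOWN case) */

struct pp_v1 {   /* hypothetical result type (this example's own); family is AF_INET/AF_INET6/AF_UNSPEC */
    int family; char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN]; unsigned src_port, dst_port;
};

/* Split on exactly one ' '; doubled or trailing spaces surface as empty fields. */
static char *next_field(char **p) {
    char *f = *p, *sp = f ? strchr(f, ' ') : NULL;
    if (f == NULL) return "";
    if (sp) { *sp = '\0'; *p = sp + 1; } else *p = NULL;
    return f;
}

static int parse_port(const char *s, unsigned *out) {      /* plain decimal 0..65535 only */
    char *end;
    unsigned long v = strtoul(s, &end, 10);
    if (*s < '0' || *s > '9' || *end != '\0' || v > 65535) return 0;
    *out = (unsigned)v;
    return 1;
}

/* Returns the header length in bytes, or 0 if the buffer does not start with a valid
 * header. The caller continues HTTP parsing at buf + length, or closes the connection on 0. */
size_t pp_v1_parse(const char *buf, size_t len, struct pp_v1 *out) {
    char line[PP_V1_MAX + 1], *p = line + 6, *fam, *src, *dst, *sp, *dp;
    struct in6_addr a;
    size_t n = 6;
    memset(out, 0, sizeof *out);
    if (len < 8 || memcmp(buf, "PROXY ", 6) != 0) return 0;
    while (n < len && n < PP_V1_MAX - 2 && buf[n] != '\r') n++;   /* CR must sit within the limit */
    if (n + 1 >= len || buf[n] != '\r' || buf[n + 1] != '\n') return 0;
    memcpy(line, buf, n); line[n] = '\0';
    fam = next_field(&p);
    if (strcmp(fam, "UNKNOWN") == 0) { out->family = AF_UNSPEC; return n + 2; }
    out->family = !strcmp(fam, "TCP4") ? AF_INET : !strcmp(fam, "TCP6") ? AF_INET6 : -1;
    src = next_field(&p); dst = next_field(&p); sp = next_field(&p); dp = next_field(&p);
    if (out->family < 0 || p != NULL) return 0;    /* bad family, extra field, or trailing space */
    if (inet_pton(out->family, src, &a) != 1 || inet_pton(out->family, dst, &a) != 1) return 0;
    if (!parse_port(sp, &out->src_port) || !parse_port(dp, &out->dst_port)) return 0;
    snprintf(out->src, sizeof out->src, "%s", src);
    snprintf(out->dst, sizeof out->dst, "%s", dst);
    return n + 2;
}

/* Small wrappers: header length consumed (0 if rejected), and the parsed destination port. */
size_t pp_v1_consumed(const char *s) { struct pp_v1 r; return pp_v1_parse(s, strlen(s), &r); }
unsigned pp_v1_dst_port(const char *s) { struct pp_v1 r; return pp_v1_parse(s, strlen(s), &r) ? r.dst_port : 0; }
```

Because the parser is only ever invoked on the first bytes of a PROXY-only socket and rejects anything that is not a valid header, a client cannot inject a PROXY line into the middle of an HTTP stream, which is the attack vector noted above.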