annotate mod_net_proxy/mod_net_proxy.lua @ 5193:2bb29ece216b
mod_http_oauth2: Implement stateless dynamic client registration
Replaces previous explicit registration that required either the
additional module mod_adhoc_oauth2_client or manually editing the
database. That method was enough to have something to test with, but
would probably not scale easily.
Dynamic client registration allows creating clients on the fly, which
may be even easier in theory.
In order to not allow basically unauthenticated writes to the database,
we implement a stateless model here.
per_host_key := HMAC(config -> oauth2_registration_key, hostname)
client_id := JWT { client metadata } signed with per_host_key
client_secret := HMAC(per_host_key, client_id)
This should ensure everything we need to know is part of the client_id,
allowing redirects etc to be validated, and the client_secret can be
validated with only the client_id and the per_host_key.
A nonce injected into the client_id JWT should ensure nobody can submit
the same client metadata and retrieve the same client_secret
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 03 Mar 2023 21:14:19 +0100 |
-- mod_net_proxy.lua
-- Copyright (C) 2018 Pascal Mathis <mail@pascalmathis.com>
--
-- Implementation of PROXY protocol versions 1 and 2
-- Specifications: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

-- Loaded once for the whole server (not per VirtualHost): the module works on
-- listening ports, which are configured below via proxy_port_mappings/proxy_ports
module:set_global();

-- Imports
local softreq = require "util.dependencies".softreq;
-- Bit operations: LuaJIT/Lua 5.1 "bit", then Lua 5.2 "bit32", then Prosody's
-- util.bitcompat as a fallback for interpreters that ship neither (e.g. Lua 5.4)
local bit = assert(softreq "bit" or softreq "bit32" or softreq "util.bitcompat", "No bit module found. See https://prosody.im/doc/depends#bitop");
local hex = require "util.hex";
local ip = require "util.ip";
local net = require "util.net";
local set = require "util.set";
local portmanager = require "core.portmanager";

18 -- Backwards Compatibility |
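-- Fallback for util.net.ntop on older Prosody versions (0.10) whose util.net
-- has no ntop: render a packed binary address in printable form.
-- @tparam string input packed address, 4 bytes (IPv4) or 16 bytes (IPv6)
-- @treturn string|nil dotted-quad IPv4, compressed ("::") IPv6, or nil when
--   the input has any other length
local function net_ntop_bc(input)
	local byte_count = input:len();
	if byte_count == 4 then
		return string.format("%d.%d.%d.%d", input:byte(1, 4));
	elseif byte_count == 16 then
		local groups = {};

		-- Each 16-bit group is written in lowercase hex without leading zeroes
		for index = 1, 8 do
			local high, low = input:byte(index * 2 - 1, index * 2);
			groups[index] = string.format("%x", high * 256 + low);
		end
		local address = table.concat(groups, ":", 1, 8);

		-- Find the longest run of consecutive zero groups: a run at the very
		-- start is measured first, then every ':'-prefixed run; only a run of
		-- at least two groups matches, a lone "0" group is never collapsed.
		local token;
		local longest = (address:match("^0:[0:]+()") or 1) - 1;
		for run in address:gmatch(":0:[0:]+") do
			if longest < #run then
				longest, token = #run, run;
			end
		end

		-- Collapse that run into "::". gsub also returns the replacement count;
		-- the parentheses truncate to the string so callers that forward the
		-- result as a trailing argument do not receive a stray number.
		return (address:gsub(token or "^0:[0:]+", "::", 1));
	end
	-- Neither IPv4 nor IPv6 sized input
	return nil;
end
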
-- Use the native util.net.ntop when this Prosody version provides one,
-- otherwise the pure-Lua fallback above
local net_ntop = net.ntop
if not net_ntop then
	net_ntop = net_ntop_bc
end

48 -- Utility Functions |
-- Build the reverse lookup of a table: { NAME = code } -> { [code] = "NAME" }.
-- When several keys share one value, whichever is visited last wins.
-- @tparam table input
-- @treturn table
local function _table_invert(input)
	local inverted = {};
	local name, code = next(input);
	while name ~= nil do
		inverted[code] = name;
		name, code = next(input, name);
	end
	return inverted;
end

57 -- Constants |
-- Address family and transport codes as numbered by the PROXY protocol
-- specification, plus their reverse lookups (code -> name) used for logging
local ADDR_FAMILY = { UNSPEC = 0x0, INET = 0x1, INET6 = 0x2, UNIX = 0x3 };
local ADDR_FAMILY_STR = _table_invert(ADDR_FAMILY);
local TRANSPORT = { UNSPEC = 0x0, STREAM = 0x1, DGRAM = 0x2 };
local TRANSPORT_STR = _table_invert(TRANSPORT);

-- Cap on bytes buffered while waiting for a complete header (the spec bounds
-- a PROXYv1 line at 107 bytes; PROXYv2 has a 16-byte fixed part plus optional
-- TLVs). NOTE(review): how this cap is enforced is not visible here — confirm
-- in the connection handler.
local PROTO_MAX_HEADER_LENGTH = 256;
-- Per-version signatures: PROXYv1 starts with the ASCII text "PROXY",
-- PROXYv2 with the 12-byte binary prefix \r\n\r\n\0\r\nQUIT\n. The callbacks
-- are assigned further down under "Protocol Handler Functions".
local PROTO_HANDLERS = {
	PROXYv1 = { signature = hex.from("50524F5859"), callback = nil },
	PROXYv2 = { signature = hex.from("0D0A0D0A000D0A515549540A"), callback = nil }
};
-- Handler results: SUCCESS = header parsed and stripped, POSTPONE = wait for
-- more data, FAILURE = header rejected (invalid/unparseable)
local PROTO_HANDLER_STATUS = { SUCCESS = 0, POSTPONE = 1, FAILURE = 2 };

70 -- Configuration Variables |
-- proxy_port_mappings: which listening ports carry PROXY-prefixed connections
-- and for which service (exact shape is consumed in code not visible here)
local config_mappings = module:get_option("proxy_port_mappings", {});
-- proxy_ports: ports to accept PROXY headers on; when left empty, all mapped
-- ports are used (see module history)
local config_ports = module:get_option_set("proxy_ports", {});
-- proxy_trusted_proxies: addresses allowed to send a PROXY header. Defaults to
-- loopback only. Every address listed here may assert an arbitrary client
-- source address/port for its connections, so list only the real load
-- balancers in front of this server.
local config_trusted_proxies = module:get_option_set("proxy_trusted_proxies", {"127.0.0.1", "::1"});

75 -- Persistent In-Memory Storage |
-- sessions: per-connection state (including the input buffer read by the
-- handlers) for connections still waiting on a PROXY header; presumably keyed
-- by connection — confirm against the listener code
local sessions = {};
-- mappings: port -> service mapping resolved from config_mappings
local mappings = {};
-- trusted_networks: parsed proxy_trusted_proxies entries; presumably checked
-- against conn:ip() before a header is honoured — confirm in the listener
local trusted_networks = set.new();

80 -- Proxy Data Methods |
-- Metatable shared by all proxy data objects; the accessor methods defined
-- below are reached through __index
local proxy_data_mt = {};
proxy_data_mt.__index = proxy_data_mt;

-- One-line, log-friendly summary of the proxied connection.
-- @treturn string "proto=<family>/<transport> src=<addr>:<port> dst=<addr>:<port>"
function proxy_data_mt:describe()
	local family, transport = self:addr_family_str(), self:transport_str();
	local src_addr, src_port = self:src_addr(), self:src_port();
	local dst_addr, dst_port = self:dst_addr(), self:dst_port();
	return string.format("proto=%s/%s src=%s:%d dst=%s:%d",
		family, transport, src_addr, src_port, dst_addr, dst_port);
end

-- Name of the address family ("INET", "INET6", ...); unknown codes are
-- reported as "UNSPEC" rather than nil
-- @treturn string
function proxy_data_mt:addr_family_str()
	local name = ADDR_FAMILY_STR[self._addr_family];
	if name then
		return name;
	end
	return ADDR_FAMILY_STR[ADDR_FAMILY.UNSPEC];
end

-- Name of the transport ("STREAM", "DGRAM"); unknown codes are reported as
-- "UNSPEC" rather than nil
-- @treturn string
function proxy_data_mt:transport_str()
	local name = TRANSPORT_STR[self._transport];
	if name then
		return name;
	end
	return TRANSPORT_STR[TRANSPORT.UNSPEC];
end

-- PROXY protocol version the header was parsed from (1 for PROXYv1 headers)
-- @treturn number
function proxy_data_mt:version()
	return self._version;
end

-- Raw address family value as stored by the handler that built this object.
-- NOTE(review): the PROXYv1 handler appears to store the header token itself
-- (e.g. "TCP4") rather than the ADDR_FAMILY code, in which case
-- addr_family_str() falls back to "UNSPEC" for v1 connections — confirm.
-- @return address family (ADDR_FAMILY code, or the v1 header token)
function proxy_data_mt:addr_family()
	return self._addr_family;
end

-- Transport code (see TRANSPORT); PROXYv1 connections are always STREAM
-- @treturn number
function proxy_data_mt:transport()
	return self._transport;
end

-- Client source address as asserted by the proxy (validated with util.ip by
-- the handler before being stored)
-- @treturn string
function proxy_data_mt:src_addr()
	return self._src_addr;
end

-- Client source port as asserted by the proxy
-- @treturn number
function proxy_data_mt:src_port()
	return self._src_port;
end

-- Destination address the client connected to, as reported by the proxy
-- @treturn string
function proxy_data_mt:dst_addr()
	return self._dst_addr;
end

-- Destination port the client connected to, as reported by the proxy
-- @treturn number
function proxy_data_mt:dst_port()
	return self._dst_port;
end

124 -- Protocol Handler Functions |
125 PROTO_HANDLERS["PROXYv1"].callback = function(conn, session) |
126 local addr_family_mappings = { TCP4 = ADDR_FAMILY.INET, TCP6 = ADDR_FAMILY.INET6 }; |
127 |
128 -- Postpone processing if CRLF (PROXYv1 header terminator) does not exist within buffer |
129 if session.buffer:find("\r\n") == nil then |
130 return PROTO_HANDLER_STATUS.POSTPONE, nil; |
131 end |
132 |
133 -- Declare header pattern and match current buffer against pattern |
134 local header_pattern = "^PROXY (%S+) (%S+) (%S+) (%d+) (%d+)\r\n"; |
135 local addr_family, src_addr, dst_addr, src_port, dst_port = session.buffer:match(header_pattern); |
136 src_port, dst_port = tonumber(src_port), tonumber(dst_port); |
137 |
138 -- Ensure that header was successfully parsed and contains a valid address family |
139 if addr_family == nil or src_addr == nil or dst_addr == nil or src_port == nil or dst_port == nil then |
140 module:log("warn", "Received unparseable PROXYv1 header from %s", conn:ip()); |
141 return PROTO_HANDLER_STATUS.FAILURE, nil; |
142 end |
143 if addr_family_mappings[addr_family] == nil then |
144 module:log("warn", "Received invalid PROXYv1 address family from %s: %s", conn:ip(), addr_family); |
145 return PROTO_HANDLER_STATUS.FAILURE, nil; |
146 end |
147 |
148 -- Ensure that received source and destination ports are within 1 and 65535 (0xFFFF) |
149 if src_port <= 0 or src_port >= 0xFFFF then |
150 module:log("warn", "Received invalid PROXYv1 source port from %s: %d", conn:ip(), src_port); |
151 return PROTO_HANDLER_STATUS.FAILURE, nil; |
152 end |
153 if dst_port <= 0 or dst_port >= 0xFFFF then |
154 module:log("warn", "Received invalid PROXYv1 destination port from %s: %d", conn:ip(), dst_port); |
155 return PROTO_HANDLER_STATUS.FAILURE, nil; |
156 end |
157 |
158 -- Ensure that received source and destination address can be parsed |
159 local _, err = ip.new_ip(src_addr); |
160 if err ~= nil then |
161 module:log("warn", "Received unparseable PROXYv1 source address from %s: %s", conn:ip(), src_addr); |
162 return PROTO_HANDLER_STATUS.FAILURE, nil; |
163 end |
164 _, err = ip.new_ip(dst_addr); |
165 if err ~= nil then |
166 module:log("warn", "Received unparseable PROXYv1 destination address from %s: %s", conn:ip(), dst_addr); |
167 return PROTO_HANDLER_STATUS.FAILURE, nil; |
168 end |
169 |
170 -- Strip parsed header from session buffer and build proxy data |
171 session.buffer = session.buffer:gsub(header_pattern, ""); |
172 |
173 local proxy_data = { |
174 _version = 1, |
175 _addr_family = addr_family, _transport = TRANSPORT.STREAM, |
176 _src_addr = src_addr, _src_port = src_port, |
177 _dst_addr = dst_addr, _dst_port = dst_port |
178 }; |
179 setmetatable(proxy_data, proxy_data_mt); |
180 |
181 -- Return successful response with gathered proxy data |
182 return PROTO_HANDLER_STATUS.SUCCESS, proxy_data; |
183 end |
184 |
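-- Minimum number of payload bytes a PROXYv2 header with command PROXY must announce for each
-- address family: source and destination address, followed by source and destination port for
-- the IP families (INET: 4+4+2+2, INET6: 16+16+2+2, UNIX: 108+108). Any TLVs follow after that.
local PROXYv2_ADDR_BLOCK_LENGTH = {
	[ADDR_FAMILY.INET] = 12,
	[ADDR_FAMILY.INET6] = 36,
	[ADDR_FAMILY.UNIX] = 216,
};

-- Extract source/destination addresses and ports from the payload of a PROXYv2 header with
-- command PROXY. Returns src_addr, src_port, dst_addr, dst_port. Addresses stay nil for UNSPEC
-- or unknown families, ports stay nil for UNIX sockets. The caller must already have verified
-- that the payload is at least PROXYv2_ADDR_BLOCK_LENGTH[addr_family] bytes long.
local function parse_proxyv2_addresses(payload, addr_family)
	local src_addr, src_port, dst_addr, dst_port;
	local offset = 1;

	-- Parse source and destination addresses
	if addr_family == ADDR_FAMILY.INET then
		src_addr = net_ntop(payload:sub(offset, offset + 3)); offset = offset + 4;
		dst_addr = net_ntop(payload:sub(offset, offset + 3)); offset = offset + 4;
	elseif addr_family == ADDR_FAMILY.INET6 then
		src_addr = net_ntop(payload:sub(offset, offset + 15)); offset = offset + 16;
		dst_addr = net_ntop(payload:sub(offset, offset + 15)); offset = offset + 16;
	elseif addr_family == ADDR_FAMILY.UNIX then
		src_addr = payload:sub(offset, offset + 107); offset = offset + 108;
		dst_addr = payload:sub(offset, offset + 107);
	end

	-- Parse source and destination ports (big-endian 16 bit, only present for INET/INET6)
	if addr_family == ADDR_FAMILY.INET or addr_family == ADDR_FAMILY.INET6 then
		src_port = bit.bor(payload:byte(offset + 1), bit.lshift(payload:byte(offset), 8)); offset = offset + 2;
		dst_port = bit.bor(payload:byte(offset + 1), bit.lshift(payload:byte(offset), 8));
	end

	return src_addr, src_port, dst_addr, dst_port;
end

-- Handle a PROXY protocol version 2 header at the start of 'session.buffer'. Returns a
-- PROTO_HANDLER_STATUS and, on SUCCESS, the proxy data describing the original client.
-- POSTPONE is returned while the header is still incomplete, FAILURE for malformed or
-- unsupported headers. On SUCCESS the whole header has been stripped from 'session.buffer'.
PROTO_HANDLERS["PROXYv2"].callback = function(conn, session)
	-- Postpone processing if less than 16 bytes are available
	if #session.buffer < 16 then
		return PROTO_HANDLER_STATUS.POSTPONE, nil;
	end

	-- Parse first 16 bytes of protocol header (byte 13: version/command nibbles, byte 14:
	-- address family/transport nibbles, bytes 15-16: big-endian length of the remaining header)
	local version = bit.rshift(bit.band(session.buffer:byte(13), 0xF0), 4);
	local command = bit.band(session.buffer:byte(13), 0x0F);
	local addr_family = bit.rshift(bit.band(session.buffer:byte(14), 0xF0), 4);
	local transport = bit.band(session.buffer:byte(14), 0x0F);
	local length = bit.bor(session.buffer:byte(16), bit.lshift(session.buffer:byte(15), 8));

	-- Ensure that version number is correct. This is checked before waiting for the announced
	-- length so that a bogus header is rejected without first buffering up to 64 KiB for it.
	if version ~= 0x2 then
		module:log("warn", "Received unsupported PROXYv2 version from %s: %d", conn:ip(), version);
		return PROTO_HANDLER_STATUS.FAILURE, nil;
	end

	-- Postpone processing if less than 16+<length> bytes are available
	if #session.buffer < 16 + length then
		return PROTO_HANDLER_STATUS.POSTPONE, nil;
	end

	-- Only the <length> bytes announced by the header belong to it; limiting the payload to
	-- them guarantees that address parsing never reads into the application data that follows
	local payload = session.buffer:sub(17, 16 + length);

	if command == 0x0 then
		-- LOCAL command: the proxy connects on its own behalf (e.g. health checks), so gather
		-- source/destination addresses and ports from the local socket instead of the header
		local src_addr, src_port = conn:socket():getpeername();
		local dst_addr, dst_port = conn:socket():getsockname();

		-- Strip the complete header (including any TLVs) from the session buffer, otherwise the
		-- header bytes would be handed to the service as if they were application data
		session.buffer = session.buffer:sub(17 + length);

		-- Build proxy data based on real connection information
		local proxy_data = {
			_version = version,
			_addr_family = addr_family, _transport = transport,
			_src_addr = src_addr, _src_port = src_port,
			_dst_addr = dst_addr, _dst_port = dst_port
		};
		setmetatable(proxy_data, proxy_data_mt);

		-- Return successful response with gathered proxy data
		return PROTO_HANDLER_STATUS.SUCCESS, proxy_data;
	elseif command == 0x1 then
		-- Verify transport protocol is either STREAM or DGRAM
		if transport ~= TRANSPORT.STREAM and transport ~= TRANSPORT.DGRAM then
			module:log("warn", "Received unsupported PROXYv2 transport from %s: 0x%02X", conn:ip(), transport);
			return PROTO_HANDLER_STATUS.FAILURE, nil;
		end

		-- Reject headers whose announced length cannot hold the address block of the given family;
		-- without this check a short length would make the port parsing index past the payload
		local required_length = PROXYv2_ADDR_BLOCK_LENGTH[addr_family];
		if required_length ~= nil and length < required_length then
			module:log("warn", "Received truncated PROXYv2 header from %s: %d bytes, expected at least %d for address family 0x%02X",
				conn:ip(), length, required_length, addr_family);
			return PROTO_HANDLER_STATUS.FAILURE, nil;
		end

		-- Parse source and destination addresses and ports
		local src_addr, src_port, dst_addr, dst_port = parse_proxyv2_addresses(payload, addr_family);

		-- Strip parsed header from session buffer and build proxy data
		session.buffer = session.buffer:sub(17 + length);

		local proxy_data = {
			_version = version,
			_addr_family = addr_family, _transport = transport,
			_src_addr = src_addr, _src_port = src_port,
			_dst_addr = dst_addr, _dst_port = dst_port
		};
		setmetatable(proxy_data, proxy_data_mt);

		-- Return successful response with gathered proxy data
		return PROTO_HANDLER_STATUS.SUCCESS, proxy_data;
	else
		module:log("warn", "Received unsupported PROXYv2 command from %s: 0x%02X", conn:ip(), command);
		return PROTO_HANDLER_STATUS.FAILURE, nil;
	end
end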
273 |
-- Wrap an existing connection with the provided proxy data. This will override several methods of the 'conn' object to
-- return the proxied source instead of the source which initiated the TCP connection. Afterwards, the listener of the
-- connection gets set according to the globally defined port<>service mappings and the methods 'onconnect' and
-- 'onincoming' are being called manually with the current session buffer.
local function wrap_proxy_connection(conn, session, proxy_data)
	-- Keep the real (proxy-side) address accessors reachable as 'proxyip'/'proxyport' before they are
	-- overridden, so the address of the proxy itself stays available for logging
	conn.proxyip, conn.proxyport = conn.ip, conn.port;

	-- Only expose the proxied source when the header delivered both an address and a port; the
	-- accessors consult proxy_data on every call rather than caching the values
	if proxy_data:src_addr() ~= nil and proxy_data:src_port() ~= nil then
		local function proxied_ip()
			return proxy_data:src_addr();
		end
		local function proxied_port()
			return proxy_data:src_port();
		end
		conn.ip, conn.port = proxied_ip, proxied_port;
		conn.clientport = proxied_port;
	end

	-- Attempt to find service by processing port<>service mappings (mapping keys are numeric ports)
	local mapping = mappings[tonumber(conn:serverport())];
	if mapping == nil then
		conn:close();
		module:log("warn", "Connection %s@%s terminated: Could not find mapping for port %d",
			conn:ip(), conn:proxyip(), conn:serverport());
		return;
	end

	-- Resolve the service behind the mapping on first use and cache it on the mapping
	local service = mapping.service;
	if service == nil then
		service = portmanager.get_service(mapping.service_name);
		if service == nil then
			conn:close();
			module:log("warn", "Connection %s@%s terminated: Could not process mapping for unknown service %s",
				conn:ip(), conn:proxyip(), mapping.service_name);
			return;
		end
		mapping.service = service;
	end

	-- Pass connection to actual service listener and simulate onconnect/onincoming callbacks
	local service_listener = service.listener;
	module:log("info", "Passing proxied connection %s:%d to service %s", conn:ip(), conn:port(), mapping.service_name);
	conn:setlistener(service_listener);
	local onconnect = service_listener.onconnect;
	if onconnect then
		onconnect(conn);
	end
	return service_listener.onincoming(conn, session.buffer);
end
323 |
324 local function is_trusted_proxy(conn) |
325 -- If no trusted proxies were configured, trust any incoming connection |
326 -- While this may seem insecure, the module defaults to only trusting 127.0.0.1 and ::1 |
327 if trusted_networks:empty() then |
328 return true; |
329 end |
330 |
331 -- Iterate through all trusted proxies and check for match against connected IP address |
504bb330e910
mod_net_proxy: Added proxy_trusted_proxies for whitelisting incoming connections
Pascal Mathis <mail@pascalmathis.com>
parents:
2962
diff
changeset
|
332 local conn_ip = ip.new_ip(conn:ip()); |
504bb330e910
mod_net_proxy: Added proxy_trusted_proxies for whitelisting incoming connections
Pascal Mathis <mail@pascalmathis.com>
parents:
2962
diff
changeset
|
333 for trusted_network in trusted_networks:items() do |
504bb330e910
mod_net_proxy: Added proxy_trusted_proxies for whitelisting incoming connections
Pascal Mathis <mail@pascalmathis.com>
parents:
2962
diff
changeset
|
334 if ip.match(trusted_network.ip, conn_ip, trusted_network.cidr) then |
504bb330e910
mod_net_proxy: Added proxy_trusted_proxies for whitelisting incoming connections
Pascal Mathis <mail@pascalmathis.com>
parents:
2962
diff
changeset
|
335 return true; |
504bb330e910
mod_net_proxy: Added proxy_trusted_proxies for whitelisting incoming connections
Pascal Mathis <mail@pascalmathis.com>
parents:
2962
diff
changeset
|
336 end |
504bb330e910
mod_net_proxy: Added proxy_trusted_proxies for whitelisting incoming connections
Pascal Mathis <mail@pascalmathis.com>
parents:
2962
diff
changeset
|
337 end |
504bb330e910
mod_net_proxy: Added proxy_trusted_proxies for whitelisting incoming connections
Pascal Mathis <mail@pascalmathis.com>
parents:
2962
diff
changeset
|
338 |
504bb330e910
mod_net_proxy: Added proxy_trusted_proxies for whitelisting incoming connections
Pascal Mathis <mail@pascalmathis.com>
parents:
2962
diff
changeset
|
339 -- Connection does not match any trusted proxy |
504bb330e910
mod_net_proxy: Added proxy_trusted_proxies for whitelisting incoming connections
Pascal Mathis <mail@pascalmathis.com>
parents:
2962
diff
changeset
|
340 return false; |
504bb330e910
mod_net_proxy: Added proxy_trusted_proxies for whitelisting incoming connections
Pascal Mathis <mail@pascalmathis.com>
parents:
2962
diff
changeset
|
341 end |
504bb330e910
mod_net_proxy: Added proxy_trusted_proxies for whitelisting incoming connections
Pascal Mathis <mail@pascalmathis.com>
parents:
2962
diff
changeset
|
342 |
-- Network Listener Methods
-- The callbacks collected on this table are registered as the listener of the "proxy"
-- service via module:provides("net", ...) at the end of the file.
local listener = {};

--- Accept or reject a new connection before any PROXY header is read.
-- Connections without a usable peer address and connections from peers outside the
-- trusted proxy set are closed; everything else gets an empty session entry.
-- @param conn connection object supplying ip() and close()
function listener.onconnect(conn)
	-- A nil address can occur when the socket was already closed before the net.server
	-- backend could determine the peer address; such connections are dropped silently.
	local remote_ip = conn:ip();
	if remote_ip == nil then
		conn:close();
		return;
	end

	-- Only trusted proxies may speak the PROXY protocol to us
	if not is_trusted_proxy(conn) then
		conn:close();
		module:log("warn", "Dropped connection from untrusted proxy: %s", remote_ip);
		return;
	end

	-- Fresh session: handler and buffer are filled in by onincoming
	sessions[conn] = { handler = nil, buffer = nil };
end

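--- Handle data arriving on a connection that was accepted from a trusted proxy.
-- Buffers the data until one of the PROTO_HANDLERS signatures matches, then lets that
-- handler parse the PROXY header and hands the connection over to the real service.
-- @param conn connection object supplying ip(), port() and close()
-- @param data string chunk received on conn, or nil
-- @return the result of wrap_proxy_connection once a header was parsed, nil otherwise
function listener.onincoming(conn, data)
	-- Abort processing if no data has been received
	if not data then
		return;
	end

	-- Lookup session for connection and append received data to buffer.
	-- onconnect creates no session for rejected connections, so ignore any data that still shows up on them
	local session = sessions[conn];
	if not session then
		return;
	end
	session.buffer = session.buffer and session.buffer .. data or data;

	-- Attempt to determine protocol handler if not done previously
	if session.handler == nil then
		-- Match current session buffer against all known protocol signatures to determine protocol handler
		for handler_name, handler in pairs(PROTO_HANDLERS) do
			if session.buffer:find("^" .. handler.signature) ~= nil then
				session.handler = handler.callback;
				module:log("debug", "Detected %s connection from %s:%d", handler_name, conn:ip(), conn:port());
				break;
			end
		end

		-- Decide between waiting for a complete header signature or terminating the connection when no handler has been found
		if session.handler == nil then
			-- Terminate connection if buffer size has exceeded tolerable maximum size; there is nothing
			-- left to wait for afterwards, so do not fall through to the "waiting for more data" log
			if #session.buffer > PROTO_MAX_HEADER_LENGTH then
				conn:close();
				module:log("warn", "Connection %s:%d terminated: No valid PROXY header within %d bytes",
					conn:ip(), conn:port(), PROTO_MAX_HEADER_LENGTH);
				return;
			end

			-- Skip further processing without a valid protocol handler
			module:log("debug", "No valid header signature detected from %s:%d, waiting for more data...",
				conn:ip(), conn:port());
			return;
		end
	end

	-- Execute proxy protocol handler and process response
	local response, proxy_data = session.handler(conn, session);
	if response == PROTO_HANDLER_STATUS.SUCCESS then
		module:log("info", "Received PROXY header from %s: %s", conn:ip(), proxy_data:describe());
		return wrap_proxy_connection(conn, session, proxy_data);
	elseif response == PROTO_HANDLER_STATUS.POSTPONE then
		module:log("debug", "Postponed parsing of incomplete PROXY header received from %s", conn:ip());
		return;
	elseif response == PROTO_HANDLER_STATUS.FAILURE then
		conn:close();
		-- Lua concatenates with "..": the former "+" raised an arithmetic error on this path
		module:log("warn", "Connection %s terminated: Could not process PROXY header from client, "
			.. "see previous log messages.", conn:ip());
		return;
	else
		-- This code should be never reached, but is included for completeness
		conn:close();
		-- %s with tostring() so that a nil or non-numeric response cannot make the log call itself fail
		module:log("warn", "Connection terminated: Received invalid protocol handler response with code %s", tostring(response));
		return;
	end
end
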
--- Drop the buffered session state of a connection that went away.
-- @param conn connection object used as the key into sessions
function listener.ondisconnect(conn)
	local session_store = sessions;
	session_store[conn] = nil;
end

-- A connection detached from this listener is handled like a disconnect: its session entry is dropped
listener.ondetach = listener.ondisconnect;

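-- Parse trusted proxies which can either contain single hosts or networks
if not config_trusted_proxies:empty() then
	for trusted_proxy in config_trusted_proxies:items() do
		local network = {};
		network.ip, network.cidr = ip.parse_cidr(trusted_proxy);
		-- Refuse to load with an unparsable entry (ip.parse_cidr presumably yields nil for those).
		-- Storing it would leave a nil address in the set, and silently skipping it could leave
		-- the set empty, which is_trusted_proxy treats as "trust every connection".
		if network.ip == nil then
			error(("Invalid entry in proxy_trusted_proxies: %s"):format(tostring(trusted_proxy)));
		end
		trusted_networks:add(network);
	end
else
	module:log("warn", "No trusted proxies configured, all connections will be accepted - this might be dangerous");
end
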
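-- Process all configured port mappings and generate a list of mapped ports.
-- mapped_ports is also handed to module:provides() below as the default listening ports.
local mapped_ports = {};
for port_key, mapping in pairs(config_mappings) do
	-- Config keys may arrive as strings; coerce explicitly and reject keys that are not numbers
	-- instead of failing later with an opaque "table index is nil" on mappings[port]
	local port = tonumber(port_key);
	if port == nil then
		module:log("error", "Ignoring port<>service mapping with non-numeric port: %s", tostring(port_key));
	else
		mapped_ports[#mapped_ports + 1] = port;
		mappings[port] = {
			service_name = mapping,
			service = nil,
		};
	end
end

-- Log error message when user manually specifies ports without configuring the necessary port mappings
if not config_ports:empty() then
	local missing_ports = config_ports - set.new(mapped_ports);
	if not missing_ports:empty() then
		module:log("error", "Missing port<>service mappings for these ports: %s", tostring(missing_ports));
	end
end
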
462 -- Register the previously declared network listener |
9a62780e7ee2
mod_net_proxy: New module implementing PROXY protocol versions 1 and 2
Pascal Mathis <mail@pascalmathis.com>
parents:
diff
changeset
|
463 module:provides("net", { |
9a62780e7ee2
mod_net_proxy: New module implementing PROXY protocol versions 1 and 2
Pascal Mathis <mail@pascalmathis.com>
parents:
diff
changeset
|
464 name = "proxy"; |
9a62780e7ee2
mod_net_proxy: New module implementing PROXY protocol versions 1 and 2
Pascal Mathis <mail@pascalmathis.com>
parents:
diff
changeset
|
465 listener = listener; |
2961
33227efa2cdc
mod_net_proxy: Automatically listen on all mapped ports if proxy_ports was not configured
Pascal Mathis <mail@pascalmathis.com>
parents:
2935
diff
changeset
|
466 default_ports = mapped_ports; |
2930
9a62780e7ee2
mod_net_proxy: New module implementing PROXY protocol versions 1 and 2
Pascal Mathis <mail@pascalmathis.com>
parents:
diff
changeset
|
467 }); |