comparison mod_net_proxy/README.markdown @ 2963:504bb330e910
mod_net_proxy: Added proxy_trusted_proxies for whitelisting incoming connections
| author | Pascal Mathis <mail@pascalmathis.com> |
|---|---|
| date | Wed, 28 Mar 2018 20:47:41 +0200 |
| parents | 33227efa2cdc |
| children | 1c336d0d0214 |
2962:6b01600b9c02 | 2963:504bb330e910 |
---|---|
35 shall be used or not, you need to configure separate ports for all the services | 35 shall be used or not, you need to configure separate ports for all the services |
36 that should be exposed with PROXY protocol support: | 36 that should be exposed with PROXY protocol support: |
37 | 37 |
38 ```lua | 38 ```lua |
39 --[[ | 39 --[[ |
40 Hint: While you can manually override the ports this module is listening on with | 40 Maps TCP ports to a specific Prosody network service. Further information about |
41 the "proxy_ports" directive, it is highly recommended to not set it and instead | 41 available service names can be found further down below in the module documentation. |
42 only configure the appropriate mappings with "proxy_port_mappings", which will | 42 ]]-- |
43 automatically start listening on all mapped ports. | |
44 ]]-- | |
45 | |
46 proxy_port_mappings = { | 43 proxy_port_mappings = { |
47 [15222] = "c2s", | 44 [15222] = "c2s", |
48 [15269] = "s2s" | 45 [15269] = "s2s" |
49 } | 46 } |
47 | |
48 --[[ | |
49 Specifies a list of trusted hosts or networks which may use the PROXY protocol | |
50 If not specified, it will default to: 127.0.0.1, ::1 (local connections only) | |
51 An empty table ({}) can be configured to allow connections from any source. | |
52 Please read the module documentation about potential security impact. | |
53 ]]-- | |
54 proxy_trusted_proxies = { | |
55 "192.168.10.1", | |
56 "172.16.0.0/16" | |
57 } | |
58 | |
59 --[[ | |
60 While you can manually override the ports this module is listening on with | |
61 the "proxy_ports" directive, it is highly recommended to not set it and instead | |
62 only configure the appropriate mappings with "proxy_port_mappings", which will | |
63 automatically start listening on all mapped ports. | |
64 | |
65 Example: proxy_ports = { 15222, 15269 } | |
66 ]]-- | |
50 ``` | 67 ``` |
51 | 68 |
52 The above example configuration, which needs to be placed in the global section, | 69 The above example configuration, which needs to be placed in the global section, |
53 would listen on both tcp/15222 and tcp/15269. All incoming connections to these ports | 70 would listen on both tcp/15222 and tcp/15269. All incoming connections have to |
54 have to be initiated by a PROXYv1 or PROXYv2 sender and will get mapped to the | 71 originate from trusted hosts/networks (configured by _proxy_trusted_proxies_) and |
55 configured service name after initializating the connection. | 72 must be initiated by a PROXYv1 or PROXYv2 sender. After processing the PROXY |
73 protocol, those connections will get mapped to the configured service name. | |
56 | 74 |
57 Please note that each port handled by _mod_net_proxy_ must be mapped to another | 75 Please note that each port handled by _mod_net_proxy_ must be mapped to another |
58 service name by adding an item to _proxy_port_mappings_, otherwise a warning will | 76 service name by adding an item to _proxy_port_mappings_, otherwise a warning will |
59 be printed during module initialization and all incoming connections to unmapped ports | 77 be printed during module initialization and all incoming connections to unmapped ports |
60 will be dropped after processing the PROXY protocol requests. | 78 will be dropped after processing the PROXY protocol requests. |
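Review bot: the new `proxy_trusted_proxies` comment (new lines 48-53) states that an empty table `{}` allows the PROXY protocol from any source and then says "Please read the module documentation about potential security impact", but this hunk adds no such section, so the README now refers to text that does not exist. Suggest adding that paragraph directly after the one introducing _proxy_trusted_proxies_ (new lines 69-73), spelling out what is implied by "allow connections from any source": any host that can reach a mapped port may send a PROXY header and thereby set the client address Prosody records and enforces policy on, so `{}` is only safe when the mapped ports are unreachable except from the real proxies. It would also help to document which address forms are accepted, since the default lists `::1` while the example shows only a bare IPv4 address and an IPv4 CIDR range, leaving IPv6 hosts and networks unspecified.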