Mercurial > prosody-modules
view mod_net_proxy/README.markdown @ 5870:1ac4a59ac575
mod_firewall: Fix syntax error (thanks mirux)
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Thu, 14 Mar 2024 09:48:30 +0000 |
parents | 9d65eb3fcb15 |
children |
line wrap: on
line source
--- labels: - 'Stage-Alpha' summary: 'Implementation of PROXY protocol versions 1 and 2' ... Introduction ============ This module implements the PROXY protocol in versions 1 and 2, which fulfills the following usecase as described within the official protocol specifications: > Relaying TCP connections through proxies generally involves a loss of the > original TCP connection parameters such as source and destination addresses, > ports, and so on. > > The PROXY protocol's goal is to fill the server's internal structures with the > information collected by the proxy that the server would have been able to get > by itself if the client was connecting directly to the server instead of via a > proxy. You can find more information about the PROXY protocol on [the official website](https://www.haproxy.com/blog/haproxy/proxy-protocol/) or within [the official protocol specifications.](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) Usage ===== Copy the plugin into your prosody's modules directory. And add it between your enabled modules into the global section (modules\_enabled). As the PROXY protocol specifications do not allow guessing if the PROXY protocol shall be used or not, you need to configure separate ports for all the services that should be exposed with PROXY protocol support: ```lua --[[ Maps TCP ports to a specific Prosody network service. Further information about available service names can be found further down below in the module documentation. ]]-- proxy_port_mappings = { [15222] = "c2s", [15269] = "s2s" } --[[ Specifies a list of trusted hosts or networks which may use the PROXY protocol If not specified, it will default to: 127.0.0.1, ::1 (local connections only) An empty table ({}) can be configured to allow connections from any source. Please read the module documentation about potential security impact. ]]-- proxy_trusted_proxies = { "192.168.10.1", "172.16.0.0/16" } --[[ While you can manually override the ports this module is listening on with the "proxy_ports" directive, it is highly recommended to not set it and instead only configure the appropriate mappings with "proxy_port_mappings", which will automatically start listening on all mapped ports. Example: proxy_ports = { 15222, 15269 } ]]-- ``` The above example configuration, which needs to be placed in the global section, would listen on both tcp/15222 and tcp/15269. All incoming connections have to originate from trusted hosts/networks (configured by _proxy_trusted_proxies_) and must be initiated by a PROXYv1 or PROXYv2 sender. After processing the PROXY protocol, those connections will get mapped to the configured service name. Please note that each port handled by _mod_net_proxy_ must be mapped to another service name by adding an item to _proxy_port_mappings_, otherwise a warning will be printed during module initialization and all incoming connections to unmapped ports will be dropped after processing the PROXY protocol requests. The service name can be found by analyzing the source of the module, as it is the same name as specified within the _name_ attribute when calling `module:provides("net", ...)` to initialize a network listener. The following table shows the names for the most commonly used Prosody modules: ------------- -------------------------- **Module** **Service Name** c2s c2s (Plain/StartTLS) s2s s2s (Plain/StartTLS) proxy65 proxy65 (Plain) http http (Plain) net_multiplex multiplex (Plain/StartTLS) ------------- -------------------------- This module should work with all services that are providing ports which either offer plaintext or StartTLS-based encryption. Please note that instead of using this module for HTTP-based services (BOSH/WebSocket) it might be worth resorting to use proxy which is able to process HTTP and insert a _X-Forwarded-For_ header instead. Example ======= This example provides you with a Prosody server that accepts regular connections on tcp/5222 (C2S) and tcp/5269 (S2S) while also offering dedicated PROXY protocol ports for both modules, configured as tcp/15222 (C2S) and tcp/15269 (S2S): ```lua c2s_ports = {5222} s2s_ports = {5269} proxy_port_mappings = { [15222] = "c2s", [15269] = "s2s" } ``` After adjusting the global configuration of your Prosody server accordingly, you can configure your desired sender accordingly. Below is an example for a working HAProxy configuration which will listen on the default XMPP ports (5222+5269) and connect to your XMPP backend running on 192.168.10.10 using the PROXYv2 protocol: ``` defaults d-xmpp log global mode tcp option redispatch option tcplog option tcpka option clitcpka option srvtcpka timeout connect 5s timeout client 24h timeout server 60m frontend f-xmpp bind :::5222,:::5269 v4v6 use_backend b-xmpp-c2s if { dst_port eq 5222 } use_backend b-xmpp-s2s if { dst_port eq 5269 } backend b-xmpp-c2s balance roundrobin option independent-streams server mycoolprosodybox 192.168.10.10:15222 send-proxy-v2 backend b-xmpp-s2s balance roundrobin option independent-streams server mycoolprosodybox 192.168.10.10:15269 send-proxy-v2 ``` Limitations =========== It is currently not possible to use this module for offering PROXY protocol support on SSL/TLS ports, which will automatically initiate a SSL handshake. This might be possible in the future, but it currently does not look like this could easily be implemented due to the current handling of such connections. Important Notes =============== Please do not expose any ports offering PROXY protocol to the internet - while regular clients will be unable to use them anyways, it is outright dangerous and allows anyone to spoof the actual IP address. It is highly recommended to only allow PROXY connections from trusted sources, e.g. your loadbalancer. Compatibility ============= ----- ----- trunk Works 0.12 Works 0.11 Works 0.10 Works ----- -----