Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Forward proxy-protocol correctly to tls backends #112

Merged
merged 9 commits into from
Oct 3, 2023
Merged

Forward proxy-protocol correctly to tls backends #112

merged 9 commits into from
Oct 3, 2023

Conversation

jrobsonchase
Copy link
Collaborator

Currently, we ignore proxy protocol settings in our tunnels. This means that,
for tls and https connections that are terminated at the ngrok edge, the
incoming connections look like ProxyProtoStream(PlainTextStream). When we
then terminate tls to the backend/upstream/whatever you want to call it, the
final stream looks like TlsStream(ProxyProtoStream(PlainTextStream)), where
it's expected to look like ProxyProtoStream(TlsStream(PlainTextStream)),
since proxy-protocol is a lower layer than TLS.

To that end, this change plumbs the proxy-proto setting through to the endpoint
connection object, reads the header out of the stream, and then makes sure to
write that to the upstream first before terminating TLS.

@jrobsonchase
Copy link
Collaborator Author

Current dependencies on/for this PR:

This comment was auto-generated by Graphite.

bobzilladev
bobzilladev approved these changes Sep 15, 2023
View reviewed changes
Copy link
Contributor

@bobzilladev bobzilladev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. double-checked proxy_protocol is advancing the buffer during parse.

@jrobsonchase
Copy link
Collaborator Author

Mmm, I'm using the parse error wrong. Gonna try to isolate the header reading logic to better test it.

bobzilladev
bobzilladev approved these changes Oct 2, 2023
View reviewed changes
Copy link
Contributor

@bobzilladev bobzilladev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Think I've wrapped my head around what proxy_proto is up to now. Left some comments, but nothing that's a hard blocker.

ngrok/src/proxy_proto.rs Outdated Show resolved Hide resolved
ngrok/src/proxy_proto.rs Show resolved Hide resolved
ngrok/src/proxy_proto.rs Outdated Show resolved Hide resolved
@jrobsonchase jrobsonchase merged commit 44f6f1d into main Oct 3, 2023
11 checks passed
@jrobsonchase jrobsonchase deleted the josh/forward-proxy-proto branch October 3, 2023 21:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bobzilladev bobzilladev bobzilladev approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jrobsonchase @bobzilladev