-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Forward proxy-protocol correctly to tls backends #112
Conversation
Current dependencies on/for this PR: This comment was auto-generated by Graphite. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm. double-checked proxy_protocol
is advancing the buffer during parse.
Mmm, I'm using the parse error wrong. Gonna try to isolate the header reading logic to better test it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Think I've wrapped my head around what proxy_proto
is up to now. Left some comments, but nothing that's a hard blocker.
43ad5e3
to
e94e025
Compare
Currently, we ignore proxy protocol settings in our tunnels. This means that,
for tls and https connections that are terminated at the ngrok edge, the
incoming connections look like
ProxyProtoStream(PlainTextStream)
. When wethen terminate tls to the backend/upstream/whatever you want to call it, the
final stream looks like
TlsStream(ProxyProtoStream(PlainTextStream))
, whereit's expected to look like
ProxyProtoStream(TlsStream(PlainTextStream))
,since proxy-protocol is a lower layer than TLS.
To that end, this change plumbs the proxy-proto setting through to the endpoint
connection object, reads the header out of the stream, and then makes sure to
write that to the upstream first before terminating TLS.