MINOR: connection: add proxy-v2-options authority

author Emmanuel Hocdet <manu@gandi.net>

Thu, 1 Feb 2018 17:29:59 +0000 (18:29 +0100)

committer Willy Tarreau <w@1wt.eu>

Thu, 1 Mar 2018 10:38:32 +0000 (11:38 +0100)
author Emmanuel Hocdet <manu@gandi.net>
Thu, 1 Feb 2018 17:29:59 +0000 (18:29 +0100)
committer Willy Tarreau <w@1wt.eu>
Thu, 1 Mar 2018 10:38:32 +0000 (11:38 +0100)
diff --git a/doc/configuration.txt b/doc/configuration.txt

index bb1c4f1f60bc95a3c2890a59a2701627f25a8b92..a914c416cb93fea62e63dbc4adc9d42f0cb26bc4 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -11724,7 +11724,9 @@ proxy-v2-options <option>[,<option>]*
    2 when "send-proxy-v2" is used. Options available are "ssl" (see also
    send-proxy-v2-ssl), "cert-cn" (see also "send-proxy-v2-ssl-cn"), "ssl-cipher":
    name of the used cipher, "cert-sig": signature algorithm of the used
-  certificate, "cert-key": key algorithm of the used certificate).
+  certificate, "cert-key": key algorithm of the used certificate), "authority":
+  host name value passed by the client (only sni from a tls connection is
+  supported).
  
  send-proxy-v2-ssl
    The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h

index d43ad69e7b479e45d0ee7634dea634c10df23d24..c6075eb7c04ad1050b68c903fa1b92ff9ec09fba 100644 (file)
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -50,6 +50,7 @@ void ssl_sock_free_srv_ctx(struct server *srv);
  void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
  int ssl_sock_load_ca(struct bind_conf *bind_conf);
  void ssl_sock_free_ca(struct bind_conf *bind_conf);
+const char *ssl_sock_get_sni(struct connection *conn);
  const char *ssl_sock_get_cert_sig(struct connection *conn);
  const char *ssl_sock_get_cipher_name(struct connection *conn);
  const char *ssl_sock_get_proto_version(struct connection *conn);
diff --git a/include/types/server.h b/include/types/server.h

index 91f8a9d4f6491b90dbe041155060d58e7c74abd3..6d0566be27a17cfa53820fcc37ff4313a4304d44 100644 (file)
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -151,6 +151,7 @@ enum srv_initaddr {
  #define SRV_PP_V2_SSL_KEY_ALG   0x0010   /* proxy protocol version 2 with cert key algorithm */
  #define SRV_PP_V2_SSL_SIG_ALG   0x0020   /* proxy protocol version 2 with cert signature algorithm */
  #define SRV_PP_V2_SSL_CIPHER    0x0040   /* proxy protocol version 2 with cipher used */
+#define SRV_PP_V2_AUTHORITY     0x0080   /* proxy protocol version 2 with authority */
  
  /* function which act on servers need to return various errors */
  #define SRV_STATUS_OK       0   /* everything is OK. */
diff --git a/src/connection.c b/src/connection.c

index e8a02ea40e31c247203069a220e1f2e39ddc4b6d..206b22b72909d7ce8d6de47434b3e046f06cd729 100644 (file)
--- a/src/connection.c
+++ b/src/connection.c
@@ -1044,6 +1044,15 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
         }
  
  #ifdef USE_OPENSSL
+       if (srv->pp_opts & SRV_PP_V2_AUTHORITY) {
+               value = ssl_sock_get_sni(remote);
+               if (value) {
+                       if ((buf_len - ret) < sizeof(struct tlv))
+                               return 0;
+                       ret += make_tlv(&buf[ret], (buf_len - ret), PP2_TYPE_AUTHORITY, strlen(value), value);
+               }
+       }
+
         if (srv->pp_opts & SRV_PP_V2_SSL) {
                 struct tlv_ssl *tlv;
                 int ssl_tlv_len = 0;
diff --git a/src/server.c b/src/server.c

index 77fc0c6ad6f4c4a8ae440d6210c8c1c0a1590fd0..f4cf45cd3221c634b3338f68d75e6d9b93778ca6 100644 (file)
--- a/src/server.c
+++ b/src/server.c
@@ -526,6 +526,8 @@ static int srv_parse_proxy_v2_options(char **args, int *cur_arg,
                 } else if (!strcmp(p, "ssl-cipher")) {
                         newsrv->pp_opts |= SRV_PP_V2_SSL;
                         newsrv->pp_opts |= SRV_PP_V2_SSL_CIPHER;
+               } else if (!strcmp(p, "authority")) {
+                       newsrv->pp_opts |= SRV_PP_V2_AUTHORITY;
                 } else
                         goto fail;
         }
diff --git a/src/ssl_sock.c b/src/ssl_sock.c

index 0e39d10e6dabdca06c145c790d4b33307fed7190..271940a3591132d4ea363d84c342b8d1ce614cac 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5783,6 +5783,18 @@ const char *ssl_sock_get_cert_sig(struct connection *conn)
         return OBJ_nid2sn(OBJ_obj2nid(algorithm));
  }
  
+/* used for ppv2 authority */
+const char *ssl_sock_get_sni(struct connection *conn)
+{
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+       if (!ssl_sock_is_ssl(conn))
+               return NULL;
+       return SSL_get_servername(conn->xprt_ctx, TLSEXT_NAMETYPE_host_name);
+#else
+       return 0;
+#endif
+}
+
  /* used for logging/ppv2, may be changed for a sample fetch later */
  const char *ssl_sock_get_cipher_name(struct connection *conn)
  {
author	Emmanuel Hocdet <manu@gandi.net>
	Thu, 1 Feb 2018 17:29:59 +0000 (18:29 +0100)
committer	Willy Tarreau <w@1wt.eu>
	Thu, 1 Mar 2018 10:38:32 +0000 (11:38 +0100)
doc/configuration.txt		patch \| blob \| blame \| history
include/proto/ssl_sock.h		patch \| blob \| blame \| history
include/types/server.h		patch \| blob \| blame \| history
src/connection.c		patch \| blob \| blame \| history
src/server.c		patch \| blob \| blame \| history
src/ssl_sock.c		patch \| blob \| blame \| history