From 7724dc92f460cd28b9062e857bc3fa578f0de5b5 Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Fri, 16 Jun 2023 15:35:53 +0200 Subject: [PATCH] dnsdist: Clarify the proxy protocol documentation - A proxy protocol payload is actually required from incoming clients configured with setProxyProtocolACL, not just allowed. - setProxyProtocolApplyACLToProxiedClients was wrongly documented as setProxyProtocolApplyACL --- pdns/dnsdistdist/docs/advanced/passing-source-address.rst | 3 ++- pdns/dnsdistdist/docs/reference/config.rst | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/pdns/dnsdistdist/docs/advanced/passing-source-address.rst b/pdns/dnsdistdist/docs/advanced/passing-source-address.rst index 3473d01ed2..106c0dca85 100644 --- a/pdns/dnsdistdist/docs/advanced/passing-source-address.rst +++ b/pdns/dnsdistdist/docs/advanced/passing-source-address.rst 
@@ -70,7 +70,8 @@ It works by pre-pending a small header at the very beginning of a UDP datagram o In order to use it in dnsdist, the ``useProxyProtocol`` parameter can be used when creating a :func:`new server `. This parameter indicates whether a Proxy Protocol version 2 (binary) header should be prepended to the query before forwarding it to the backend, over UDP or TCP. -Such a Proxy Protocol header can also be passed from the client to dnsdist, using :func:`setProxyProtocolACL` to specify which clients to accept it from. +Such a Proxy Protocol header can also be passed from the client to dnsdist, using :func:`setProxyProtocolACL` to specify which clients to accept it from. Note that a proxy protocol payload will be required from these clients, regular DNS queries will no longer be accepted if they are not preceded by a proxy protocol payload. + If :func:`setProxyProtocolApplyACLToProxiedClients` is set (default is false), the general ACL will be applied to the source IP address as seen by dnsdist first, but also to the source IP address provided in the Proxy Protocol header. Custom values can be added to the header via :meth:`DNSQuestion:addProxyProtocolValue`, :meth:`DNSQuestion:setProxyProtocolValues`, :func:`SetAdditionalProxyProtocolValueAction` and :func:`SetProxyProtocolValuesAction`. diff --git a/pdns/dnsdistdist/docs/reference/config.rst b/pdns/dnsdistdist/docs/reference/config.rst index 444a19c901..b648936986 100644 --- a/pdns/dnsdistdist/docs/reference/config.rst +++ b/pdns/dnsdistdist/docs/reference/config.rst 
@@ -469,11 +469,11 @@ Access Control Lists .. versionadded:: 1.6.0 - Set the list of netmasks from which a Proxy Protocol header will be accepted, over UDP, TCP and DNS over TLS. The default is empty. Note that, if :func:`setProxyProtocolApplyACLToProxiedClients` is set (default is false), the general ACL will be applied to the source IP address as seen by dnsdist first, but also to the source IP address provided in the Proxy Protocol header. + Set the list of netmasks from which a Proxy Protocol header will be required, over UDP, TCP and DNS over TLS. The default is empty. Note that a proxy protocol payload will be required from these clients, regular DNS queries will no longer be accepted if they are not preceded by a proxy protocol payload. Be also aware that, if :func:`setProxyProtocolApplyACLToProxiedClients` is set (default is false), the general ACL will be applied to the source IP address as seen by dnsdist first, but also to the source IP address provided in the Proxy Protocol header. :param {str} netmasks: A table of CIDR netmask, e.g. ``{"192.0.2.0/24", "2001:DB8:14::/56"}``. Without a subnetmask, only the specific address is allowed. -.. function:: setProxyProtocolApplyACL(apply) +.. function:: setProxyProtocolApplyACLToProxiedClients(apply) .. versionadded:: 1.6.0 -- 2.47.2
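Review bot: In the passing-source-address.rst hunk, the added sentence "Note that a proxy protocol payload will be required from these clients, regular DNS queries will no longer be accepted if they are not preceded by a proxy protocol payload." is a comma splice; write it as "...will be required from these clients: regular DNS queries will no longer be accepted unless they are preceded by a proxy protocol payload." It would also help to say plainly that the netmasks given to :func:`setProxyProtocolACL` should only cover proxies the operator trusts, since the following paragraph shows that unless :func:`setProxyProtocolApplyACLToProxiedClients` is enabled (default false) the general ACL is not applied to the client address carried in the header, so the header's source address is taken from those hosts as-is.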
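Review bot: In the config.rst hunk, the rewritten description says "required" twice in a row: the first sentence now reads "netmasks from which a Proxy Protocol header will be required" and the next sentence repeats "a proxy protocol payload will be required from these clients". Keep one; for instance, leave the first sentence as "will be accepted" (matching the wording kept in passing-source-address.rst) and let the "Note that..." sentence carry the requirement, fixing its comma splice at the same time ("...required from these clients: regular DNS queries will no longer be accepted unless..."). "Be also aware that" should be "Also be aware that". Since the directive is renamed from ``setProxyProtocolApplyACL`` to ``setProxyProtocolApplyACLToProxiedClients``, please also confirm that no remaining ``:func:`setProxyProtocolApplyACL``` cross-reference exists elsewhere in the docs, otherwise the Sphinx build will produce a dangling reference.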