]> git.ipfire.org Git - thirdparty/haproxy.git/commit
projects / thirdparty / haproxy.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 6f6c6fa) | patch
MINOR: proto-tcp: Add support for TCP MD5 signature for listeners and servers
authorChristopher Faulet <cfaulet@haproxy.com>
Thu, 3 Jul 2025 13:16:47 +0000 (15:16 +0200)
committerChristopher Faulet <cfaulet@haproxy.com>
Thu, 3 Jul 2025 13:25:40 +0000 (15:25 +0200)
commit5232df57abe1d4ff1513e4642f1e247c399ebc64
tree1eb37046759b5ca04fbeeb9cf9c00c1a4aa9c4e8tree | snapshot
parent6f6c6fa4cbb8c6bb7617e7a6e0b1d42fe398881bcommit | diff
MINOR: proto-tcp: Add support for TCP MD5 signature for listeners and servers

This patch adds the support for the RFC2385 (Protection of BGP Sessions via
the + TCP MD5 Signature Option) for the listeners and the servers. The
feature is only available on Linux. Keywords are not exposed otherwise.

By setting "tcp-md5sig <password>" option on a bind line, TCP segments of
all connections instantiated from the listening socket will be signed with a
16-byte MD5 digest. The same option can be set on a server line to protect
outgoing connections to the corresponding server.

The primary use case for this option is to allow BGP to protect itself
against the introduction of spoofed TCP segments into the connection
stream. But it can be useful for any very long-lived TCP connections.

A reg-test was added and it will be executed only on linux. All other
targets are excluded.
doc/configuration.txt diff | blob | blame | history
include/haproxy/listener-t.h diff | blob | blame | history
include/haproxy/server-t.h diff | blob | blame | history
reg-tests/connection/tcp_md5_signature.vtc [new file with mode: 0644] blob
src/cfgparse-tcp.c diff | blob | blame | history
src/listener.c diff | blob | blame | history
src/proto_tcp.c diff | blob | blame | history
src/proxy.c diff | blob | blame | history
src/server.c diff | blob | blame | history
Mirror of https://github.com/haproxy/haproxy.git