BUG/MINOR: server: check for either proxy-protocol v1 or v2 to send hedaer

As reported in issue #2882, using "no-send-proxy-v2" on a server line does
not properly disable the use of proxy-protocol if it was enabled in a
default-server directive in combination with other PP options. The reason
for this is that the sending of a proxy header is determined by a test on
srv->pp_opts without any distinction, so disabling PPv2 while leaving other
options results in a PPv1 header to be sent.

Let's fix this by explicitly testing for the presence of either send-proxy
or send-proxy-v2 when deciding to send a proxy header.

This can be backported to all versions. Thanks to Andre Sencioles (@asenci)
for reporting the issue and testing the fix.

diff --git a/include/haproxy/server-t.h b/include/haproxy/server-t.h
index 8ee956c8e3d66da9a566c5224ea9eb8f8e7ddd5b..fe13318f862115ea63dd5ea8646e55475c993dd5 100644 (file)
--- a/include/haproxy/server-t.h
+++ b/include/haproxy/server-t.h
@@ -175,6 +175,7 @@ enum srv_init_state {
 /* configured server options for send-proxy (server->pp_opts) */
 #define SRV_PP_V1               0x0001   /* proxy protocol version 1 */
 #define SRV_PP_V2               0x0002   /* proxy protocol version 2 */
+#define SRV_PP_ENABLED          0x0003   /* proxy protocol version 1 or version 2 */
 #define SRV_PP_V2_SSL           0x0004   /* proxy protocol version 2 with SSL */
 #define SRV_PP_V2_SSL_CN        0x0008   /* proxy protocol version 2 with CN */
 #define SRV_PP_V2_SSL_KEY_ALG   0x0010   /* proxy protocol version 2 with cert key algorithm */

diff --git a/src/backend.c b/src/backend.c
index 867c6a850fc1c1e5d7742f30a9452a74da837afe..d8c9df8123af24779f8e31104c5c9e358f044a54 100644 (file)
--- a/src/backend.c
+++ b/src/backend.c
@@ -1598,7 +1598,7 @@ int connect_server(struct stream *s)
        hash_params.src_addr = bind_addr;
 
        /* 5. proxy protocol */
-       if (srv && srv->pp_opts) {
+       if (srv && (srv->pp_opts & SRV_PP_ENABLED)) {
                proxy_line_ret = make_proxy_line(trash.area, trash.size, srv, cli_conn, s, strm_sess(s));
                if (proxy_line_ret) {
                        hash_params.proxy_prehash =
@@ -1932,7 +1932,7 @@ skip_reuse:
                /* process the case where the server requires the PROXY protocol to be sent */
                srv_conn->send_proxy_ofs = 0;
 
-               if (srv && srv->pp_opts) {
+               if (srv && (srv->pp_opts & SRV_PP_ENABLED)) {
                        srv_conn->flags |= CO_FL_SEND_PROXY;
                        srv_conn->send_proxy_ofs = 1; /* must compute size */
                }

diff --git a/src/proto_rhttp.c b/src/proto_rhttp.c
index ccd56cf85404da4dbaeb61b557d2cba09a4d3240..b81589936315122f5166847ed931ffd36fe58461 100644 (file)
--- a/src/proto_rhttp.c
+++ b/src/proto_rhttp.c
@@ -84,7 +84,7 @@ static struct connection *new_reverse_conn(struct listener *l, struct server *sr
        set_host_port(conn->dst, srv->svc_port);
 
        conn->send_proxy_ofs = 0;
-       if (srv->pp_opts) {
+       if (srv->pp_opts & SRV_PP_ENABLED) {
                conn->flags |= CO_FL_SEND_PROXY;
                conn->send_proxy_ofs = 1; /* must compute size */
        }