From: Amos Jeffries
Date: Tue, 2 Sep 2014 13:35:46 +0000 (-0700)
Subject: Support receiving PROXY protocol version 1 and 2.
X-Git-Tag: SQUID_3_5_0_1~75
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6e96d41538a60ced489d2d3e226117768d0ceaba;p=thirdparty%2Fsquid.git

Support receiving PROXY protocol version 1 and 2.

PROXY protocol has been developed by Willy Tarreau of HAProxy for communicating original src and dst IP:port details between proxies and load balancers in a protocol-agnostic way. stunnel, HAProxy and some other HTTP proxying software are already enabled and by adding support to Squid we can effectively chain these proxies without having to rely on X-Forwarded-For headers.

This patch adds http_port mode flag (require-proxy-header) to signal the protocol is in use, parsing and processing logics for the PROXY protocol headers on new connections, and the proxy_protocol_access control to manage inbound connections.

The indirect client security/trust model remains unchanged. As do all HTTP related logics on the connection once PROXY protocol header has been received.

Future Work:
* support sending PROXY protocol to cache_peers
* support receiving PROXY protocol on https_port
* rework the PROXY parse logics as a Parser-NG child parser.
---
6e96d41538a60ced489d2d3e226117768d0ceaba
diff --cc doc/release-notes/release-3.5.sgml
index 250479d82c,45e5632290..8f5f0e702e
--- a/doc/release-notes/release-3.5.sgml
+++ b/doc/release-notes/release-3.5.sgml
@@@ -223,6 -224,41 +224,50 @@@ Most user-facing changes are reflected No caching support -- no reliable Request URIs for that (see above). + Receive PROXY protocol, Versions 1 & 2 +

More info at + +

PROXY protocol provides a simple way for proxies and tunnels of any kind to + relay the original client source details without having to alter or understand + the protocol being relayed on the connection. + +

Squid currently supports receiving HTTP traffic from a client proxy using this protocol. + An http_port which has been configured to receive this protocol may only be used to + receive traffic from client software sending in this protocol. + HTTP traffic without the PROXY header is not accepted on such a port. + +

The accel and intercept options are still used to identify the + traffic syntax being delivered by the client proxy. + +

Squid can be configured by adding an http_port + with the require-proxy-header mode flag. The proxy_protocol_access + must also be configured with src ACLs to whitelist proxies which are + trusted to send correct client details. + +

Forward-proxy traffic from a client proxy: + ++ acl frontend src 192.0.2.1 + http_port 3128 require-proxy-header - proxy_protocol_access allow localhost ++ proxy_protocol_access allow frontend + + +

Intercepted traffic from a client proxy or tunnel: + ++ acl frontend src 192.0.2.2 + http_port 3128 intercept require-proxy-header - proxy_protocol_access allow localhost ++ proxy_protocol_access allow frontend ++ ++ ++

Reverse-proxy traffic from a frontend load balancer sending PROXY protocol: ++ ++ acl frontend src 192.0.2.3 ++ http_port 3128 accel require-proxy-header ++ proxy_protocol_access allow frontend + + +

Known Issue: - Use of require-proxy-header on https_port is not supported. ++ Use of require-proxy-header on https_port and ftp_port is not supported. + Changes to squid.conf since Squid-3.4
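Review bot: the new paragraph introducing proxy_protocol_access ("The proxy_protocol_access must also be configured with src ACLs to whitelist proxies which are trusted to send correct client details") says the directive must be configured but never states what happens when it is absent, or when a connection arrives from a peer it does not allow; add a sentence giving the default action and saying that a denied connection is closed rather than read as plain HTTP, so it lines up with the earlier promise that "HTTP traffic without the PROXY header is not accepted on such a port." In the same paragraph, state explicitly that the src ACL is evaluated against the address of the TCP peer (the frontend proxy), not against the client address carried inside the PROXY header; the three examples (each "acl frontend src 192.0.2.x" paired with "proxy_protocol_access allow frontend") imply this, but an administrator could read "src" as the client the header names, which would make the whitelist meaningless. Finally, the Known Issue line now adds ftp_port alongside https_port while the commit message's Future Work lists only https_port; keep the two lists consistent.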
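To make the accept/reject model described in the release note concrete, here is an added example of a receiver for PROXY protocol version 1 (text) and version 2 (binary), with a sender-side v2 encoder so the exchange can be built and parsed offline. It is not Squid's code and does not reproduce Squid's parser; the function names (parse_proxy_header, accept_connection, build_v2, rejected), the sample connection bytes and the allow-list are all constructed for this example. One design choice is the example's own and is not stated by the note: the TCP peer is checked against the allow-list before any header is parsed, so untrusted senders never reach the parser. It goes slightly beyond the note by also handling the v1 UNKNOWN and v2 LOCAL/AF_UNSPEC cases, where the header names no client and the TCP peer is kept as the client address.

```python
# PROXY protocol v1/v2 receiver modelled on a require-proxy-header port.
# Added example, not Squid code; the sample bytes and ACL are constructed.
import ipaddress
import struct
from collections import namedtuple

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte v2 signature from the spec
V1_MAX = 107                         # longest legal v1 line, CRLF included

# src/dst None: header names no client, keep the TCP peer.  header_len is the
# number of bytes to discard before HTTP parsing starts.
ProxyInfo = namedtuple("ProxyInfo", "version src dst src_port dst_port header_len")


class ProxyHeaderError(Exception):
    """Missing, malformed or truncated header: the connection must be dropped."""


def parse_v1(data: bytes) -> ProxyInfo:
    """Text form: 'PROXY TCP4|TCP6|UNKNOWN src dst sport dport\\r\\n'."""
    end = data.find(b"\r\n", 0, V1_MAX)
    if end < 0:
        raise ProxyHeaderError("no CRLF within %d bytes" % V1_MAX)
    f = data[:end].decode("ascii").split(" ")
    if f[1] == "UNKNOWN":                     # sender cannot name the client
        return ProxyInfo(1, None, None, None, None, end + 2)
    if f[1] not in ("TCP4", "TCP6") or len(f) != 6:
        raise ProxyHeaderError("bad v1 protocol or field count")
    src, dst = ipaddress.ip_address(f[2]), ipaddress.ip_address(f[3])
    if {src.version, dst.version} != {4 if f[1] == "TCP4" else 6}:
        raise ProxyHeaderError("address family does not match %s" % f[1])
    if not all(p.isdigit() and int(p) <= 65535 for p in f[4:6]):
        raise ProxyHeaderError("bad port in %r" % f[4:6])
    return ProxyInfo(1, src, dst, int(f[4]), int(f[5]), end + 2)


def parse_v2(data: bytes) -> ProxyInfo:
    """Binary form: signature, ver/cmd byte, fam/proto byte, u16 length, body."""
    if len(data) < 16:
        raise ProxyHeaderError("truncated v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F not in (0, 1):
        raise ProxyHeaderError("bad v2 version/command 0x%02x" % ver_cmd)
    if len(data) < 16 + length:
        raise ProxyHeaderError("v2 header shorter than declared length")
    body, hdr_len = data[16:16 + length], 16 + length
    fam, proto = fam_proto >> 4, fam_proto & 0x0F
    if ver_cmd & 0x0F == 0 or fam == 0:       # LOCAL or AF_UNSPEC: ignore addresses
        return ProxyInfo(2, None, None, None, None, hdr_len)
    if proto != 1 or fam not in (1, 2):       # only TCP over IPv4/IPv6 is useful here
        raise ProxyHeaderError("unsupported family/transport 0x%02x" % fam_proto)
    n, cls = (4, ipaddress.IPv4Address) if fam == 1 else (16, ipaddress.IPv6Address)
    s, d, sp, dp = struct.unpack("!%ds%dsHH" % (n, n), body[:2 * n + 4])  # TLVs may follow
    return ProxyInfo(2, cls(s), cls(d), sp, dp, hdr_len)


def parse_proxy_header(data: bytes) -> ProxyInfo:
    """Dispatch on the leading bytes; anything else is not PROXY protocol."""
    try:
        if data.startswith(V2_SIG):
            return parse_v2(data)
        if data.startswith(b"PROXY "):
            return parse_v1(data)
    except (ValueError, struct.error) as e:   # bad IP text, non-ASCII, short body
        raise ProxyHeaderError(str(e)) from e
    raise ProxyHeaderError("connection does not start with a PROXY header")


def build_v2(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Sender side: v2 PROXY/STREAM header for an IPv4 or IPv6 address pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    addrs = s.packed + d.packed + struct.pack("!HH", sport, dport)
    fam_proto = (0x10 if s.version == 4 else 0x20) | 0x01
    return V2_SIG + bytes([0x21, fam_proto]) + struct.pack("!H", len(addrs)) + addrs


def accept_connection(peer: str, data: bytes, allowed) -> tuple:
    """Model of 'http_port ... require-proxy-header' plus proxy_protocol_access.
    The src ACL is matched against the TCP peer (the frontend proxy); only then
    is the client named in the header believed.  Checking the peer before
    parsing is this example's choice, not a statement about Squid's order.
    Returns (client_ip, client_port, bytes left for the HTTP parser)."""
    peer_ip = ipaddress.ip_address(peer)
    if not any(peer_ip in net for net in allowed):
        raise ProxyHeaderError("proxy_protocol_access denies %s" % peer)
    info = parse_proxy_header(data)           # plain HTTP raises here: not accepted
    rest = data[info.header_len:]
    if info.src is None:
        return str(peer_ip), None, rest       # UNKNOWN/LOCAL: peer is the client
    return str(info.src), info.src_port, rest


def rejected(peer: str, data: bytes, allowed) -> bool:
    """True when the port would drop this connection."""
    try:
        accept_connection(peer, data, allowed)
        return False
    except ProxyHeaderError:
        return True


# Constructed sample connections and the ACL from the release-note example.
HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
V1_CONN = b"PROXY TCP4 198.51.100.7 192.0.2.3 51234 80\r\n" + HTTP
V2_CONN = build_v2("2001:db8::7", "2001:db8::3", 51234, 80) + HTTP
FRONTEND = [ipaddress.ip_network("192.0.2.1/32")]   # acl frontend src 192.0.2.1
```

Calling accept_connection("192.0.2.1", V1_CONN, FRONTEND) yields the client 198.51.100.7:51234 taken from the header with the HTTP request bytes left over; the same request sent without a header (HTTP alone), or V1_CONN sent from a peer outside the frontend ACL, is rejected. The two failure paths are deliberately distinct: an unlisted peer is refused before any untrusted bytes are parsed, and a listed peer that sends anything other than a well-formed header is dropped rather than silently treated as an ordinary client.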