From: Bertrand Jacquin Date: Mon, 6 Jun 2016 14:35:39 +0000 (+0100) Subject: MINOR: tcp: add "tcp-request connection expect-netscaler-cip layer4" X-Git-Tag: v1.7-dev4~63 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9075968356738583a33fe8f9862c6fa248dceb7b;p=thirdparty%2Fhaproxy.git MINOR: tcp: add "tcp-request connection expect-netscaler-cip layer4" This configures the client-facing connection to receive a NetScaler Client IP insertion protocol header before any byte is read from the socket. This is equivalent to having the "accept-netscaler-cip" keyword on the "bind" line, except that using the TCP rule allows the PROXY protocol to be accepted only for certain IP address ranges using an ACL. This is convenient when multiple layers of load balancers are passed through by traffic coming from public hosts. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 8a8055dff3..45e2e06d73 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -8652,6 +8652,15 @@ tcp-request connection [{if | unless} ] of load balancers are passed through by traffic coming from public hosts. + - expect-netscaler-cip layer4 : + configures the client-facing connection to receive a NetScaler Client + IP insertion protocol header before any byte is read from the socket. + This is equivalent to having the "accept-netscaler-cip" keyword on the + "bind" line, except that using the TCP rule allows the PROXY protocol + to be accepted only for certain IP address ranges using an ACL. This + is convenient when multiple layers of load balancers are passed + through by traffic coming from public hosts. + - capture len : This only applies to "tcp-request content" rules. It captures sample expression from the request buffer, and converts it to a @@ -9746,7 +9755,9 @@ accept-netscaler-cip protocol, unless it is violated, in which case the real address will still be used. This keyword combined with support from external components can be used as an efficient and reliable alternative to the X-Forwarded-For - mechanism which is not always reliable and not even always usable. + mechanism which is not always reliable and not even always usable. See also + "tcp-request connection expect-netscaler-cip" for a finer-grained setting of + which client is allowed to use the protocol. accept-proxy Enforces the use of the PROXY protocol over any connection accepted by any of diff --git a/include/types/action.h b/include/types/action.h index 742252e109..fce6bc87bb 100644 --- a/include/types/action.h +++ b/include/types/action.h @@ -83,6 +83,7 @@ enum act_name { /* tcp actions */ ACT_TCP_EXPECT_PX, + ACT_TCP_EXPECT_CIP, ACT_TCP_CLOSE, /* close at the sender's */ ACT_TCP_CAPTURE, /* capture a fetched sample */ diff --git a/src/proto_tcp.c b/src/proto_tcp.c index 53447037d9..83bdff8789 100644 --- a/src/proto_tcp.c +++ b/src/proto_tcp.c @@ -1399,6 +1399,10 @@ int tcp_exec_req_rules(struct session *sess) conn->flags |= CO_FL_ACCEPT_PROXY; conn_sock_want_recv(conn); } + else if (rule->action == ACT_TCP_EXPECT_CIP) { + conn->flags |= CO_FL_ACCEPT_CIP; + conn_sock_want_recv(conn); + } else { /* Custom keywords. */ if (!rule->action_ptr) @@ -1828,6 +1832,24 @@ static int tcp_parse_request_rule(char **args, int arg, int section_type, arg += 2; rule->action = ACT_TCP_EXPECT_PX; } + else if (strcmp(args[arg], "expect-netscaler-cip") == 0) { + if (strcmp(args[arg+1], "layer4") != 0) { + memprintf(err, + "'%s %s %s' only supports 'layer4' in %s '%s' (got '%s')", + args[0], args[1], args[arg], proxy_type_str(curpx), curpx->id, args[arg+1]); + return -1; + } + + if (!(where & SMP_VAL_FE_CON_ACC)) { + memprintf(err, + "'%s %s' is not allowed in '%s %s' rules in %s '%s'", + args[arg], args[arg+1], args[0], args[1], proxy_type_str(curpx), curpx->id); + return -1; + } + + arg += 2; + rule->action = ACT_TCP_EXPECT_CIP; + } else { struct action_kw *kw; if (where & SMP_VAL_FE_CON_ACC) {