From 13edf4ccdeca9d3816ca38d0a1b8dacd7cafd9e0 Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Mon, 11 Aug 2014 10:28:59 -0700
Subject: [PATCH] Actually disable TPROXY spoofing when PROXY protocol is used Also, hide the TPROXY disable warning when TPROXY not used.
---
 src/cache_cf.cc | 6 +++++-
 src/client_side.cc | 3 ++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 7af208c5b7..3f6ea48f46 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -3609,7 +3609,11 @@ parse_port_option(AnyP::PortCfgPointer &s, char *token)
 } else if (strcmp(token, "require-proxy-header") == 0) {
 s->flags.proxySurrogate = true;
- debugs(3, DBG_IMPORTANT, "Disabling TPROXY Spoofing on port " << s->s << " (require-proxy-header enabled)");
+ if (s->flags.tproxyIntercept) {
+ // receiving is still permitted, so we do not unset the TPROXY flag
+ // spoofing access control override takes care of the spoof disable later
+ debugs(3, DBG_IMPORTANT, "Disabling TPROXY Spoofing on port " << s->s << " (require-proxy-header enabled)");
+ }
 } else if (strncmp(token, "defaultsite=", 12) == 0) {
 if (!s->flags.accelSurrogate) {
diff --git a/src/client_side.cc b/src/client_side.cc
index 75312e4377..a322090b7d 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
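Review bot: The notice in the `require-proxy-header` branch is now printed only if `s->flags.tproxyIntercept` is already set when this token is handled, so whether the administrator sees it presumably depends on the order of options on the port line. If options are parsed one token at a time in the order written, as the `token` parameter and the `strcmp` chain suggest, a line that names `require-proxy-header` before the TPROXY option gets no message even though spoofing will be off. Either report it once the whole port line has been parsed, or state the dependency in the comment, e.g. `// only reported when the tproxy option precedes require-proxy-header`. The added comment should also say where the "access control override" lives, since nothing in this branch enforces the disable. parse_port_option() starts and ends outside the hunk.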
@@ -2696,7 +2696,8 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
 if (http->clientConnection != NULL) {
 request->flags.intercepted = ((http->clientConnection->flags & COMM_INTERCEPTION) != 0);
 request->flags.interceptTproxy = ((http->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ;
- if (request->flags.interceptTproxy) {
+ static const bool proxyProtocolPort = (conn->port != NULL) ? conn->port->flags.proxySurrogate : false;
+ if (request->flags.interceptTproxy && !proxyProtocolPort) {
 if (Config.accessList.spoof_client_ip) {
 ACLFilledChecklist *checklist = clientAclChecklistCreate(Config.accessList.spoof_client_ip, http);
 request->flags.spoofClientIp = (checklist->fastCheck() == ACCESS_ALLOWED);
-- 
2.47.3
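Review bot: `proxyProtocolPort` is declared `static const`, so it is initialised once, by the first request that reaches this line, and every later request on any connection reuses that value instead of consulting its own `conn->port`. If that first request arrives on a port without `require-proxy-header`, `!proxyProtocolPort` stays true for the life of the process and TPROXY spoofing remains active on PROXY-protocol ports, where the client address is taken from a header supplied by the sender. In the opposite case spoofing is turned off on every TPROXY port. Drop the storage class so the flag is evaluated per request: `const bool proxyProtocolPort = (conn->port != NULL) ? conn->port->flags.proxySurrogate : false;`. The enclosing `if (http->clientConnection != NULL)` block and clientProcessRequest() continue outside the hunk.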