From db5f833cc72a1ceb812dde55cf926858f61c086b Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Tue, 27 Dec 2022 12:10:45 +0100
Subject: [PATCH] haxproxy: send before TLS handhshake

- reverse order of haproxy and final ssl cfilter

- make haproxy avaiable on PROXY builds, independent of HTTP support as
  it can be used with any protocol.

Reported-by: Sergio-IME on github
Fixes #10165
Closes #10167
---
 lib/cfilters.c   | 15 +++++++--------
 lib/http_proxy.c |  5 ++++-
 lib/http_proxy.h |  6 ++++--
 3 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/lib/cfilters.c b/lib/cfilters.c
index 8b05fbc8f4..348c09d7e4 100644
--- a/lib/cfilters.c
+++ b/lib/cfilters.c
@@ -319,7 +319,14 @@ CURLcode Curl_conn_setup(struct Curl_easy *data,
         if(result)
           goto out;
       }
+    }
 #endif /* !CURL_DISABLE_HTTP */
+
+    /* HAProxy protocol comes *before* SSL, see #10165 */
+    if(data->set.haproxyprotocol) {
+      result = Curl_conn_haproxy_add(data, conn, sockindex);
+      if(result)
+        goto out;
     }
 #endif /* !CURL_DISABLE_PROXY */
 
@@ -335,14 +342,6 @@ CURLcode Curl_conn_setup(struct Curl_easy *data,
     (void)ssl_mode;
 #endif /* USE_SSL */
 
-#if !defined(CURL_DISABLE_PROXY) && !defined(CURL_DISABLE_HTTP)
-    if(data->set.haproxyprotocol) {
-      result = Curl_conn_haproxy_add(data, conn, sockindex);
-      if(result)
-        goto out;
-    }
-#endif /* !CURL_DISABLE_PROXY && !CURL_DISABLE_HTTP */
-
   }
   DEBUGASSERT(conn->cfilter[sockindex]);
   cf = data->conn->cfilter[sockindex];
diff --git a/lib/http_proxy.c b/lib/http_proxy.c
index e30730acab..56a7bd4aaf 100644
--- a/lib/http_proxy.c
+++ b/lib/http_proxy.c
@@ -1195,6 +1195,9 @@ CURLcode Curl_conn_http_proxy_add(struct Curl_easy *data,
   return result;
 }
 
+#endif /* !CURL_DISABLE_PROXY &6 ! CURL_DISABLE_HTTP */
+
+#if !defined(CURL_DISABLE_PROXY)
 
 static CURLcode send_haproxy_header(struct Curl_cfilter*cf,
                                     struct Curl_easy *data)
@@ -1280,4 +1283,4 @@ CURLcode Curl_conn_haproxy_add(struct Curl_easy *data,
   return result;
 }
 
-#endif /* !CURL_DISABLE_PROXY &6 ! CURL_DISABLE_HTTP */
+#endif /* !CURL_DISABLE_PROXY */
diff --git a/lib/http_proxy.h b/lib/http_proxy.h
index dfdc0e72ba..935ae01524 100644
--- a/lib/http_proxy.h
+++ b/lib/http_proxy.h
@@ -27,19 +27,21 @@
 #include "curl_setup.h"
 #include "urldata.h"
 
-#if !defined(CURL_DISABLE_PROXY) && !defined(CURL_DISABLE_HTTP)
+#if !defined(CURL_DISABLE_PROXY)
 
+#if !defined(CURL_DISABLE_HTTP)
 /* Default proxy timeout in milliseconds */
 #define PROXY_TIMEOUT (3600*1000)
 
 CURLcode Curl_conn_http_proxy_add(struct Curl_easy *data,
                                   struct connectdata *conn,
                                   int sockindex);
+#endif /* !CURL_DISABLE_HTTP */
 
 CURLcode Curl_conn_haproxy_add(struct Curl_easy *data,
                                struct connectdata *conn,
                                int sockindex);
 
-#endif /* !CURL_DISABLE_PROXY && !CURL_DISABLE_HTTP */
+#endif /* !CURL_DISABLE_PROXY */
 
 #endif /* HEADER_CURL_HTTP_PROXY_H */
-- 
2.47.3