proxy protocol support added

docs updated
SenseUnit · Jan 13, 2025 · 1e82281 · 1e82281
1 parent 882078d
commit 1e82281
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -28,6 +28,7 @@ Simple, scriptable, secure forward proxy.
 * Resilient to DPI (including active probing, see `hidden_domain` option for authentication providers)
 * Connecting via upstream HTTP(S)/SOCKS5 proxies (proxy chaining)
 * systemd socket activation
+* [Proxy protocol](https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt) support for working behind a reverse proxy (HAProxy, Nginx)
 * Scripting with JavaScript:
   * Access filter by JS function
   * Upstream proxy selection by JS function
@@ -87,6 +88,48 @@ Run HTTPS proxy (HTTP proxy over TLS) with automatic certs from LetsEncrypt on p
 dumbproxy -bind-address :443 -auth 'static://?username=admin&password=123456' -autocert
 ```
 
+### Example: HTTP proxy over TLS (pre-issued cert) behind Nginx reverse proxy performing SNI routing
+
+Run HTTPS proxy (HTTP proxy over TLS) with pre-issued cert listening proxy protocol on localhost's 10443 with `Basic` authentication (users and passwords in /etc/dumbproxy.htpasswd)):
+
+```sh
+dumbproxy \
+	-bind-address 127.0.0.1:10443 \
+	-proxyproto \
+	-auth basicfile://?path=/etc/dumbproxy.htpasswd \
+	-cert=/etc/letsencrypt/live/proxy.example.com/fullchain.pem \
+	-key=/etc/letsencrypt/live/proxy.example.com/privkey.pem
+```
+
+Nginx config snippet:
+
+```
+stream
+{
+	ssl_preread on;
+
+	map $ssl_preread_server_name $backend
+	{
+		proxy.example.com dumbproxy;
+		...
+	}
+
+	upstream dumbproxy
+	{
+		server 127.0.0.1:10443;
+	}
+
+	server
+	{
+		listen 443;
+		listen [::]:443;
+		proxy_protocol on;
+		proxy_pass $backend;
+	}
+
+}
+```
+
 ### Example: HTTP proxy over TLS (BuyPass automatic certs)
 
 Run HTTPS proxy (HTTP proxy over TLS) with automatic certs from BuyPass on port 443 with `Basic` authentication with username `admin` and password `123456`:
@@ -311,6 +354,8 @@ Usage of /home/user/go/bin/dumbproxy:
     	restrict autocert domains to this comma-separated list
   -bind-address string
     	HTTP proxy listen address. Set empty value to use systemd socket activation. (default ":8080")
+  -proxyproto
+      listen proxy protocol
   -bind-pprof string
     	enables pprof debug endpoints
   -bind-reuseport

diff --git a/go.mod b/go.mod
@@ -27,6 +27,7 @@ require (
 	github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
+	github.com/pires/go-proxyproto v0.8.0
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/term v0.27.0 // indirect

diff --git a/go.sum b/go.sum
@@ -34,6 +34,8 @@ github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kK
 github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
 github.com/libp2p/go-reuseport v0.4.0 h1:nR5KU7hD0WxXCJbmw7r2rhRYruNRl2koHw8fQscQm2s=
 github.com/libp2p/go-reuseport v0.4.0/go.mod h1:ZtI03j/wO5hZVDFo2jKywN6bYKWLOy8Se6DrI2E1cLU=
+github.com/pires/go-proxyproto v0.8.0 h1:5unRmEAPbHXHuLjDg01CxJWf91cw3lKHc/0xzKpXEe0=
+github.com/pires/go-proxyproto v0.8.0/go.mod h1:iknsfgnH8EkjrMeMyvfKByp9TiBZCKZM0jx2xmKqnVY=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E=

diff --git a/main.go b/main.go
@@ -37,6 +37,7 @@ import (
 	"github.com/SenseUnit/dumbproxy/forward"
 	"github.com/SenseUnit/dumbproxy/handler"
 	clog "github.com/SenseUnit/dumbproxy/log"
+	proxyproto "github.com/pires/go-proxyproto"
 )
 
 var (
@@ -255,6 +256,7 @@ type CLIArgs struct {
 	jsAccessFilter            string
 	jsAccessFilterInstances   int
 	jsProxyRouterInstances    int
+	proxyproto                bool
 }
 
 func parse_args() CLIArgs {
@@ -350,6 +352,7 @@ func parse_args() CLIArgs {
 		args.proxy = append(args.proxy, proxyArg{false, p})
 		return nil
 	})
+	flag.BoolVar(&args.proxyproto, "proxyproto", false, "listen proxy protocol")
 	flag.Parse()
 	args.positionalArgs = flag.Args()
 	return args
@@ -558,6 +561,11 @@ func run() int {
 		listener = newListener
 	}
 
+	if args.proxyproto {
+		mainLogger.Info("Listening proxy protocol")
+		listener = &proxyproto.Listener{Listener: listener}
+	}
+
 	if args.cert != "" {
 		cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile,
 			args.ciphers, uint16(args.minTLSVersion), uint16(args.maxTLSVersion), !args.disableHTTP2)