Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proxyprotocol: use github.com/pires/go-proxyproto #5915

Merged
merged 6 commits into from
Dec 13, 2023

Conversation

mohammed90
Copy link
Member

Further enhancements can be added later, e.g. advanced allow/denylist policies.

I'll test it out soon, unless someone beats me to the test.

@mohammed90 mohammed90 added under review 🧐 Review is pending before merging dependencies ⛓️ Pull requests that update a dependency file labels Oct 24, 2023
@francislavoie
Copy link
Member

/cc @Embraser01 @KorvinSzanto if you'd like to test this

Co-authored-by: Francis Lavoie <[email protected]>
@francislavoie francislavoie added this to the v2.9.0 milestone Oct 24, 2023
@francislavoie
Copy link
Member

The code looks good to me. Glad we could retain the same options as-is!

Copy link
Member

@WeidiDeng WeidiDeng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few nitpicks only, LGTM.

@@ -39,31 +38,29 @@ type ListenerWrapper struct {
// allow/require PROXY headers from.
Allow []string `json:"allow,omitempty"`

rules []proxyprotocol.Rule
policies []goproxy.PolicyFunc
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why store this in a slice when there can be one func at once? proxyproto takes a slice of IP address and return a function. There is no need to store it in a slice.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's my attempt at future-proofing. proxyproto has a selection of policies. We can also build more as long as they conform to the PolicyFunc type. My thinking is we could expand the implementation later to unionize policies.

ReadHeaderTimeout: time.Duration(pp.Timeout),
}
if len(pp.policies) > 0 {
pl.Policy = pp.policies[0]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just use a field of type PolicyFunc and assign it here.

@KorvinSzanto
Copy link

This does seem to resolve #5863 for me.

@Embraser01
Copy link
Member

Embraser01 commented Oct 25, 2023

🎉 Can confirm it works as well as the one we made over at https://github.com/caddyserver/ingress/tree/master/pkg/proxy.

I created a PR to replace it by this one once merged and released

Copy link
Member

@mholt mholt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great, thanks for testing it out.

This is an elegant change. Once Weidi's comments are considered (or replied to) I'm good with merging this. Thank you @mohammed90 !!

@mohammed90
Copy link
Member Author

🎉 Can confirm it works as well as the one we made over at https://github.com/caddyserver/ingress/tree/master/pkg/proxy.

I created a PR to replace it by this one once merged and released

@Embraser01, I see your implementation uses the REQUIRE policy, while this PR goes with USE. Should I expose this configuration option?

@Embraser01
Copy link
Member

🎉 Can confirm it works as well as the one we made over at caddyserver/ingress@master/pkg/proxy.

I created a PR to replace it by this one once merged and released

@Embraser01, I see your implementation uses the REQUIRE policy, while this PR goes with USE. Should I expose this configuration option?

It could be nice to expose this option as some user may want to force proxy protocol. Currently the ingress controller doesn't let choose between those modes but I think it should probably be USE by default (don't remember why I set it up to REQUIRE)

Copy link
Member

@WeidiDeng WeidiDeng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nothing major except for the possible unix socket bug. I prefer to use the new netip types if possible.

modules/caddyhttp/proxyprotocol/policy.go Show resolved Hide resolved
modules/caddyhttp/proxyprotocol/listenerwrapper.go Outdated Show resolved Hide resolved
modules/caddyhttp/proxyprotocol/listenerwrapper.go Outdated Show resolved Hide resolved
@WeidiDeng
Copy link
Member

WeidiDeng commented Nov 4, 2023

LGTM, :shipit: .

@mholt mholt merged commit dc12bd9 into master Dec 13, 2023
23 checks passed
@mholt mholt deleted the switch-proxyprotocol-lib branch December 13, 2023 16:07
@mholt mholt removed the under review 🧐 Review is pending before merging label Dec 13, 2023
tianze0926 added a commit to tianze0926/caddy that referenced this pull request Dec 20, 2023
* templates: Fix httpInclude (fix caddyserver#5698)

Allowable during feature freeze because this is a simple, non-invasive
bug fix only.

* ci: Use gofumpt to format code (caddyserver#5707)

* go.mod: Upgrade golang.org/x/net to 0.14.0 (caddyserver#5718)

* ci: Add riscv64 (64-bit RISC-V) to goreleaser (caddyserver#5720)

This will add 64-bit RISC-V Linux prebuilts for Caddy.

* ci: Update to Go 1.21 (caddyserver#5719)

* ci: Update to Go 1.21

* Bump quic-go to v0.37.4

* Check EnableFullDuplex err

* Linter bug suppression

See timakin/bodyclose#52

---------

Co-authored-by: Francis Lavoie <[email protected]>

* fileserver: Don't repeat error for invalid method inside error context (caddyserver#5705)

* caddytls: Update docs for on-demand config

* Fix tests

I thought Go ordered JSON objects when marshaling, but I guess not.

* cmd: Require config for caddy validate (fix caddyserver#5612) (caddyserver#5614)

* Require config for caddy validate - fixes caddyserver#5612

Signed-off-by: Pistasj <[email protected]>

* Try making adjacent Caddyfile check its own function

Signed-off-by: Pistasj <[email protected]>

* add Francis' suggestion

Co-authored-by: Francis Lavoie <[email protected]>

* Refactor

* Fix borked commit, sigh

---------

Signed-off-by: Pistasj <[email protected]>
Co-authored-by: Francis Lavoie <[email protected]>
Co-authored-by: Matthew Holt <[email protected]>

* fileserver: Slightly more fitting icons

* ci: use gci linter (caddyserver#5708)

* use gofmput to format code

* use gci to format imports

* reconfigure gci

* linter autofixes

* rearrange imports a little

* export GOOS=windows golangci-lint run ./... --fix

* reverseproxy: Always return new upstreams (fix caddyserver#5736) (caddyserver#5752)

* reverseproxy: Always return new upstreams (fix caddyserver#5736)

* Fix healthcheck logger race

* go.mod: Upgrade CertMagic and quic-go

* fix package typo (caddyserver#5764)

Signed-off-by: guoguangwu <[email protected]>

* fileserver: docs: clarify the ability to produce JSON array with `browse` (caddyserver#5751)

* caddyfile: Loosen heredoc parsing (caddyserver#5761)

* httpcaddyfile: Stricter errors for site and upstream address schemes (caddyserver#5757)

Co-authored-by: Mohammed Al Sahaf <[email protected]>
Co-authored-by: Francis Lavoie <[email protected]>

* update quic-go to v0.37.6 (caddyserver#5767)

* caddyfile: Adjust error formatting (caddyserver#5765)

* replacer: change timezone to UTC for "time.now.http" placeholders (caddyserver#5774)

* chore: Appease gosec linter (caddyserver#5777)

These happen to be harmless memory aliasing
but I guess the linter can't know that and we
can't really prove it in general.

* go.mod: Update quic-go to v0.38.0 (caddyserver#5772)

* go.mod: Update quic-go to v0.38.0

* run "go mod tidy"

---------

Co-authored-by: Matt Holt <[email protected]>

* caddyfile: Fix case where heredoc marker is empty after newline (caddyserver#5769)

Fixes `panic: runtime error: slice bounds out of range [:3] with capacity 2`

Co-authored-by: Matt Holt <[email protected]>

* ci: ensure short-sha is exported correctly on all platforms (caddyserver#5781)

* fileserver: Export BrowseTemplate

This allows programs embedding Caddy to customize the browse template.

* logging: Clone array on log filters, prevent side-effects (caddyserver#5786)

Fixes https://caddy.community/t/is-caddy-mutating-header-content-from-logging-settings/20947

* logging: query filter for array of strings (caddyserver#5779)

Co-authored-by: Matt Holt <[email protected]>
Co-authored-by: Francis Lavoie <[email protected]>

* ci: Run govulncheck (caddyserver#5790)

* feat(ci): check vuln Go mods in CI

* fix(ci): correct directive for govulncheck

* refactor(ci): move govulncheck to lint.yml

* refactor(lint): move govulncheck to different job

* cmd: Prevent overwriting existing env vars with `--envfile` (caddyserver#5803)

Co-authored-by: Francis Lavoie <[email protected]>

* httpcaddyfile: fix placeholder shorthands in named routes (caddyserver#5791)

Co-authored-by: Francis Lavoie <[email protected]>

* reverseproxy: fix nil pointer dereference in AUpstreams.GetUpstreams (caddyserver#5811)

fix a nil pointer dereference in AUpstreams.GetUpstreams when AUpstreams.Versions is not set (fixes caddyserver#5809)

Signed-off-by: Pascal Vorwerk <[email protected]>

* fileserver: browse template SVG icons and UI tweaks (caddyserver#5812)

* fileserver browse.html UI tweaks: folder-symlink icon, search

fileserver browse.html UI tweaks: folder-symlink icon, search

- ui - add folder-symlink SVG icon
- search: use `<input type="search">` instead of `text`
- fix npe with `sizebar.style.width` = null in grid mode

* tabify whitespace

Co-authored-by: Francis Lavoie <[email protected]>

---------

Co-authored-by: Francis Lavoie <[email protected]>

* caddyhttp: Use LimitedReader for HTTPRedirectListener

* build(deps): bump actions/checkout from 3 to 4 (caddyserver#5846)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump goreleaser/goreleaser-action from 4 to 5 (caddyserver#5847)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: caddytest.AssertResponseCode error message (caddyserver#5853)

* reverseproxy: Allow fallthrough for response handlers without routes (caddyserver#5780)

* templates: Add dummy `RemoteAddr` to `httpInclude` request, proxy compatibility (caddyserver#5845)

* Enhancement: Allow X-Forwarded-For Header in httpInclude Virtual Requests

The goal of this enhancement is to modify the funcHTTPInclude function in the Caddy codebase to include the X-Forwarded-For header in the virtual request. This change will enable reverse proxies to set the X-Forwarded-For header, ensuring that the client's IP address is correctly provided to the target endpoint. This modification is essential for applications that depend on the X-Forwarded-For header for various functionalities, such as authentication, logging, or content customization.

* Updated tplcontext.go - set `virtReq.RemoteAddr = "127.0.0.1"`

i have made the suggested changes

* Apply suggestions from code review

* Update modules/caddyhttp/templates/tplcontext.go

---------

Co-authored-by: Francis Lavoie <[email protected]>

* go.mod: Upgrade dependencies incl. x/net/http

Possibly important for the HTTP/2 Rapid Reset issue.

* fileserver: Add command shortcuts `-l` and `-a` (caddyserver#5854)

* encode: Add `application/wasm*` to the default content types (caddyserver#5869)

* httpcaddyfile: Enable TLS for catch-all site if `tls` directive is specified (caddyserver#5808)

* reverseproxy: Fix retries on "upstreams unavailable" error (caddyserver#5841)

* reverseproxy: fix parsing Caddyfile fails for unlimited request/response buffers (caddyserver#5828)

* cmd: Fix exiting with custom status code, add `caddy -v` (caddyserver#5874)

* Simplify variables for commands

* Add --envfile support for adapt command

* Carry custom status code for commands to os.Exit()

* cmd: add `-v` and `--version` to root caddy command

* Add `--envfile` to `caddy environ`, extract flag parsing to func

---------

Co-authored-by: Mohammed Al Sahaf <[email protected]>

* httpcaddyfile: Sort TLS SNI matcher for deterministic JSON output (caddyserver#5860)

* httpcaddyfile: Sort TLS SNI matcher, for deterministic adapt output

* Update caddyconfig/httpcaddyfile/httptype.go

---------

Co-authored-by: Matt Holt <[email protected]>

* reverseproxy: Replace health header placeholders (caddyserver#5861)

* reverseproxy: Add logging for dynamic A upstreams (caddyserver#5857)

* reverseproxy: Fix `least_conn` policy regression (caddyserver#5862)

* reverseproxy: Add more debug logs (caddyserver#5793)

* reverseproxy: Add more debug logs

This makes debug logging very noisy when reverse proxying, but I guess
that's the point.

This has shown to be useful in troubleshooting infrastructure issues.

* Update modules/caddyhttp/reverseproxy/streaming.go

Co-authored-by: Francis Lavoie <[email protected]>

* Update modules/caddyhttp/reverseproxy/streaming.go

Co-authored-by: Francis Lavoie <[email protected]>

* Add opt-in `trace_logs` option

* Rename to VerboseLogs

---------

Co-authored-by: Francis Lavoie <[email protected]>

* tls: Add X25519Kyber768Draft00 PQ "curve" behind build tag (caddyserver#5852)

… when compiled with cfgo (https://github.com/cloudflare/go).

* fileserver: Set canonical URL on browse template (caddyserver#5867)

* Browse.html: Add canonical URL and home-link

When contents are equal, but maybe just a sort order is different, it is good to add `<link rel="canonical" href="base-path/" />`. This helps search engines propeely index the page.

I also added a link to the home page with the name of `{{.Host}}` just above the bread crumbs to make the page clearer.

https://paste.tnonline.net/files/28Wun5CQZiqA_Screenshot_20231007_134435_Opera.png

* Update browse.html

* ci: Force the Go version for govulncheck (caddyserver#5879)

* admin: Respond with 4xx on non-existing config path (caddyserver#5870)

Co-authored-by: Matt Holt <[email protected]>

* caddyfile: Fix variadic placeholder false positive when token contains `:` (caddyserver#5883)

* cmd: upgrade: resolve symlink of the executable (caddyserver#5891)

* httpcaddyfile: Fix TLS automation policy merging with get_certificate (caddyserver#5896)

* templates: Clarify `include` args docs, add `.ClientIP` (caddyserver#5898)

* core: quic listener will manage the underlying socket by itself (caddyserver#5749)

* core: quic listener will manage the underlying socket by itself.

* format code

* rename sharedQUICTLSConfig to sharedQUICState, and it will now manage the number of active requests

* add comment

* strict unwrap type

* fix unwrap

* remove comment

* cmd: Add newline character to version string in CLI output (caddyserver#5895)

* caddyhttp: Use sync.Pool to reduce lengthReader allocations (caddyserver#5848)

* Use sync.Pool to reduce lengthReader allocations

Signed-off-by: Harish Shan <[email protected]>

* Add defer putLengthReader to prevent leak

Signed-off-by: Harish Shan <[email protected]>

* Cleanup in putLengthReader

Co-authored-by: Francis Lavoie <[email protected]>

---------

Signed-off-by: Harish Shan <[email protected]>
Co-authored-by: Francis Lavoie <[email protected]>

* core: Apply SO_REUSEPORT to UDP sockets (caddyserver#5725)

* core: Apply SO_REUSEPORT to UDP sockets

For some reason, 10 months ago when I implemented SO_REUSEPORT
for TCP, I didn't realize, or forgot, that it can be used for UDP too. It is a
much better solution than using deadline hacks to reuse a socket, at
least for TCP.

Then mholt/caddy-l4#132 was posted,
in which we see that UDP servers never actually stopped when the
L4 app was stopped. I verified this using this command:

    $ nc -u 127.0.0.1 55353

combined with POSTing configs to the /load admin endpoint (which
alternated between an echo server and a proxy server so I could tell
which config was being used).

I refactored the code to use SO_REUSEPORT for UDP, but of course
we still need graceful reloads on all platforms, not just Unix, so I
also implemented a deadline hack similar to what we used for
TCP before. That implementation for TCP was not perfect, possibly
having a logical (not data) race condition; but for UDP so far it
seems to be working. Verified the same way I verified that SO_REUSEPORT
works.

I think this code is slightly cleaner and I'm fairly confident this code
is effective.

* Check error

* Fix return

* Fix var name

* implement Unwrap interface and clean up

* move unix packet conn to platform specific file

* implement Unwrap for unix packet conn

* Move sharedPacketConn into proper file

* Fix Windows

* move sharedPacketConn and fakeClosePacketConn to proper file

---------

Co-authored-by: Weidi Deng <[email protected]>

* httpcaddyfile: Remove port from logger names (caddyserver#5881)

Co-authored-by: Matt Holt <[email protected]>

* templates: Delete headers on `httpError` to reset to clean slate (caddyserver#5905)

* go.mod: CVE-2023-45142 Update opentelemetry (caddyserver#5908)

* go.mod: Upgrade quic-go to v0.39.1

* caddyhttp: Adjust `scheme` placeholder docs (caddyserver#5910)

* Upgrade acmeserver to github.com/go-chi/chi/v5 (caddyserver#5913)

This commit upgrades the router used in the acmeserver to
github.com/go-chi/chi/v5. In the latest release of step-ca, the router
used by certificates was upgraded to that version.

Fixes caddyserver#5911

Signed-off-by: Mariano Cano <[email protected]>

* test: acmeserver: add smoke test for the ACME server directory (caddyserver#5914)

* chore: Fix usage pool comment (caddyserver#5916)

* update quic-go to v0.39.3 (caddyserver#5918)

* go.mod: update quic-go version to v0.40.0 (caddyserver#5922)

* Revert "caddyhttp: Use sync.Pool to reduce lengthReader allocations (caddyserver#5848)" (caddyserver#5924)

* fileserver: Add .m4v for browse template icon

* httpredirectlistener: Only set read limit for when request is HTTP (caddyserver#5917)

* chore: Bump otel to v1.21.0. (caddyserver#5949)

Signed-off-by: Dan Lorenc <[email protected]>

* panic when reading from backend failed to propagate stream error (caddyserver#5952)

* http2 uses new round-robin scheduler (caddyserver#5946)

* templates: Offically make templates extensible (caddyserver#5939)

* templates: Offically make templates extensible

This supercedes caddyserver#4757 (and caddyserver#4568) by making template extensions
configurable.

The previous implementation was never documented AFAIK and had only
1 consumer, which I'll notify as a courtesy.

* templates: Add 'maybe' function for optional components

* Try to fix lint error

* tls: accept placeholders in string values of certificate loaders (caddyserver#5963)

* tls: loader: accept placeholders in string values

* appease the linter

* caddytls: Context to DecisionFunc (caddyserver#5923)

See caddyserver/certmagic#255

* caddytls: Sync distributed storage cleaning (caddyserver#5940)

* caddytls: Log out remote addr to detect abuse

* caddytls: Sync distributed storage cleaning

* Handle errors

* Update certmagic to fix tiny bug

* Split off port when logging remote IP

* Upgrade CertMagic

* chore: cross-build for AIX (caddyserver#5971)

* core: Always make AppDataDir for InstanceID (caddyserver#5976)

* cmd: Preserve LastModified date when exporting storage (caddyserver#5968)

* proxyprotocol: use github.com/pires/go-proxyproto (caddyserver#5915)

* proxyprotocol: use github.com/pires/go-proxyproto

* Fix typo: r/generelly/generally

Co-authored-by: Francis Lavoie <[email protected]>

* add config options for `Deny` CIDR and fallback policy

* use `netip` package & trust unix sockets

---------

Co-authored-by: Francis Lavoie <[email protected]>

* caddyhttp: Add `uuid` to access logs when used (caddyserver#5859)

* fileserver: New --precompressed flag (caddyserver#5880)

exposes the file_server precompressed functionality to be used with the
file-server command

Co-authored-by: Matt Holt <[email protected]>

* fileserver: Enable compression for command by default (caddyserver#5855)

* feat: enable compression for file-server

* refactor

* const

* Update help text

* Update modules/caddyhttp/fileserver/command.go

---------

Co-authored-by: Francis Lavoie <[email protected]>
Co-authored-by: Matt Holt <[email protected]>

* go.mod: Updated quic-go to v0.40.1 (caddyserver#5983)

* metrics: Record request metrics on HTTP errors (caddyserver#5979)

* httpcaddyfile: Sort skip_hosts for deterministic JSON (caddyserver#5990)

* httpcaddyfile: Sort skip_hosts for deterministic JSON

* Update caddyconfig/httpcaddyfile/httptype.go

Co-authored-by: Mohammed Al Sahaf <[email protected]>

* Fix test

* Bah

---------

Co-authored-by: Mohammed Al Sahaf <[email protected]>

* logging: Add `zap.Option` support (caddyserver#5944)

* cmd: use automaxprocs for better perf in containers (caddyserver#5711)

* feat: use automaxprocs for better perf in containers

* better logs

* cs

* build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 (caddyserver#5994)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.16.0 to 0.17.0.
- [Commits](golang/crypto@v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: Pistasj <[email protected]>
Signed-off-by: guoguangwu <[email protected]>
Signed-off-by: Pascal Vorwerk <[email protected]>
Signed-off-by: Harish Shan <[email protected]>
Signed-off-by: Mariano Cano <[email protected]>
Signed-off-by: Dan Lorenc <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Matthew Holt <[email protected]>
Co-authored-by: Jacob Gadikian <[email protected]>
Co-authored-by: Shyim <[email protected]>
Co-authored-by: Aaron Dewes <[email protected]>
Co-authored-by: Francis Lavoie <[email protected]>
Co-authored-by: pistasjis <[email protected]>
Co-authored-by: guangwu <[email protected]>
Co-authored-by: Mohammed Al Sahaf <[email protected]>
Co-authored-by: Karun Agarwal <[email protected]>
Co-authored-by: Marten Seemann <[email protected]>
Co-authored-by: WeidiDeng <[email protected]>
Co-authored-by: Paul Jeannot <[email protected]>
Co-authored-by: Đỗ Trọng Hải <[email protected]>
Co-authored-by: Evan Van Dam <[email protected]>
Co-authored-by: Pascal Vorwerk <[email protected]>
Co-authored-by: glowinthedark <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Kévin Dunglas <[email protected]>
Co-authored-by: Patrick Koenig <[email protected]>
Co-authored-by: Thanmay Nath <[email protected]>
Co-authored-by: Christoph <[email protected]>
Co-authored-by: Fred Cox <[email protected]>
Co-authored-by: Bas Westerbaan <[email protected]>
Co-authored-by: Forza <[email protected]>
Co-authored-by: Norman Soetbeer <[email protected]>
Co-authored-by: Harish Shan <[email protected]>
Co-authored-by: Ethan Brown (Domino) <[email protected]>
Co-authored-by: Mariano Cano <[email protected]>
Co-authored-by: dlorenc <[email protected]>
Co-authored-by: Andreas Kohn <[email protected]>
Co-authored-by: Benjamin Marwell <[email protected]>
Co-authored-by: Aziz Rmadi <[email protected]>
Co-authored-by: Jens-Uwe Mager <[email protected]>
Co-authored-by: David DeMoss <[email protected]>
Co-authored-by: Tim Geoghegan <[email protected]>
Comment on lines +17 to +18
// USE address from PROXY header
PolicyUSE
Copy link

@TimWolla TimWolla Feb 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't do Caddy and I only do the bare minimum of Go. This came to my attention via haproxy/haproxy#2450 and if I understand the code correctly, the USE policy is a footgun will result in security vulnerabilities, as per my comment on the HAProxy issue. My understanding is that it uses the PROXY header if one is sent and does not use it, if it is missing, allowing a malicious client to add the PROXY header itself if a gateway in front of Caddy is trusted, but does not add the PROXY header for whatever reason.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also find REJECT somewhat questionable, because it effectively is SKIP, but worse: It would reject a connection if the first few bytes of the connection happen to match a valid PROXY header by chance, instead of just passing it to the underlying protocol handler.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the user knows their Caddy instance is accessible on public networks, they should configure allow to limit PROXY protocol to only those IP ranges.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would reject a connection if the first few bytes of the connection happen to match a valid PROXY header by chance, instead of just passing it to the underlying protocol handler.

We're only concerned with HTTP and TLS in this case, so that's not a concern. We have a different implementation for https://github.com/mholt/caddy-l4 which allows any TCP/UDP traffic.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the user knows their Caddy instance is accessible on public networks, they should configure allow to limit PROXY protocol to only those IP ranges.

My understanding is that the allow configuration option sets the USE policy for a given client as per

https://github.com/caddyserver/caddy/pull/5915/files#diff-39cd21a1e121836c0740aa16ed05549fb146c932b9c0f93f5409a6ccb902c0a9R92-R97

Now consider the following:

  1. I configure allow 10.10.10.10 to preserve IP addresses from my trusted gateway running at 10.10.10.10.
  2. This configures the USE policy, which to my understanding takes the client information from the PROXY header if present and accepts the connection without doing anything special if the PROXY header is not present.
  3. My trusted gateway at 10.10.10.10 does not add the PROXY header for whatever reason (bug, configuration mistake, ...).
  4. Now a malicious client could connect to my trusted gateway at 10.10.10.10 and prepend a valid PROXY header to their request. This PROXY header would be forwarded as-is to Caddy and then accepted.

If instead the REQUIRE policy would be configured, I would notice at step (3), because all connections from my trusted gateway would be rejected as the PROXY header is missing, thus alerting my monitoring.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for coming late to this discussion. The long-winded discussion is getting me lost. It's also hard to follow as it's going on multiple links covering multiple related yet separate subjects and multiple technologies.
Is the summary:

  • REQUIRE and SKIP are blessed, good, and safe to keep
  • all the others are recommended to be removed and considered unsafe
    ?

Copy link

@polarathene polarathene May 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary

The long-winded discussion is getting me lost. It's also hard to follow as it's going on multiple links covering multiple related yet separate subjects and multiple technologies.

I believe I summarized the whole discussion here: mholt/caddy-l4#176 (comment)

From what I can tell there was a miscommunication with the vulnerability concern raised.
At least with the present discussion, there is still no clear justification that a trust policy cannot apply to a host where the PROXY header is optional.

...projects that had flexible policies that conflicted with the specification (which appears acceptable to an extent from their response, thus the specification probably needs an update).

with additional clarification in a collapsed details block:

In the example we've been discussing, the concern appears more to do with the trusted host (Traefik) being hands-off with PROXY protocol, such that a malicious client can provide their own PROXY protocol header that Traefik simply forwards to Caddy that trusts all connections to the Caddy server port from Traefik.

  • Correct fix and prevention is to ensure Traefik does not allow untrusted clients to sneak in their own PROXY protocol header.
  • Configuration issue of the trusted host, nothing to do with Caddy allowing the PROXY header to be optional for a trusted host.

I then expand a bit on policy concerns, but wrap it up with:

If REQUIRE were a default, but the user wanted Caddy to have USE for supporting connections to Caddy that don't / can't provide the PROXY header, all that's required in this vulnerable Traefik configuration is to ensure it uses IGNORE for untrusted clients (I will raise a bug report as their docs don't communicate the default behaviour doesn't check for a PROXY header at all).

I don't think I got around to raising that bug report. I had been preparing one but my browser crashed.


Traefik example

This was months ago so I can't quite recall all the details and don't have time to refresh my memory 😓 (below is based off recall of past discussion, I may slip up)

The default with Traefik for Layer 4 traffic forwarding (the only concern here) is to blindly forward IIRC.

  • Traefik will not apply any PROXY protocol inspection unless it's configured to do so (which was a concern that @TimWolla expressed when the inbound traffic may on the off-chance by coincidence have something that appears to be PROXY protocol header, thus Traefik avoids making this assumption by default).
  • When you have external traffic for Traefik to forward and the original IP needs to be kept due to some other load balancer / proxy in front of Traefik, then you need PROXY protocol at this Traefik entrypoint. This is separate from Traefik's routers that inject / prepend their own PROXY protocol (again when configured to do so), where traffic could be handed over to Caddy.

For clarity with the Traefik example:

  • Inbound connection (client to Traefik) => (is it a trusted proxy? apply a PROXY protocol policy) => Route to outbound
  • Outbound connection (Traefik to service, eg Caddy) => (if configured to, add a PROXY protocol header with the IP traefik associates to the client) => Traffic forwarded to service

It's similar for Caddy, but I use Traefik due to the Layer 4 support for both inbound and outbound, as that is where PROXY protocol applies. Layer 4 is a little bit muddy with Caddy IIRC which is presently more oriented around Layer 7 for the most part (unless using the L4 plugin).


Keep USE

all the others are recommended to be removed and considered unsafe

Disagree, USE is valid.

TL;DR is a third-party that is misconfigured allows for an exploit of trust when you have a more relaxed policy. That's not a reason to remove support for USE.


No opinion on the others as I was focused on a scenario with a trusted proxy (Traefik) that didn't forward PROXY protocol headers from it's own inbound connections (Traefik entrypoint), ensuring that PROXY protocol header was only provided to Caddy when appropriate (a connection that could not use a Layer 7 router).

If you're going to remove a policy because it's considered unsafe, please demonstrate an understanding of why it's unsafe. A firewall or anti-virus can be disabled and make a system vulnerable, that doesn't mean it shouldn't be possible to opt-out. AFAIK the whole debate was around a misconfigured deployment, misconfigurations causing vulnerabilities aren't surprising.

Copy link

@TimWolla TimWolla May 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mohammed90

Is the summary:

REQUIRE and SKIP are blessed, good, and safe to keep
all the others are recommended to be removed and considered unsafe
?

  • REQUIRE is safe.
  • SKIP is safe.
  • IGNORE is unsafe.
  • USE is unsafe.
  • REJECT is unsafe.

@polarathene With all due respect, you are misrepresenting the situation and I won't go through this once more with you.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correction, looking at the code: IGNORE is also unsafe (it's a worse version of USE).

Copy link

@polarathene polarathene May 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TL;DR: USE can be used securely 🙄

  • I just doubt anyone else cares enough to verify my demonstration of that (and I don't blame them),
  • It's not like it has to be a default policy though. Dropping support for these extra policies seems unnecessary when they have their uses.

you are misrepresenting the situation

If I had time to go through the discussion properly I would, but I believe I gave a decent reproduction example where that issue is closed with a summary and conclusion and a very verbose collapsed details block.

At a glance, here are some highlighted snippets for reference if anyone is interested:

image

image

image

image

image


It's easy to dismiss my input, but I have shown a scenario where USE is valid and useful, without the vulnerability concerns that @TimWolla raised 🤷‍♂️ :

image

That's it. That's what the big discussion was over

  • @TimWolla was focused on a concern that wasn't relevant in the configured scenario, for software he doesn't use or have familiarity with configuration wise, hence the misunderstanding / miscommunication. His concern is valid when applicable, but USE policy wasn't a vulnerability in the configuration I was seeking clarity on.
  • If you know what traffic is flowing inbound, You can choose to enforce PROXY protocol from trusted hosts, or discard / reject any connections that present a PROXY protocol header when one is not permitted.
  • Keep in mind this is an example where two reverse proxies supporting PROXY protocol are in use (Traefik handles the client connection, it has interacts with the PROXY protocol on both inbound and outbound connections, it is a trusted host to Caddy, but USE is valid for a trusted host as the client to Caddy when that trusted host is already sanitizing the real client connection)
  • In the case of Caddy, Traefik always adding a PROXY protocol header of it's own for Layer 4 traffic inbound to Caddy ensures that PROXY protocol is used correctly. If a 2nd header were even present (instead of stripped) the actual protocol negotiation such as TLS termination handled by Caddy would just fail instead.

I wrote a small program to act as a malicious client that injects it's own PROXY protocol header for the TLS connections, it could not be used to exploit a vulnerability via the scenario I argued was valid for a flexible USE policy. It would work if I had a misconfiguration, but as stated that is not something that should be surprising. If you set trusted hosts to allow anyone, you're vulnerable too 🤷‍♂️

I understand everyone is busy and my responses are frequently verbose. This topic was already concluded, the information is there for anyone that wants to spend time combing over it, I'm not interested in debating it all over again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies ⛓️ Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants