View Issue Details

ID: 0005306
Project: unrealircd
Category:
View Status: public
Last Update: 2019-06-10 11:57
Reporter: daurnimator
Assigned To: syzop
Priority: normal
Severity: feature
Reproducibility: N/A
Status: assigned
Resolution: open
Product Version: 4.2.3
Target Version:
Fixed in Version:
Summary: 0005306: Support PROXY protocol used by TCP load balancers

Description: Many TCP load balancers support the PROXY protocol to pass along client IP information at the start of a connection.
UnrealIRCD should support trusting the PROXY data and using the provided client IP for connection throttling and ident.

Docs can be found here: https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/

Additional Information: We're trying to deploy unrealircd inside of kubernetes, and struggling to expose it. Support for PROXY would unblock us.

Tags: No tags attached.
3rd party modules:

Activities

daurnimator

2019-05-27 10:37

reporter   ~0020699

Better link about the PROXY protocol: https://www.haproxy.com/blog/haproxy/proxy-protocol/

RyanSquared

2019-05-27 14:22

reporter   ~0020700

It's important to note that there are multiple versions of the proxy protocol and I believe the versions are incompatible with each other. While I'd like for both to eventually be supported, as I believe DigitalOcean - our provider - will eventually offer support for both (and it would help enable more information about the socket, such as whether or not the connection is secure), version 1 is the one that we're needing to target, judging by this post: https://blog.digitalocean.com/load-balancers-now-support-proxy-protocol/.

RyanSquared

2019-05-27 14:32

reporter   ~0020701

Specification about the protocol: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

syzop

2019-05-27 14:53

administrator   ~0020702

I can easily add support for the v1 protocol very quickly (say, this week, if necessary). The v2 protocol will be more work and is likely more something for UnrealIRCd 5 (later this year).

So if you can live with v1, then yeah, I can provide that soon. Let me know how that sounds.

daurnimator

2019-05-28 07:55

reporter   ~0020703

Sounds good to me.

syzop

2019-05-28 19:33

administrator   ~0020706

Good, I'll work on it on Thursday.

syzop

2019-05-29 17:25

administrator   ~0020709

Would you mind testing a proof of concept?

Simply overwrite your existing webirc.c module from UnrealIRCd 4.2.3 and recompile.

So:
cd unrealircd-4.2.3
wget -O src/modules/webirc.c https://www.unrealircd.org/downloads/webirc.c
make
make install


Then put the following in your configuration file:
webirc { mask *; type proxy; };


And restart (or just rehash) UnrealIRCd.

Naturally, you will need to make the mask more specific to trust only your proxy IP range; the mask * will accept PROXY from any IP address.

I tested it with NGINX and it works. Note that it does not resolve IPs to hostnames at this time. It's just a proof of concept.
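
Added example, not part of the original thread and not UnrealIRCd's webirc.c: a Python illustration of the trust check the note above describes, where a PROXY v1 line is honored only when the TCP peer falls inside a trusted range. The function name, the trusted network and the sample bytes are constructed for illustration, and the code assumes the complete first line has already been read from the socket.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 line allowed by the HAProxy spec, CRLF included


class ProxyHeaderError(ValueError):
    """A trusted proxy sent a missing or malformed PROXY v1 line."""


def effective_client(peer_ip, data, trusted_nets):
    """Return (client address to use, bytes left for the IRC parser).

    peer_ip is the TCP peer address, data the first bytes read from the
    socket (assumed to hold the complete first line), trusted_nets a list
    of ipaddress networks that play the role of the webirc mask.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_nets):
        # Untrusted peer: its PROXY line is never honored, so it cannot
        # spoof the address used for connection throttling and ident.
        return peer, data
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if not data.startswith(b"PROXY ") or end < 0:
        raise ProxyHeaderError("no PROXY v1 line from trusted proxy")
    fields = data[:end].decode("ascii", "replace").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return peer, rest  # proxy could not tell; fall back to the peer
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed PROXY v1 line")
    version = 4 if fields[1] == "TCP4" else 6
    try:
        src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    except ValueError as exc:
        raise ProxyHeaderError("bad address in PROXY line") from exc
    ports_ok = all(p.isdigit() and int(p) <= 65535 for p in fields[4:6])
    if src.version != version or dst.version != version or not ports_ok:
        raise ProxyHeaderError("address family or port mismatch")
    return src, rest


# Constructed sample: a load balancer at 10.0.0.5 relaying a client.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.9 51234 6697\r\nNICK demo\r\n"
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]

if __name__ == "__main__":
    print(effective_client("10.0.0.5", SAMPLE, TRUSTED))
    print(effective_client("198.51.100.20", SAMPLE, TRUSTED))
```

With a catch-all trusted range the second call would also return 203.0.113.7, which is the spoofing risk of leaving the mask at *.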

syzop

2019-05-30 06:58

administrator   ~0020712

I have updated the URL. Installation instructions are still the same as above.

This is pretty much the final version for the v1 protocol. It handles the PROXY request and does DNS and ident lookups.

Please let me know any success / failure stories. Thanks!

daurnimator

2019-06-10 11:57

reporter   ~0020727

I think this works with SSL incorrectly: for an SSL connection, the `PROXY` occurs outside the SSL (as the first thing in the TCP connection).

Issue History

Date Modified Username Field Change
2019-05-27 10:34 daurnimator New Issue
2019-05-27 10:37 daurnimator Note Added: 0020699
2019-05-27 14:22 RyanSquared Note Added: 0020700
2019-05-27 14:32 RyanSquared Note Added: 0020701
2019-05-27 14:53 syzop Note Added: 0020702
2019-05-28 07:55 daurnimator Note Added: 0020703
2019-05-28 19:33 syzop Note Added: 0020706
2019-05-28 19:33 syzop Assigned To => syzop
2019-05-28 19:33 syzop Status new => assigned
2019-05-29 17:25 syzop Note Added: 0020709
2019-05-30 06:58 syzop Note Added: 0020712
2019-06-10 11:57 daurnimator Note Added: 0020727