View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005306 | unreal | ircd | public | 2019-05-27 10:34 | 2024-09-23 12:09 |
| Reporter | daurnimator | Assigned To | syzop | ||
| Priority | normal | Severity | feature | Reproducibility | N/A |
| Status | acknowledged | Resolution | open | ||
| Product Version | 4.2.3 | ||||
| Summary | 0005306: Support PROXY protocol used by TCP load balancers | ||||
| Description | Many TCP load balancers support the PROXY protocol to pass along client IP information at the start of a connection. UnrealIRCD should support for trusting the PROXY data and using the provided client IP for connection throttling and ident. Docs can be found here: https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/ | ||||
| Additional Information | We're trying to deploy unrealircd inside of kubernetes, and struggling to expose it. Support for PROXY would unblock us. | ||||
| Tags | No tags attached. | ||||
| 3rd party modules | |||||
|
|
Better link about the PROXY protocol: https://www.haproxy.com/blog/haproxy/proxy-protocol/ |
|
|
It's important to note that there's multiple versions of the proxy protocol and I believe the versions are incompatible with each other. While I'd like for both to eventually be supported, as I believe DigitalOcean - our provider - will eventually offer support for both (and it would help enable more information about the socket, such as whether or not the connection is secure), version 1 is the one that we're needing to target, judging by this post: https://blog.digitalocean.com/load-balancers-now-support-proxy-protocol/. |
|
|
Specification about the protocol: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt |
|
|
I can easily add support for the v1 protocol very quickly (say, this week, if necessary). The v2 protocol will be more work and is likely more something for UnrealIRCd 5 (later this year). So if you can live with v1, then yeah, I can provide that soon. Let me know how that sounds. |
|
|
Sounds good to me. |
|
|
Good, I'll work on it on Thursday. |
|
|
Would you mind testing a proof of concept? Simply overwrite your existing webirc.c module from UnrealIRCd 4.2.3 and recompile. So: cd unrealircd-4.2.3 wget -O src/modules/webirc.c https://www.unrealircd.org/downloads/webirc.c make make install Then put the following in your configuration file:
webirc { mask *; type proxy; };
And restart (or just rehash) UnrealIRCd Naturally, you will need to make the mask more specific to trust only your proxy IP range, the mask * will accept PROXY from any IP address. I tested it with NGINX and it works. Note that it does not resolve IP's to hostnames at this time. It's just a proof of concept. |
|
|
I have updated the URL. Installation instructions are still the same as above. This is pretty much the final version for the v1 protocol. It handles the PROXY request and does DNS and ident lookups. Please let me know any success / failure stories. Thanks! |
|
|
I think this works with SSL incorrectly: for an SSL connection, the `PROXY` occurs outside the SSL. (as the first thing in the TCP connection) |
|
|
Mass umarking of 'assigned' issues that have been lingering (timed out), as it likely means it is not being worked on anymore. Setting back to 'acknowledged'. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2019-05-27 10:34 | daurnimator | New Issue | |
| 2019-05-27 10:37 | daurnimator | Note Added: 0020699 | |
| 2019-05-27 14:22 | RyanSquared | Note Added: 0020700 | |
| 2019-05-27 14:32 | RyanSquared | Note Added: 0020701 | |
| 2019-05-27 14:53 | syzop | Note Added: 0020702 | |
| 2019-05-28 07:55 | daurnimator | Note Added: 0020703 | |
| 2019-05-28 19:33 | syzop | Note Added: 0020706 | |
| 2019-05-28 19:33 | syzop | Assigned To | => syzop |
| 2019-05-28 19:33 | syzop | Status | new => assigned |
| 2019-05-29 17:25 | syzop | Note Added: 0020709 | |
| 2019-05-30 06:58 | syzop | Note Added: 0020712 | |
| 2019-06-10 11:57 | daurnimator | Note Added: 0020727 | |
| 2020-01-10 08:40 | syzop | Status | assigned => acknowledged |
| 2020-01-10 08:40 | syzop | Note Added: 0021216 | |
| 2024-09-23 12:09 | syzop | Relationship added | has duplicate 0006446 |
