Integrate proxyproto for TCP and TLS listeners

If the connection is made from one of the trusted proxies ip addresses,
it is allowed that TCP and TLS connections contain a proxyprotocol
header to pass source connection information. This in particular allows
dns over tls behind a load balancer, while keeping source ip address
information.

Signed-off-by: Peter Verraedt <peter@verraedt.be>

Author: peterverraedt

go.mod

@@ -45,6 +45,7 @@ require (
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/jstemmer/go-junit-report/v2 v2.1.0 // indirect
 	github.com/kisielk/errcheck v1.9.0 // indirect
+	github.com/pires/go-proxyproto v0.8.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect

go.sum

@@ -84,6 +84,8 @@ github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
 github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
+github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
+github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=

proxy/servertcp.go

@@ -16,12 +16,14 @@ import (
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/syncutil"
 	"github.com/miekg/dns"
+
+	proxyproto "github.com/pires/go-proxyproto"
 )
 
 // initTCPListeners initializes TCP listeners with configured addresses.
 func (p *Proxy) initTCPListeners(ctx context.Context) (err error) {
 	for _, addr := range p.TCPListenAddr {
-		var ln *net.TCPListener
+		var ln net.Listener
 		ln, err = p.listenTCP(ctx, addr)
 		if err != nil {
 			return fmt.Errorf("listening on tcp addr %s: %w", addr, err)
@@ -34,7 +36,7 @@ func (p *Proxy) initTCPListeners(ctx context.Context) (err error) {
 }
 
 // listenTCP returns a new TCP listener listening on addr.
-func (p *Proxy) listenTCP(ctx context.Context, addr *net.TCPAddr) (ln *net.TCPListener, err error) {
+func (p *Proxy) listenTCP(ctx context.Context, addr *net.TCPAddr) (ln net.Listener, err error) {
 	addrStr := addr.String()
 	p.logger.InfoContext(ctx, "creating tcp server socket", "addr", addrStr)
 
@@ -60,7 +62,24 @@ func (p *Proxy) listenTCP(ctx context.Context, addr *net.TCPAddr) (ln *net.TCPLi
 
 	p.logger.InfoContext(ctx, "listening to tcp", "addr", ln.Addr())
 
-	return ln, nil
+	/*if p.TrustedProxies.Contains(prx.Addr()) {
+		p.logger.InfoContext(ctx, "proxy server is not trusted", "addr", prx.Addr())
+	}*/
+
+	return p.wrapProxyListener(ln), nil
+}
+
+func (p *Proxy) wrapProxyListener(ln net.Listener) net.Listener {
+	return &proxyproto.Listener{
+		Listener: ln,
+		ConnPolicy: func(options proxyproto.ConnPolicyOptions) (proxyproto.Policy, error) {
+			if p.TrustedProxies.Contains(netutil.NetAddrToAddrPort(options.Upstream).Addr()) {
+				return proxyproto.USE, nil
+			}
+
+			return proxyproto.REJECT, nil
+		},
+	}
 }
 
 // initTLSListeners initializes TLS listeners with configured addresses.
@@ -78,7 +97,9 @@ func (p *Proxy) initTLSListeners(ctx context.Context) (err error) {
 			return fmt.Errorf("listening on tls addr %s: %w", addr, err)
 		}
 
-		l := tls.NewListener(tcpListen, p.TLSConfig)
+		proxyListen := p.wrapProxyListener(tcpListen)
+
+		l := tls.NewListener(proxyListen, p.TLSConfig)
 		p.tlsListen = append(p.tlsListen, l)
 
 		p.logger.InfoContext(ctx, "listening to tls", "addr", l.Addr())