fix: Handle HAProxy protocol in TLS pipeline (kroxylicious#3546)

Adds support for HAProxy PROXY protocol when TLS is enabled.
Resolves kroxylicious#287

- used CompositeByteBuf and Unmodifiable copy for tlvs
- HaProxyMessageHandler: extend SimpleChannelInboundHandler<HAProxyMessage>
  so the ref-counted message is auto-released after processing.
- ProxyChannelStateMachine#onClientActive: drop the always-true instanceof
  guard and reuse the ClientActive instance.
- con-configuration-outline.adoc: fix YAML example to use `mode: disabled`
  instead of the non-existent `enabled` field.
- HaProxyMessageHandlerTest: add test asserting refCnt == 0 after read.

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Hrishabh Gupta <hgupta@confluent.io>

Author: hrishabhg

.gitignore

@@ -28,6 +28,7 @@ dependency-reduced-pom.xml
 .idea/kubernetes-settings.xml
 .idea/sonarlint.xml
 .idea/copilot.*
+.idea/go.imports.xml
 
  # AWS User-specific
 .idea/**/aws.xml
@@ -110,3 +111,4 @@ docs/*.html
 .claude/agent-memory
 .op/
 .claude/projects/
+.claude/worktrees

kroxylicious-docs/docs/_assemblies/assembly-configuring-proxy.adoc

@@ -25,5 +25,6 @@ include::../_modules/configuring/con-configuring-vc-other-settings.adoc[leveloff
 include::../_modules/configuring/con-configuring-toplevel-other-settings.adoc[leveloffset=+1]
 include::../_modules/configuring/con-configuring-network-settings.adoc[leveloffset=+1]
 include::../_modules/configuring/con-configuring-idle-timeouts.adoc[leveloffset=+1]
+include::../_modules/configuring/con-configuring-proxy-protocol.adoc[leveloffset=+1]
 
 include::../_modules/configuring/ref-configuring-proxy-example.adoc[leveloffset=+1]

kroxylicious-docs/docs/_modules/configuring/con-configuration-outline.adoc

@@ -33,6 +33,8 @@ virtualClusters:
       # ...
     subjectBuilder:
       # ...
+proxyProtocol: # <10>
+  mode: disabled
 
 # ...
 ----
@@ -50,3 +52,4 @@ where:
 ** `targetCluster` defines the Kafka cluster that the virtual cluster (`my-cluster-proxy`) proxies.
 ** `gateways` defines the gateways configuration for this virtual cluster.
 ** `subjectBuilder` (Optional) defines the transport subject builder configuration.
+** `proxyProtocol` (Optional) Enable HAProxy PROXY protocol decoding when deployed behind a PROXY protocol-capable load balancer.

kroxylicious-docs/docs/_modules/configuring/con-configuring-proxy-protocol.adoc

@@ -0,0 +1,62 @@
+////
+  // Copyright Kroxylicious Authors.
+  //
+  // Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+////
+
+:_mod-docs-content-type: CONCEPT
+
+[id='con-configuring-proxy-protocol-{context}']
+= Configuring HAProxy PROXY protocol
+
+[role="_abstract"]
+When Kroxylicious is deployed behind a load balancer that uses the https://www.haproxy.org/download/3.3/doc/proxy-protocol.txt[HAProxy PROXY protocol], you can configure PROXY protocol handling so that the original client connection metadata (source address, destination address, ports) is preserved.
+
+Both PROXY protocol v1 (text) and v2 (binary, including TLV extensions) are supported.
+
+== Proxy protocol modes
+
+The `proxyProtocol.mode` property controls how Kroxylicious handles incoming connections:
+
+`required`:: Every incoming connection *must* begin with a PROXY protocol header.
+Connections without a valid header are rejected immediately with a warning log.
+Use this when Kroxylicious is always behind a PROXY protocol-capable load balancer.
+
+`allowed`:: Kroxylicious inspects the first bytes of each connection and automatically detects whether a PROXY protocol header is present.
+If detected, the header is decoded and the original client address is extracted.
+If not, the bytes are passed through to the Kafka protocol decoder.
+Use this when the same listener may receive both proxied and direct connections.
+
+`disabled`:: No PROXY protocol handling (default).
+All bytes are treated as Kafka protocol data.
+
+.Configuration fragment with PROXY protocol in required mode
+[source,yaml]
+----
+proxyProtocol:
+  mode: required
+----
+
+.Configuration fragment with PROXY protocol in allowed mode
+[source,yaml]
+----
+proxyProtocol:
+  mode: allowed
+----
+
+[IMPORTANT]
+====
+When `mode` is set to `required`, all incoming connections must include a PROXY protocol header.
+If a client connects directly without going through a PROXY protocol-capable load balancer, the connection will be rejected and Kroxylicious will log a warning:
+
+`Connection rejected — expected PROXY protocol header but received non-PROXY data.
+Ensure the upstream load balancer is configured to send PROXY protocol headers,
+or set proxyProtocol mode to 'allowed' or 'disabled'.`
+====
+
+[IMPORTANT]
+====
+When `mode` is set to `allowed`, any client that can connect directly to Kroxylicious (bypassing the load balancer) can send a PROXY protocol header with a spoofed source address.
+Only use `allowed` mode when your network topology guarantees that untrusted clients cannot reach the proxy port directly, or when source address spoofing is an acceptable risk.
+If all connections come through a PROXY protocol-capable load balancer, prefer `required` mode instead.
+====

kroxylicious-integration-test-support/src/test/java/io/kroxylicious/proxy/config/ConfigurationTest.java

@@ -584,6 +584,7 @@ void shouldRejectFilterDefinitionsWithSameName() {
                 null,
                 false,
                 development,
+                null,
                 null))
                 .isInstanceOf(IllegalConfigurationException.class)
                 .hasMessage("'filterDefinitions' contains multiple items with the same names: [foo]");
@@ -601,6 +602,7 @@ void shouldRejectMissingDefaultFilter() {
                 null,
                 false,
                 development,
+                null,
                 null))
                 .isInstanceOf(IllegalConfigurationException.class)
                 .hasMessage("'defaultFilters' references filters not defined in 'filterDefinitions': [missing]");
@@ -621,6 +623,7 @@ void shouldRejectMissingClusterFilter() {
                 virtualClusters,
                 null, false,
                 development,
+                null,
                 null))
                 .isInstanceOf(IllegalConfigurationException.class)
                 .hasMessage("'virtualClusters.vc1.filters' references filters not defined in 'filterDefinitions': [missing]");
@@ -647,6 +650,7 @@ void shouldRejectUnusedFilterDefinition() {
                 null,
                 false,
                 development,
+                null,
                 null))
                 .isInstanceOf(IllegalConfigurationException.class)
                 .hasMessage("'filterDefinitions' defines filters which are not used in 'defaultFilters' or in any virtual cluster's 'filters': [unused]");
@@ -670,6 +674,7 @@ void virtualClusterModelShouldUseCorrectFilters() {
                 null,
                 false,
                 Optional.empty(),
+                null,
                 null);
 
         // When
@@ -684,6 +689,42 @@ void virtualClusterModelShouldUseCorrectFilters() {
                 .hasValueSatisfying(vcm -> assertThat(vcm.getFilters()).singleElement().extracting(NamedFilterDefinition::type).isEqualTo("Bar"));
     }
 
+    @Test
+    void proxyProtocolModeShouldReturnRequiredWhenRequired() {
+        Configuration configuration = new Configuration(null, null, null,
+                List.of(buildVirtualCluster("vc", "x:9092", null)),
+                null, false, Optional.empty(), null,
+                new ProxyProtocolConfig(ProxyProtocolMode.REQUIRED));
+        assertThat(configuration.proxyProtocolMode()).isEqualTo(ProxyProtocolMode.REQUIRED);
+    }
+
+    @Test
+    void proxyProtocolModeShouldReturnAllowedWhenAllowed() {
+        Configuration configuration = new Configuration(null, null, null,
+                List.of(buildVirtualCluster("vc", "x:9092", null)),
+                null, false, Optional.empty(), null,
+                new ProxyProtocolConfig(ProxyProtocolMode.ALLOWED));
+        assertThat(configuration.proxyProtocolMode()).isEqualTo(ProxyProtocolMode.ALLOWED);
+    }
+
+    @Test
+    void proxyProtocolModeShouldReturnDisabledWhenDisabled() {
+        Configuration configuration = new Configuration(null, null, null,
+                List.of(buildVirtualCluster("vc", "x:9092", null)),
+                null, false, Optional.empty(), null,
+                new ProxyProtocolConfig(ProxyProtocolMode.DISABLED));
+        assertThat(configuration.proxyProtocolMode()).isEqualTo(ProxyProtocolMode.DISABLED);
+    }
+
+    @Test
+    void proxyProtocolDefaultsToDisabledWhenNull() {
+        Configuration configuration = new Configuration(null, null, null,
+                List.of(buildVirtualCluster("vc", "x:9092", null)),
+                null, false, Optional.empty(), null,
+                null);
+        assertThat(configuration.proxyProtocolMode()).isEqualTo(ProxyProtocolMode.DISABLED);
+    }
+
     @NonNull
     private static VirtualCluster buildVirtualCluster(String virtualClusterName, String targetBootstrap, @Nullable List<String> filterNames) {
         return new VirtualCluster(virtualClusterName, new TargetCluster(targetBootstrap, Optional.empty()),

kroxylicious-integration-tests/pom.xml

@@ -222,6 +222,16 @@
             <artifactId>netty-buffer</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-codec-haproxy</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-handler</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.apache.kafka</groupId>
             <artifactId>kafka-clients</artifactId>