Gate PP allowlist by header preface#13125
Open
bneradt wants to merge 1 commit into apache:master from
Conversation
Flexible Proxy Protocol ports currently use proxy.config.http.proxy_protocol_allowlist as a source-IP gate for every connection, even when traffic never presents a Proxy Protocol header. Mixed PP and non-PP deployments can then reject ordinary HTTP or TLS clients unexpectedly. This changes the allowlist check to run only after a v1 or v2 Proxy Protocol preface is detected, while still applying the gate before parsing or consuming the header. This keeps PP-looking spoof attempts behind the trusted-peer check, leaves non-PP bytes untouched for normal probing or TLS handshakes, and documents the new behavior with focused AuTest coverage.
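As an added illustration of the gating order described above (not code from this PR or from Traffic Server itself), the following C++ sketch detects a v1 or v2 Proxy Protocol preface in the first bytes of a connection and consults the allowlist only when one is present, before any header byte is parsed. It assumes the ASCII "PROXY " v1 prefix and the 12-byte v2 signature from the PROXY protocol specification, models proxy.config.http.proxy_protocol_allowlist as a plain set of peer-IP strings (the record's real syntax is not modelled), and places the older per-connection gate beside the preface-gated one so the mixed-deployment rejection can be seen.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <set>
#include <string>

// Outcome of looking at the first bytes read from a socket.
// Incomplete means the bytes so far are a strict prefix of a signature
// and the caller should read more before deciding (assumed policy).
enum class PPPreface { None, V1, V2, Incomplete };

// Preface detection. Same name as the helper this PR adds, but this body is
// an illustration and not the project's implementation.
PPPreface
has_proxy_protocol_preface(const char *buf, size_t len)
{
  static constexpr char V1_SIG[] = "PROXY "; // v1: ASCII, 6 bytes
  static const char     V2_SIG[] = {'\r', '\n', '\r', '\n', '\0', '\r', '\n', 'Q', 'U', 'I', 'T', '\n'}; // v2: 12 bytes
  constexpr size_t V1_LEN = sizeof(V1_SIG) - 1; // drop the trailing NUL
  constexpr size_t V2_LEN = sizeof(V2_SIG);

  size_t n1 = len < V1_LEN ? len : V1_LEN;
  if (std::memcmp(buf, V1_SIG, n1) == 0) {
    return len >= V1_LEN ? PPPreface::V1 : PPPreface::Incomplete;
  }
  size_t n2 = len < V2_LEN ? len : V2_LEN;
  if (std::memcmp(buf, V2_SIG, n2) == 0) {
    return len >= V2_LEN ? PPPreface::V2 : PPPreface::Incomplete;
  }
  return PPPreface::None;
}

enum class Decision { PassThroughPlain, ParseProxyHeader, RejectUntrustedPP, NeedMoreData };

// Constructed stand-in for the allowlist record: a set of trusted peer IPs.
using Allowlist = std::set<std::string>;

// New behaviour: the allowlist is consulted only once a PP preface is seen,
// and before any of the header is parsed or consumed. Non-PP bytes are left
// untouched for normal protocol probing or the TLS handshake.
Decision
gate_proxy_protocol(const char *buf, size_t len, const std::string &peer_ip, const Allowlist &allow)
{
  switch (has_proxy_protocol_preface(buf, len)) {
  case PPPreface::Incomplete:
    return Decision::NeedMoreData;
  case PPPreface::None:
    return Decision::PassThroughPlain; // allowlist never consulted
  case PPPreface::V1:
  case PPPreface::V2:
    if (allow.count(peer_ip) == 0) {
      return Decision::RejectUntrustedPP; // spoof-looking header from an untrusted peer
    }
    return Decision::ParseProxyHeader;
  }
  return Decision::NeedMoreData; // not reachable; keeps compilers quiet
}

// Old behaviour, for contrast: every connection on a flexible PP port is
// gated by source IP, so an ordinary HTTP client from a non-listed address
// is rejected even though it sent no PROXY header.
Decision
gate_proxy_protocol_legacy(const char *buf, size_t len, const std::string &peer_ip, const Allowlist &allow)
{
  if (allow.count(peer_ip) == 0) {
    return Decision::RejectUntrustedPP;
  }
  PPPreface p = has_proxy_protocol_preface(buf, len);
  if (p == PPPreface::Incomplete) {
    return Decision::NeedMoreData;
  }
  return p == PPPreface::None ? Decision::PassThroughPlain : Decision::ParseProxyHeader;
}

int
main()
{
  // Constructed sample connections: one plain HTTP request and one v1 PROXY line.
  const char http[] = "GET / HTTP/1.1\r\n";
  const char v1[]   = "PROXY TCP4 192.0.2.1 10.0.0.1 1234 80\r\n";
  Allowlist  allow{"10.0.0.5"};

  std::cout << "plain HTTP from 192.0.2.10, new gate rejects? "
            << (gate_proxy_protocol(http, sizeof(http) - 1, "192.0.2.10", allow) == Decision::RejectUntrustedPP) << "\n";
  std::cout << "plain HTTP from 192.0.2.10, old gate rejects? "
            << (gate_proxy_protocol_legacy(http, sizeof(http) - 1, "192.0.2.10", allow) == Decision::RejectUntrustedPP) << "\n";
  std::cout << "PROXY v1 from 192.0.2.10, new gate rejects? "
            << (gate_proxy_protocol(v1, sizeof(v1) - 1, "192.0.2.10", allow) == Decision::RejectUntrustedPP) << "\n";
  return 0;
}
```

The detection stops short of parsing: it only decides whether the bytes look like a preface, so an untrusted peer's PROXY line is refused without any of it being consumed, while a TLS ClientHello or an HTTP request from the same peer is handed on unchanged.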
f21e8ec to 687b0f2
Pull request overview
Adjusts Proxy Protocol allowlist enforcement so that flexible Proxy Protocol ports only apply proxy.config.http.proxy_protocol_allowlist when the incoming connection actually starts with a PROXY v1/v2 preface, avoiding unintended rejection of ordinary HTTP/TLS clients in mixed deployments.
Changes:
- Gate allowlist checks behind PROXY preface detection (before parsing/consuming the header) for both plaintext and TLS paths.
- Add NetVConnection::has_proxy_protocol_preface(...) helpers and reuse them in PROXY header detection.
- Add AuTest coverage plus documentation/release-note updates describing the new behavior and recommending ip_allow.yaml for general source-IP ACLs.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/proxy/ProtocolProbeSessionAccept.cc | Only enforces the Proxy Protocol allowlist after detecting a PROXY preface on plaintext ports. |
| src/iocore/net/SSLNetVConnection.cc | Only enforces the Proxy Protocol allowlist after detecting a PROXY preface during TLS handshake raw reads. |
| src/iocore/net/NetVConnection.cc | Introduces reusable PROXY preface detection helpers and uses them in existing header detection. |
| include/iocore/net/NetVConnection.h | Declares the new has_proxy_protocol_preface overloads. |
| tests/gold_tests/proxy_protocol/proxy_protocol.test.py | Adds a new gold test covering allowlist behavior for non-PP vs PP-prefaced traffic. |
| tests/gold_tests/proxy_protocol/replay/proxy_protocol_allowlist.replay.yaml | Adds replay data to support the new allowlist test. |
| doc/release-notes/upgrading.en.rst | Documents the behavioral change for upgrades. |
| doc/admin-guide/files/records.yaml.en.rst | Updates the proxy_protocol_allowlist record docs to reflect preface-gated enforcement. |
| doc/admin-guide/configuration/proxy-protocol.en.rst | Updates the Proxy Protocol admin guide to match the new allowlist semantics. |
Flexible Proxy Protocol ports currently use
proxy.config.http.proxy_protocol_allowlist as a source-IP gate for
every connection, even when traffic never presents a Proxy Protocol
header. Mixed PP and non-PP deployments can then reject ordinary HTTP
or TLS clients unexpectedly.
This changes the allowlist check to run only after a v1 or v2 Proxy
Protocol preface is detected, while still applying the gate before
parsing or consuming the header. This keeps PP-looking spoof attempts
behind the trusted-peer check, leaves non-PP bytes untouched for normal
probing or TLS handshakes, and documents the new behavior with focused
AuTest coverage.
Incompatible Note
Observe that this is an incompatible behavior change and should not be backported to 10.x or 9.x branches.