Add a setting to adjust the maximum PP header size #12961
maskit wants to merge 5 commits into apache:master from
The original hard coded size is too small if PP version 2 is used and the header contains many TLV fields. This adds a new setting proxy.config.proxy_protocol.max_header_size to read a larger but limited amount of data to parse the PP header. This also adds a quick check to detect whether a PP header exists. The check avoids copying a large amount of data if PP is definitely unused.
[approve ci rocky]
Pull request overview
Adds a configurable limit for inbound PROXY protocol header parsing so ATS can accept larger PPv2 headers (e.g., with many TLVs), and documents the new record.
Changes:
- Register `proxy.config.proxy_protocol.max_header_size` and document it in `records.yaml`.
- Add `proxy_protocol_detect()` helper and use it to gate parsing in `NetVConnection::has_proxy_protocol(IOBufferReader*)`.
- Adjust PPv2 parse logging when the buffer is smaller than the expected header length.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| src/records/RecordsConfig.cc | Adds a new config record to control max inbound PROXY protocol header size. |
| include/iocore/net/ProxyProtocol.h | Exposes a new proxy_protocol_detect() API. |
| src/iocore/net/ProxyProtocol.cc | Implements detection helper and changes PPv2 “short buffer” logging behavior. |
| src/iocore/net/NetVConnection.cc | Uses the new config to size the read buffer for PROXY protocol parsing. |
| doc/admin-guide/files/records.yaml.en.rst | Documents the new configuration option. |
Comments suppressed due to low confidence (1)
src/iocore/net/NetVConnection.cc:76
- When `proxy_protocol_detect(tv)` succeeds, a `proxy_protocol_parse()` result of 0 likely means the header is incomplete (not enough bytes yet) or larger than the current max, not that the header is absent. Returning `false` here leaves the PROXY preface in the reader, and `ProtocolProbeSessionAccept` will proceed to HTTP probing with the wrong bytes at the front of the stream. Consider treating this as a “need more data” state (like the other overload does with `-EAGAIN`) or closing the connection with a clear diagnostic when the preface is present but parsing cannot complete.

  ```cpp
  size_t len = proxy_protocol_parse(&this->pp_info, tv);
  if (len > 0) {
    reader->consume(len);
    return true;
  }
  return false;
  ```
Pull request overview
Adds a configurable limit for PROXY protocol header parsing so ATS can support larger PROXY v2 headers (e.g., with TLVs) while keeping a default sized for PROXY v1.
Changes:
- Introduce `proxy.config.proxy_protocol.max_header_size` and plumb it through `HttpConfig`.
- Use the configured max header size when probing/parsing for PROXY protocol on accepted connections.
- Add PROXY protocol preface detection helper and document the new configuration record.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| src/records/RecordsConfig.cc | Registers the new proxy.config.proxy_protocol.max_header_size config record and its allowed range. |
| src/proxy/http/HttpConfig.cc | Loads the new config and propagates it into HttpConfigParams. |
| include/proxy/http/HttpConfig.h | Adds pp_hdr_max_size to HttpConfigParams. |
| src/proxy/ProtocolProbeSessionAccept.cc | Uses pp_hdr_max_size when checking for PROXY protocol on new connections. |
| include/iocore/net/NetVConnection.h | Updates NetVConnection::has_proxy_protocol(IOBufferReader*) signature to accept max_header_size. |
| src/iocore/net/NetVConnection.cc | Implements configurable-sized read for PROXY protocol parsing from an IOBufferReader. |
| include/iocore/net/ProxyProtocol.h | Declares proxy_protocol_detect() helper. |
| src/iocore/net/ProxyProtocol.cc | Implements proxy_protocol_detect() and adjusts logging for a PPv2 length mismatch case. |
| doc/admin-guide/files/records.yaml.en.rst | Documents the new PROXY protocol max header size configuration. |
Pull request overview
Adds a configurable maximum PROXY protocol header size, wiring it through records config and HttpConfig so the protocol probe can parse larger v2 headers (e.g., with many TLVs).
Changes:
- Introduces `proxy.config.proxy_protocol.max_header_size` and documents it.
- Plumbs the new config through `HttpConfig`/`HttpConfigParams` and into the protocol probe path.
- Refactors PROXY protocol detection/parsing flow to first detect preface, then parse with a configurable read size.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| src/records/RecordsConfig.cc | Adds the new config record for PROXY protocol max header size. |
| src/proxy/ProtocolProbeSessionAccept.cc | Reads the configured max header size and passes it into proxy-protocol detection/parsing. |
| src/proxy/http/HttpConfig.cc | Loads and propagates the new PROXY protocol header size setting into runtime params. |
| src/iocore/net/ProxyProtocol.cc | Adds proxy_protocol_detect() and changes logging for v2 length mismatch. |
| src/iocore/net/NetVConnection.cc | Updates has_proxy_protocol() to take a max header size and read more data before parsing. |
| include/proxy/http/HttpConfig.h | Adds pp_hdr_max_size to HttpConfigParams. |
| include/iocore/net/ProxyProtocol.h | Declares proxy_protocol_detect(). |
| include/iocore/net/NetVConnection.h | Updates the has_proxy_protocol() signature to accept max header size. |
| doc/admin-guide/files/records.yaml.en.rst | Documents the new config variable and its intent. |
A known limitation that has been there:
The code assumes that a whole PP header is received at once. If the header size is really large and the header is only partially received, ATS does not wait for the rest of the header and raises an error.
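The distinction the PR description and the known limitation above turn on (no PROXY header at all, versus a header that is present but not yet fully received, versus one larger than the configured cap) is easy to collapse into a single "parse failed" result. The following is an added example in C++ and is not Apache Traffic Server code: a classifier over the first bytes of an accepted connection that recognises the v1 and v2 prefaces, computes the v2 header length from its 16-bit length field, and refuses headers above a caller-supplied cap (standing in for proxy.config.proxy_protocol.max_header_size) before buffering the body. The names PpStatus, PpResult, pp_classify and make_v2_header are this example's own, and the addresses and NOOP TLV payload in the constructed header are made up.

```cpp
// Added example, not Apache Traffic Server code: classify the first bytes of an
// accepted connection against the PROXY protocol v1/v2 prefaces. The names
// PpStatus, PpResult, pp_classify and make_v2_header are this example's own.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

enum class PpStatus {
  Absent,    // bytes cannot be a PROXY header: hand them to HTTP/TLS probing untouched
  NeedMore,  // consistent with a PROXY header, but the header has not fully arrived yet
  TooLarge,  // a PROXY header is present but exceeds the configured cap: refuse it
  Complete   // a whole header is buffered; header_len bytes may be consumed
};

struct PpResult {
  PpStatus status;
  size_t   header_len;  // meaningful only when status == Complete
};

// v1: "PROXY " ... CRLF, at most 107 bytes including the CRLF (haproxy spec).
static const char   PP_V1_PREFACE[] = "PROXY ";
static const size_t PP_V1_MAX_LEN   = 107;
// v2: 12-byte signature, then ver/cmd, fam/proto and a big-endian 16-bit length
// of everything after the 16-byte fixed part (addresses + TLVs).
static const uint8_t PP_V2_SIG[12] = {0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D,
                                      0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A};
static const size_t PP_V2_FIXED_LEN = 16;

// Compare the bytes we have against a signature prefix: Absent on any mismatch,
// NeedMore if we have fewer bytes than the signature but all agree, Complete otherwise.
static PpStatus match_prefix(const uint8_t *buf, size_t len, const uint8_t *sig, size_t sig_len) {
  size_t n = len < sig_len ? len : sig_len;
  if (std::memcmp(buf, sig, n) != 0) return PpStatus::Absent;
  return len < sig_len ? PpStatus::NeedMore : PpStatus::Complete;
}

PpResult pp_classify(const uint8_t *buf, size_t len, size_t max_header_size) {
  PpStatus s = match_prefix(buf, len, PP_V2_SIG, sizeof PP_V2_SIG);
  if (s != PpStatus::Absent) {
    if (len < PP_V2_FIXED_LEN) return {PpStatus::NeedMore, 0};
    size_t total = PP_V2_FIXED_LEN + (((size_t)buf[14] << 8) | buf[15]);
    // Decide on the cap from the length field alone, before buffering the body.
    if (total > max_header_size) return {PpStatus::TooLarge, 0};
    if (len < total) return {PpStatus::NeedMore, 0};
    return {PpStatus::Complete, total};
  }
  s = match_prefix(buf, len, (const uint8_t *)PP_V1_PREFACE, sizeof PP_V1_PREFACE - 1);
  if (s == PpStatus::Absent) return {PpStatus::Absent, 0};
  // Bound the CRLF scan so a stream that starts with "PROXY " but never
  // terminates cannot keep the probe reading.
  size_t limit = PP_V1_MAX_LEN < max_header_size ? PP_V1_MAX_LEN : max_header_size;
  size_t scan  = len < limit ? len : limit;
  for (size_t i = 1; i < scan; ++i) {
    if (buf[i - 1] == '\r' && buf[i] == '\n') return {PpStatus::Complete, i + 1};
  }
  return len >= limit ? PpResult{PpStatus::TooLarge, 0} : PpResult{PpStatus::NeedMore, 0};
}

// Constructed PROXY v2 header (PROXY command, TCP over IPv4, made-up addresses)
// padded with one PP2_TYPE_NOOP TLV carrying noop_len bytes, to model a header
// that outgrows a small fixed read size.
std::vector<uint8_t> make_v2_header(size_t noop_len) {
  std::vector<uint8_t> h(PP_V2_SIG, PP_V2_SIG + sizeof PP_V2_SIG);
  h.push_back(0x21);  // version 2, command PROXY
  h.push_back(0x11);  // AF_INET, STREAM
  size_t body = 12 + 3 + noop_len;  // address block + TLV header + TLV value
  h.push_back((uint8_t)(body >> 8));
  h.push_back((uint8_t)(body & 0xFF));
  // constructed: 192.0.2.1:40000 -> 192.0.2.2:443
  const uint8_t addrs[12] = {192, 0, 2, 1, 192, 0, 2, 2, 0x9C, 0x40, 0x01, 0xBB};
  h.insert(h.end(), addrs, addrs + sizeof addrs);
  h.push_back(0x04);  // PP2_TYPE_NOOP
  h.push_back((uint8_t)(noop_len >> 8));
  h.push_back((uint8_t)(noop_len & 0xFF));
  h.insert(h.end(), noop_len, (uint8_t)0);
  return h;
}

int main() {
  std::vector<uint8_t> h = make_v2_header(1000);  // 1031-byte header, far above a v1-sized buffer
  const size_t caps[] = {256, 2048};
  for (size_t cap : caps) {
    PpResult full    = pp_classify(h.data(), h.size(), cap);
    PpResult partial = pp_classify(h.data(), 100, cap);
    std::printf("cap=%zu full=%d partial=%d\n", cap, (int)full.status, (int)partial.status);
  }
  return 0;
}
```

Two design points: the v2 cap is enforced as soon as the 16-byte fixed part is available, so a peer advertising a huge length field costs the probe nothing beyond those 16 bytes, and the v1 scan is bounded by the smaller of the spec's 107-byte maximum and the cap, so a connection that sends "PROXY " and then stalls or never sends a CRLF is reported as NeedMore or TooLarge rather than treated as plain HTTP.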