Add optional support for the PROXY protocol

This adds support for the commonly implemented PROXY protocol, allowing TCP proxies to pass along upstream client information. When this is enabled gorouter will read the PROXY preamble and inject the upstream information into the `X-Forwarded-For` header. http://blog.haproxy.com/haproxy/proxy-protocol/ It should be noted that when using PROXY on the HTTPS port the `X-Forwarded-Proto` header will not be set to "https" as expected because the X-Forwarded-Proto code checks for source.TLS, which is only set by the go http library if the `conn` is a `tls.conn`: https://golang.org/src/net/http/server.go#L1398 This can only be fixed properly by patching the standard library. We plan to submit a separate gorouter patch to allow operators to override the autodetected X-Forwarded-Proto if they are terminating SSL at the load balancer before gorouter and using PROXY to communicate with gorouter.
cloudfoundry · Apr 5, 2016 · 2c1f04d · 2c1f04d
1 parent a5307c5
commit 2c1f04d
Show file tree

Hide file tree

Showing 9 changed files with 316 additions and 9 deletions.
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
diff --git a/Godeps/_workspace/src/github.com/armon/go-proxyproto/.gitignore b/Godeps/_workspace/src/github.com/armon/go-proxyproto/.gitignore
diff --git a/Godeps/_workspace/src/github.com/armon/go-proxyproto/LICENSE b/Godeps/_workspace/src/github.com/armon/go-proxyproto/LICENSE
diff --git a/Godeps/_workspace/src/github.com/armon/go-proxyproto/README.md b/Godeps/_workspace/src/github.com/armon/go-proxyproto/README.md
diff --git a/Godeps/_workspace/src/github.com/armon/go-proxyproto/protocol.go b/Godeps/_workspace/src/github.com/armon/go-proxyproto/protocol.go
diff --git a/config/config.go b/config/config.go
@@ -87,6 +87,7 @@ type Config struct {
 	AccessLog                AccessLog     `yaml:"access_log"`
 	EnableAccessLogStreaming bool          `yaml:"enable_access_log_streaming"`
 	DebugAddr                string        `yaml:"debug_addr"`
+	EnablePROXY              bool          `yaml:"enable_proxy"`
 	EnableSSL                bool          `yaml:"enable_ssl"`
 	SSLPort                  uint16        `yaml:"ssl_port"`
 	SSLCertPath              string        `yaml:"ssl_cert_path"`
@@ -141,11 +142,12 @@ var defaultConfig = Config{
 	Nats:    []NatsConfig{defaultNatsConfig},
 	Logging: defaultLoggingConfig,
 
-	Port:       8081,
-	Index:      0,
-	GoMaxProcs: -1,
-	EnableSSL:  false,
-	SSLPort:    443,
+	Port:        8081,
+	Index:       0,
+	GoMaxProcs:  -1,
+	EnablePROXY: false,
+	EnableSSL:   false,
+	SSLPort:     443,
 
 	EndpointTimeoutInSeconds:     60,
 	RouteServiceTimeoutInSeconds: 60,

diff --git a/config/config_test.go b/config/config_test.go
@@ -265,6 +265,16 @@ token_fetcher_expiration_buffer_time: 40
 			Expect(config.TokenFetcherRetryIntervalInSeconds).To(Equal(5))
 			Expect(config.TokenFetcherExpirationBufferTimeInSeconds).To(Equal(int64(30)))
 		})
+
+		It("sets proxy protocol", func() {
+			var b = []byte(`
+enable_proxy: true
+`)
+
+			config.Initialize(b)
+
+			Expect(config.EnablePROXY).To(Equal(true))
+		})
 	})
 
 	Describe("Process", func() {

diff --git a/router/router.go b/router/router.go
@@ -7,6 +7,7 @@ import (
 	"sync"
 	"syscall"
 
+	"github.com/armon/go-proxyproto"
 	"github.com/apcera/nats"
 	"github.com/cloudfoundry/dropsonde"
 	vcap "github.com/cloudfoundry/gorouter/common"
@@ -267,10 +268,14 @@ func (r *Router) serveHTTPS(server *http.Server, errChan chan error) error {
 		}
 
 		r.tlsListener = tlsListener
-		r.logger.Info(fmt.Sprintf("Listening on %s", tlsListener.Addr()))
+		if r.config.EnablePROXY {
+			r.tlsListener = &proxyproto.Listener{tlsListener}
+		}
+
+		r.logger.Info(fmt.Sprintf("Listening on %s", r.tlsListener.Addr()))
 
 		go func() {
-			err := server.Serve(tlsListener)
+			err := server.Serve(r.tlsListener)
 			r.stopLock.Lock()
 			if !r.stopping {
 				errChan <- err
@@ -290,10 +295,14 @@ func (r *Router) serveHTTP(server *http.Server, errChan chan error) error {
 	}
 
 	r.listener = listener
-	r.logger.Info(fmt.Sprintf("Listening on %s", listener.Addr()))
+	if r.config.EnablePROXY {
+		r.listener = &proxyproto.Listener{listener}
+	}
+
+	r.logger.Info(fmt.Sprintf("Listening on %s", r.listener.Addr()))
 
 	go func() {
-		err := server.Serve(listener)
+		err := server.Serve(r.listener)
 		r.stopLock.Lock()
 		if !r.stopping {
 			errChan <- err

diff --git a/router/router_test.go b/router/router_test.go
@@ -79,6 +79,7 @@ var _ = Describe("Router", func() {
 		config.SSLPort = 4443 + uint16(gConfig.GinkgoConfig.ParallelNode)
 		config.SSLCertificate = cert
 		config.CipherSuites = []uint16{tls.TLS_RSA_WITH_AES_256_CBC_SHA}
+		config.EnablePROXY = true
 
 		// set pid file
 		f, err := ioutil.TempFile("", "gorouter-test-pidfile-")
@@ -586,6 +587,34 @@ var _ = Describe("Router", func() {
 		Expect(string(body)).To(MatchRegexp(".*1\\.2\\.3\\.4:1234.*\n"))
 	})
 
+	It("handles the PROXY protocol", func() {
+		app := test.NewTestApp([]route.Uri{"proxy.vcap.me"}, config.Port, mbusClient, nil, "")
+
+		rCh := make(chan string)
+		app.AddHandler("/", func(w http.ResponseWriter, r *http.Request) {
+			rCh <- r.Header.Get("X-Forwarded-For")
+		})
+		app.Listen()
+		Eventually(func() bool {
+			return appRegistered(registry, app)
+		}).Should(BeTrue())
+
+		host := fmt.Sprintf("proxy.vcap.me:%d", config.Port)
+		conn, err := net.DialTimeout("tcp", host, 10*time.Second)
+		Expect(err).ToNot(HaveOccurred())
+		defer conn.Close()
+
+		fmt.Fprintf(conn, "PROXY TCP4 192.168.0.1 192.168.0.2 12345 80\r\n"+
+			"GET / HTTP/1.0\r\n"+
+			"Host: %s\r\n"+
+			"\r\n", host)
+
+		var rr string
+		Eventually(rCh).Should(Receive(&rr))
+		Expect(rr).ToNot(BeNil())
+		Expect(rr).To(Equal("192.168.0.1"))
+	})
+
 	Context("HTTP keep-alive", func() {
 		It("reuses the same connection on subsequent calls", func() {
 			app := test.NewGreetApp([]route.Uri{"keepalive.vcap.me"}, config.Port, mbusClient, nil)