[PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2

Emmanuel Hocdet
[PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2
February 01, 2018 06:00PM
Hi,

This patch introduces proxy-v2-options for send-proxy-v2.
Goal is to add more options from doc/proxy-protocol.txt, especially
all TLS information related to security.

++
Manu
Attachments:
0001-MINOR-introduce-proxy-v2-options-for-send-proxy-v2.patch (3.2 KB)
Aleksandar Lazic
Re: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2
February 01, 2018 11:40PM
Hi.

------ Original message ------
From: "Emmanuel Hocdet" <[email protected]>
To: "haproxy" <[email protected]>
Sent: 01.02.2018 17:54:46
Subject: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2

>Hi,
>
>This patch introduces proxy-v2-options for send-proxy-v2.
>Goal is to add more options from doc/proxy-protocol.txt, especially
>all TLS information related to security.
Can this function then replace the current `send-proxy-v2-ssl-cn` &&
`send-proxy-v2-ssl`?
Let's say when the option is 'ssl-cn' then add all three flags as in the
current `srv_parse_send_proxy_cn` function?

http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7788
http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7796

With this suggested solution we offer backward compatibility and the
new function is in use.

Maybe in the next step there could be a 'tlv' option which can decode
custom TLVs?
http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/connection.c;hb=497959290789002b814b9021a737a3c5f14e7407#l606

Just some brainstorming ;-)

What do you mean?

>++
>Manu
Regards
Aleks
Willy Tarreau
Re: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2
February 02, 2018 06:00AM
Hi Manu,

On Thu, Feb 01, 2018 at 05:54:46PM +0100, Emmanuel Hocdet wrote:
> Hi,
>
> This patch introduces proxy-v2-options for send-proxy-v2.
> Goal is to add more options from doc/proxy-protocol.txt, especially
> all TLS information related to security.

OK thanks, applied. We'll see during the development cycle how this
evolves, and if this needs to change a little bit. But at least now we
have something to start with, making it more convenient to experiment
with future options.

Willy
Emmanuel Hocdet
Re: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2
February 02, 2018 11:00AM
Hi Aleks

> On 1 Feb 2018 at 23:34, Aleksandar Lazic <[email protected]> wrote:
>
> Hi.
>
> ------ Original message ------
> From: "Emmanuel Hocdet" <[email protected]>
> To: "haproxy" <[email protected]>
> Sent: 01.02.2018 17:54:46
> Subject: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2
>
>> Hi,
>>
>> This patch introduces proxy-v2-options for send-proxy-v2.
>> Goal is to add more options from doc/proxy-protocol.txt, especially
>> all TLS information related to security.
> Can this function then replace the current `send-proxy-v2-ssl-cn` && `send-proxy-v2-ssl`?

yes and no, you must add send-proxy-v2 to activate proxy-v2

> Let's say when the option is 'ssl-cn' then add all three flags as in the current `srv_parse_send_proxy_cn` function?
>
> http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7788
> http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7796
>
> With this suggested solution we offer backward compatibility and the new function is in use.
>

you must use "send-proxy-v2 proxy-v2-options ssl" for current send-proxy-v2-ssl
you must use "send-proxy-v2 proxy-v2-options cert-cn" for current send-proxy-v2-ssl-cn

next options should be authority, cert-key, cert-sig, ssl-cipher

> Maybe in the next step there could be a 'tlv' option which can decode custom TLVs?
> http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/connection.c;hb=497959290789002b814b9021a737a3c5f14e7407#l606
>
> Just some brainstorming ;-)
>
> What do you mean?
>

Haproxy is naturally a producer for 'tlv' options (for sure when related to ssl). I don't know how 'tlv' options (other than netns)
could be really useful to consume, passthrough could be more useful.

++
Manu
Aleksandar Lazic
Re: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2
February 02, 2018 09:00PM
Hi Manu.

On 02-02-2018 10:49, Emmanuel Hocdet wrote:
> Hi Aleks
>
>> On 1 Feb 2018 at 23:34, Aleksandar Lazic <[email protected]> wrote:
>>
>> Hi.
>>
>> ------ Original message ------
>> From: "Emmanuel Hocdet" <[email protected]>
>> To: "haproxy" <[email protected]>
>> Sent: 01.02.2018 17:54:46
>> Subject: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2
>>
>>> Hi,
>>>
>>> This patch introduces proxy-v2-options for send-proxy-v2.
>>> Goal is to add more options from doc/proxy-protocol.txt, especially
>>> all TLS information related to security.
>> Can this function then replace the current `send-proxy-v2-ssl-cn`
>> && `send-proxy-v2-ssl`?
>
> yes and no, you must add send-proxy-v2 to activate proxy-v2
>
>> Let's say when the option is 'ssl-cn' then add all three flags as in
>> the current `srv_parse_send_proxy_cn` function?
>>
>> http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7788
>> http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7796
>>
>> With this suggested solution we offer backward compatibility and the
>> new function is in use.
>>
>
> you must use "send-proxy-v2 proxy-v2-options ssl" for current
> send-proxy-v2-ssl
> you must use "send-proxy-v2 proxy-v2-options cert-cn" for current
> send-proxy-v2-ssl-cn
>
> next options should be authority, cert-key, cert-sig, ssl-cipher
>
>> Maybe in the next step there could be a 'tlv' option which can decode
>> custom TLVs?
>> http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/connection.c;hb=497959290789002b814b9021a737a3c5f14e7407#l606
>>
>> Just some brainstorming ;-)
>>
>> What do you mean?
>>
>
> Haproxy is naturally a producer for 'tlv' options (for sure when
> related to ssl). I don't know how 'tlv' options (other than netns)
> could be really useful to consume, passthrough could be more useful.

How about this example:

https://www.mail-archive.com/[email protected]/msg28647.html

How to parse custom PROXY protocol v2 header for custom routing in
HAProxy configuration?

This describes a case for AWS's own header in PP2,
PP2_SUBTYPE_AWS_VPCE_ID.
I know it's not easy, but maybe it is worth discussing how to use the free
fields in PP2 for some ACLs.

> ++
> Manu

Regards
Aleks
Emmanuel Hocdet
Re: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2
February 05, 2018 03:10PM
Hi Aleks,

> On 2 Feb 2018 at 20:46, Aleksandar Lazic <[email protected]> wrote:
>
> Hi Manu.
>
> On 02-02-2018 10:49, Emmanuel Hocdet wrote:
>> Hi Aleks
>>> On 1 Feb 2018 at 23:34, Aleksandar Lazic <[email protected]> wrote:
>>> Hi.
>>> ------ Original message ------
>>> From: "Emmanuel Hocdet" <[email protected]>
>>> To: "haproxy" <[email protected]>
>>> Sent: 01.02.2018 17:54:46
>>> Subject: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2
>>>> Hi,
>>>> This patch introduces proxy-v2-options for send-proxy-v2.
>>>> Goal is to add more options from doc/proxy-protocol.txt, especially
>>>> all TLS information related to security.
>>> Can this function then replace the current `send-proxy-v2-ssl-cn` && `send-proxy-v2-ssl`?
>> yes and no, you must add send-proxy-v2 to activate proxy-v2
>>> Let's say when the option is 'ssl-cn' then add all three flags as in the current `srv_parse_send_proxy_cn` function?
>>> http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7788
>>> http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7796
>>> With this suggested solution we offer backward compatibility and the new function is in use.
>> you must use "send-proxy-v2 proxy-v2-options ssl" for current
>> send-proxy-v2-ssl
>> you must use "send-proxy-v2 proxy-v2-options cert-cn" for current
>> send-proxy-v2-ssl-cn
>> next options should be authority, cert-key, cert-sig, ssl-cipher
>>> Maybe in the next step there could be a 'tlv' option which can decode custom TLVs?
>>> http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/connection.c;hb=497959290789002b814b9021a737a3c5f14e7407#l606
>>> Just some brainstorming ;-)
>>> What do you mean?
>> Haproxy is naturally a producer for 'tlv' options (for sure when
>> related to ssl). I don't know how 'tlv' options (other than netns)
>> could be really useful to consume, passthrough could be more useful.
>
> How about this example:
>
> https://www.mail-archive.com/[email protected]/msg28647.html
>
> How to parse custom PROXY protocol v2 header for custom routing in HAProxy configuration?
>
> This describes a case for AWS's own header in PP2, PP2_SUBTYPE_AWS_VPCE_ID.
> I know it's not easy, but maybe it is worth discussing how to use the free fields in PP2 for some ACLs.
>

Consuming and producing PP-v2 TLVs are two different things.
For TLV consumption, I work with Varnish and the problem is the same: where to store them and how to use them.
I do not know of a generic solution, especially in the case of custom TLVs.

++
Manu
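As an added illustration of the consumption side discussed above (example code, not from the patch or from HAProxy itself): a bounds-checked parser for a PROXY v2 header that pulls out the SSL CN sub-TLV (what `proxy-v2-options cert-cn` produces) and the AWS VPC endpoint ID TLV before anything is routed on them. Type codes are those of doc/proxy-protocol.txt; the sample header and its addresses and values are constructed.

```python
import struct
# PROXY protocol v2 constants, as defined in doc/proxy-protocol.txt
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_SSL = 0x20
PP2_SUBTYPE_SSL_CN = 0x22       # what "proxy-v2-options cert-cn" emits
PP2_TYPE_AWS = 0xEA
PP2_SUBTYPE_AWS_VPCE_ID = 0x01

def tlv(t, value):  # one TLV: 1-byte type, 2-byte big-endian length, value
    return bytes([t]) + struct.pack("!H", len(value)) + value

def parse_tlvs(buf):  # -> [(type, value)], every declared length is bounds-checked
    out, off = [], 0
    while off < len(buf):
        if off + 3 > len(buf):
            raise ValueError("truncated TLV header")
        t, length = buf[off], struct.unpack("!H", buf[off + 1:off + 3])[0]
        if off + 3 + length > len(buf):
            raise ValueError("TLV 0x%02x overruns the header" % t)
        out.append((t, buf[off + 3:off + 3 + length]))
        off += 3 + length
    return out

def parse_pp2(data):  # v2 header, TCP over IPv4 -> dict of the fields of interest
    if data[:12] != PP2_SIGNATURE:
        raise ValueError("bad PROXY v2 signature")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != 0x21 or fam != 0x11:   # v2 PROXY command, TCP over IPv4
        raise ValueError("unsupported version/command/family")
    if length < 12 or len(data) < 16 + length:
        raise ValueError("declared length does not fit the data")
    body = data[16:16 + length]
    src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
    fields = {"src": "%s:%d" % (".".join(map(str, src)), sport),
              "dst": "%s:%d" % (".".join(map(str, dst)), dport)}
    for t, value in parse_tlvs(body[12:]):
        if t == PP2_TYPE_SSL:
            for st, sv in parse_tlvs(value[5:]):  # skip 1B client flags + 4B verify
                if st == PP2_SUBTYPE_SSL_CN:
                    fields["ssl_cn"] = sv.decode("utf-8", "replace")
        elif t == PP2_TYPE_AWS and value[:1] == bytes([PP2_SUBTYPE_AWS_VPCE_ID]):
            fields["vpce_id"] = value[1:].decode("ascii", "replace")
    return fields

# Constructed sample header (not captured traffic): an SSL TLV plus an AWS TLV
SSL_VALUE = b"\x01" + b"\x00" * 4 + tlv(PP2_SUBTYPE_SSL_CN, b"client.example")
BODY = (struct.pack("!4s4sHH", bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 40000, 443)
        + tlv(PP2_TYPE_SSL, SSL_VALUE)
        + tlv(PP2_TYPE_AWS, bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + b"vpce-0123456789abcdef0"))
SAMPLE = PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(BODY)) + BODY
```

Any header whose declared lengths do not fit the bytes actually received is rejected as a whole rather than partially trusted, which is the property a consumer needs before using these values in ACLs.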
Aleksandar Lazic
Re[2]: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2
February 07, 2018 10:10PM
Hi Manu.

------ Original message ------
From: "Emmanuel Hocdet" <[email protected]>
To: "Aleksandar Lazic" <[email protected]>
Cc: "haproxy" <[email protected]>
Sent: 05.02.2018 14:58:20
Subject: Re: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2

>
>Hi Aleks,
>
>>On 2 Feb 2018 at 20:46, Aleksandar Lazic <[email protected]> wrote:
>>
>>Hi Manu.
>>
>>On 02-02-2018 10:49, Emmanuel Hocdet wrote:
>>>Hi Aleks
>>>>On 1 Feb 2018 at 23:34, Aleksandar Lazic <[email protected]> wrote:
>>>>Hi.
>>>>------ Original message ------
>>>>From: "Emmanuel Hocdet" <[email protected]>
>>>>To: "haproxy" <[email protected]>
>>>>Sent: 01.02.2018 17:54:46
>>>>Subject: [PATCH] MINOR: introduce proxy-v2-options for send-proxy-v2
>>>>>Hi,
>>>>>This patch introduces proxy-v2-options for send-proxy-v2.
>>>>>Goal is to add more options from doc/proxy-protocol.txt,
>>>>>especially
>>>>>all TLS information related to security.
>>>>Can this function then replace the current
>>>>`send-proxy-v2-ssl-cn` && `send-proxy-v2-ssl`?
>>>yes and no, you must add send-proxy-v2 to activate proxy-v2
>>>>Let's say when the option is 'ssl-cn' then add all three flags as in
>>>>the current `srv_parse_send_proxy_cn` function?
>>>>http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7788
>>>>http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/ssl_sock.c;hb=497959290789002b814b9021a737a3c5f14e7407#l7796
>>>>With this suggested solution we offer backward compatibility and
>>>>the new function is in use.
>>>you must use "send-proxy-v2 proxy-v2-options ssl" for current
>>>send-proxy-v2-ssl
>>>you must use "send-proxy-v2 proxy-v2-options cert-cn" for
>>>current
>>>send-proxy-v2-ssl-cn
>>>next options should be authority, cert-key, cert-sig, ssl-cipher
>>>>Maybe in the next step there could be a 'tlv' option which can
>>>>decode custom TLVs?
>>>>http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/connection.c;hb=497959290789002b814b9021a737a3c5f14e7407#l606
>>>>Just some brainstorming ;-)
>>>>What do you mean?
>>>Haproxy is naturally a producer for 'tlv' options (for sure when
>>>related to ssl). I don't know how 'tlv' options (other than netns)
>>>could be really useful to consume, passthrough could be more useful.
>>
>>How about this example:
>>
>>https://www.mail-archive.com/[email protected]/msg28647.html
>>
>>How to parse custom PROXY protocol v2 header for custom routing in
>>HAProxy configuration?
>>
>>This describes a case for AWS's own header in PP2,
>>PP2_SUBTYPE_AWS_VPCE_ID.
>>I know it's not easy, but maybe it is worth discussing how to use the free
>>fields in PP2 for some ACLs.
>>
>
>Consuming and producing PP-v2 TLVs are two different things.
>For TLV consumption, I work with Varnish and the problem is the same: where
>to store them and how to use them.
>I do not know of a generic solution, especially in the case of custom
>TLVs.
Thanks for the explanation.
I also have no idea for now.

>++
>Manu
Best regards
aleks