Documentation ¶
Overview ¶
Package proxyproto implements network reader shims for terminating proxy protocol connections.
Index ¶
- Variables
- func JoinTLVs(tlvs []TLV) ([]byte, error)
- type AddressFamilyAndProtocol
- func (ap AddressFamilyAndProtocol) IsDatagram() bool
- func (ap AddressFamilyAndProtocol) IsIPv4() bool
- func (ap AddressFamilyAndProtocol) IsIPv6() bool
- func (ap AddressFamilyAndProtocol) IsStream() bool
- func (ap AddressFamilyAndProtocol) IsUnix() bool
- func (ap AddressFamilyAndProtocol) IsUnspec() bool
- type Config
- type Conn
- func (p *Conn) Close() error
- func (p *Conn) LocalAddr() net.Addr
- func (p *Conn) Read(b []byte) (int, error)
- func (p *Conn) RemoteAddr() net.Addr
- func (p *Conn) SetDeadline(t time.Time) error
- func (p *Conn) SetReadDeadline(t time.Time) error
- func (p *Conn) SetWriteDeadline(t time.Time) error
- func (p *Conn) Write(b []byte) (int, error)
- type Dialer
- type DialerOption
- type Header
- func (header *Header) EqualTo(otherHeader *Header) bool
- func (header *Header) EqualsTo(otherHeader *Header) bool
- func (header *Header) Format() ([]byte, error)
- func (header *Header) IPs() (sourceIP, destIP net.IP, ok bool)
- func (header *Header) Ports() (sourcePort, destPort int, ok bool)
- func (header *Header) SetTLVs(tlvs []TLV) error
- func (header *Header) TCPAddrs() (sourceAddr, destAddr *net.TCPAddr, ok bool)
- func (header *Header) TLVs() ([]TLV, error)
- func (header *Header) UDPAddrs() (sourceAddr, destAddr *net.UDPAddr, ok bool)
- func (header *Header) UnixAddrs() (sourceAddr, destAddr *net.UnixAddr, ok bool)
- func (header *Header) WriteTo(w io.Writer) (int64, error)
- type Listener
- type PP2Type
- type ProtocolVersionAndCommand
- type SourceChecker
- type TLV
Variables ¶
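// Signatures that open a proxy protocol header. Both are exported, mutable
// slices: treat them as read-only.
var (
	// SIGV1 is the version 1 signature, the ASCII bytes "PROXY".
	SIGV1 = []byte{'\x50', '\x52', '\x4F', '\x58', '\x59'}
	// SIGV2 is the 12-byte version 2 signature, "\r\n\r\n\x00\r\nQUIT\n".
	SIGV2 = []byte{'\x0D', '\x0A', '\x0D', '\x0A', '\x00', '\x0D', '\x0A', '\x51', '\x55', '\x49', '\x54', '\x0A'}
)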
Protocol Headers
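// Errors reported while reading or validating a proxy protocol header.
var (
	// Version 1 header line could not be read or is not well formed.
	ErrCantReadVersion1Header = errors.New("proxyproto: can't read version 1 header")
	ErrVersion1HeaderTooLong  = errors.New("proxyproto: version 1 header must be 107 bytes or less")
	ErrLineMustEndWithCrlf    = errors.New("proxyproto: version 1 header is invalid, must end with \\r\\n")

	// A field of the header could not be read, or a Unix address in it
	// could not be resolved.
	ErrCantReadProtocolVersionAndCommand = errors.New("proxyproto: can't read proxy protocol version and command")
	ErrCantReadAddressFamilyAndProtocol  = errors.New("proxyproto: can't read address family or protocol")
	ErrCantReadLength                    = errors.New("proxyproto: can't read length")
	ErrCantResolveSourceUnixAddress      = errors.New("proxyproto: can't resolve source Unix address")
	ErrCantResolveDestinationUnixAddress = errors.New("proxyproto: can't resolve destination Unix address")

	// The signature is missing, or a field holds a value that is unknown,
	// unsupported or invalid.
	ErrNoProxyProtocol                      = errors.New("proxyproto: proxy protocol signature not present")
	ErrUnknownProxyProtocolVersion          = errors.New("proxyproto: unknown proxy protocol version")
	ErrUnsupportedProtocolVersionAndCommand = errors.New("proxyproto: unsupported proxy protocol version and command")
	ErrUnsupportedAddressFamilyAndProtocol  = errors.New("proxyproto: unsupported address family and protocol")
	ErrInvalidLength                        = errors.New("proxyproto: invalid length")
	ErrInvalidAddress                       = errors.New("proxyproto: invalid address")
	ErrInvalidPortNumber                    = errors.New("proxyproto: invalid port number")

	// ErrSuperfluousProxyHeader reports a PROXY header received from an
	// upstream connection that is not allowed to send one.
	ErrSuperfluousProxyHeader = errors.New("proxyproto: upstream connection sent PROXY header but isn't allowed to send one")
)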
Errors
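// Errors reported while handling the TLV section of a header.
var (
	ErrTruncatedTLV    = errors.New("proxyproto: truncated TLV")
	ErrMalformedTLV    = errors.New("proxyproto: malformed TLV Value")
	ErrIncompatibleTLV = errors.New("proxyproto: incompatible TLV type")
)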
Error constants
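var (
	// ErrInvalidUpstream reports that the address of the upstream connection
	// is not trusted to supply PROXY information. Its message carries no
	// "proxyproto: " prefix, unlike the package's other errors.
	ErrInvalidUpstream = errors.New("upstream connection address not trusted for PROXY information")
)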
Functions ¶
Types ¶
type AddressFamilyAndProtocol ¶
type AddressFamilyAndProtocol byte
AddressFamilyAndProtocol represents address family and transport protocol.
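// Values of AddressFamilyAndProtocol. In the values below the high nibble
// selects the address family (1 IPv4, 2 IPv6, 3 Unix) and the low nibble the
// transport (1 stream, 2 datagram); 0x00 is the unknown value.
const (
	AddressFamilyAndProtocolUnknown      AddressFamilyAndProtocol = '\x00'
	AddressFamilyAndProtocolTCPv4        AddressFamilyAndProtocol = '\x11'
	AddressFamilyAndProtocolUDPv4        AddressFamilyAndProtocol = '\x12'
	AddressFamilyAndProtocolTCPv6        AddressFamilyAndProtocol = '\x21'
	AddressFamilyAndProtocolUDPv6        AddressFamilyAndProtocol = '\x22'
	AddressFamilyAndProtocolUnixStream   AddressFamilyAndProtocol = '\x31'
	AddressFamilyAndProtocolUnixDatagram AddressFamilyAndProtocol = '\x32'
)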
Address family and protocol constants
func (AddressFamilyAndProtocol) IsDatagram ¶
func (ap AddressFamilyAndProtocol) IsDatagram() bool
IsDatagram returns true if the transport protocol is UDP or DGRAM (SOCK_DGRAM), false otherwise.
func (AddressFamilyAndProtocol) IsIPv4 ¶
func (ap AddressFamilyAndProtocol) IsIPv4() bool
IsIPv4 returns true if the address family is IPv4 (AF_INET), false otherwise.
func (AddressFamilyAndProtocol) IsIPv6 ¶
func (ap AddressFamilyAndProtocol) IsIPv6() bool
IsIPv6 returns true if the address family is IPv6 (AF_INET6), false otherwise.
func (AddressFamilyAndProtocol) IsStream ¶
func (ap AddressFamilyAndProtocol) IsStream() bool
IsStream returns true if the transport protocol is TCP or STREAM (SOCK_STREAM), false otherwise.
func (AddressFamilyAndProtocol) IsUnix ¶
func (ap AddressFamilyAndProtocol) IsUnix() bool
IsUnix returns true if the address family is UNIX (AF_UNIX), false otherwise.
func (AddressFamilyAndProtocol) IsUnspec ¶
func (ap AddressFamilyAndProtocol) IsUnspec() bool
IsUnspec returns true if the transport protocol or address family is unspecified, false otherwise.
type Conn ¶
type Conn struct {
// contains filtered or unexported fields
}
Conn is used to wrap an underlying connection which may be speaking the Proxy Protocol. If it is, the RemoteAddr() will return the address of the client instead of the proxy address.
func NewConn ¶
NewConn is used to wrap a net.Conn that may be speaking the proxy protocol into a proxyproto.Conn
func (*Conn) Read ¶
Read checks for the proxy protocol header when doing the initial scan. If there is an error parsing the header, it is returned and the socket is closed.
func (*Conn) RemoteAddr ¶
RemoteAddr returns the address of the client if the proxy protocol is being used, otherwise just returns the address of the socket peer. If there is an error parsing the header, the address of the client is not returned, and the socket is closed. One implication of this is that the call could block if the client is slow. Using a Deadline is recommended if this is called before Read().
func (*Conn) SetReadDeadline ¶
SetReadDeadline sets the read deadline.
func (*Conn) SetWriteDeadline ¶
SetWriteDeadline sets the write deadline.
type Dialer ¶
Dialer wraps a dialer with proxy protocol header injection.
func NewDialer ¶
func NewDialer(opts ...DialerOption) *Dialer
NewDialer returns a new proxy protocol dialer.
type DialerOption ¶
type DialerOption func(*Dialer)
DialerOption mutates a dialer.
func OptDialerConstSourceAdddr ¶
func OptDialerConstSourceAdddr(addr net.Addr) DialerOption
OptDialerConstSourceAdddr sets the header provider to be a constant source.
func OptDialerHeaderProvider ¶
OptDialerHeaderProvider sets the header provider.
type Header ¶
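// Header holds the fields of a proxy protocol header. The address fields
// carry what the header states, so they are only as trustworthy as the peer
// that sent it.
type Header struct {
	// Version is the proxy protocol version of the header.
	Version byte
	// Command is the version-and-command value (local or proxy).
	Command ProtocolVersionAndCommand
	// TransportProtocol is the address family and transport protocol.
	TransportProtocol AddressFamilyAndProtocol
	// SourceAddr is the source address given in the header.
	SourceAddr net.Addr
	// DestinationAddr is the destination address given in the header.
	DestinationAddr net.Addr
	// contains filtered or unexported fields
}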
Header is the placeholder for proxy protocol header.
func (*Header) EqualTo ¶
EqualTo returns true if headers are equivalent, false otherwise. Deprecated: use EqualsTo instead. This method will eventually be removed.
func (*Header) SetTLVs ¶
SetTLVs sets the TLVs stored in this header. This method replaces any previous TLV.
func (*Header) TLVs ¶
TLVs returns the TLVs stored in this header, if they exist. TLVs are optional for v2 of the protocol.
type Listener ¶
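// Listener wraps an underlying listener whose connections may be using the
// proxy protocol.
type Listener struct {
	// Listener is the underlying listener being wrapped.
	Listener net.Listener
	// ProxyHeaderTimeout is the maximum time to receive the proxy protocol
	// header. Zero means no timeout.
	ProxyHeaderTimeout time.Duration
	// SourceCheck, if set, is given the connecting address and decides
	// whether the PROXY info is used or the connection's own remote address.
	SourceCheck SourceChecker
}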
Listener is used to wrap an underlying listener, whose connections may be using the HAProxy Proxy Protocol (version 1). If the connection is using the protocol, the RemoteAddr() will return the correct client address.
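Optionally define ProxyHeaderTimeout to set a maximum time to receive the Proxy Protocol Header. Zero means no timeout. With no timeout, a peer that is slow to send the header can keep a call that waits for it, such as RemoteAddr(), blocked, so set a value when peers are not fully trusted.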
type ProtocolVersionAndCommand ¶
type ProtocolVersionAndCommand byte
ProtocolVersionAndCommand represents the command in proxy protocol v2. Command doesn't exist in v1 but it should be set since other parts of this library may rely on it for determining connection details.
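// Values of ProtocolVersionAndCommand.
const (
	// ProtocolVersionAndCommandLocal represents the LOCAL command in v2 or
	// the UNKNOWN transport in v1, in which case no address information is
	// expected.
	ProtocolVersionAndCommandLocal ProtocolVersionAndCommand = '\x20'
	// ProtocolVersionAndCommandProxy represents the PROXY command in v2 or a
	// transport other than UNKNOWN in v1, in which case valid local/remote
	// address and port information is expected.
	ProtocolVersionAndCommandProxy ProtocolVersionAndCommand = '\x21'
)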
func (ProtocolVersionAndCommand) IsLocal ¶
func (pvc ProtocolVersionAndCommand) IsLocal() bool
IsLocal returns true if the command in v2 is ProtocolVersionAndCommandLocal or the transport in v1 is UNKNOWN, i.e. when no address information is expected, false otherwise.
func (ProtocolVersionAndCommand) IsProxy ¶
func (pvc ProtocolVersionAndCommand) IsProxy() bool
IsProxy returns true if the command in v2 is PROXY or the transport in v1 is not UNKNOWN, i.e. when valid local/remote address and port information is expected, false otherwise.
func (ProtocolVersionAndCommand) IsUnspec ¶
func (pvc ProtocolVersionAndCommand) IsUnspec() bool
IsUnspec returns true if the command is unspecified, false otherwise.
type SourceChecker ¶
SourceChecker can be used to decide whether to trust the PROXY info or pass the original connection address through. If set, the connecting address is passed in as an argument. If the function returns an error due to the source being disallowed, it should return ErrInvalidUpstream. The PROXY info is whatever the connecting peer sent, so it is only worth trusting when the connecting address is a proxy you expect.
Behavior is as follows:
- If error is not nil, the call to Accept() will fail. If the reason for triggering this failure is a disallowed source, it should return ErrInvalidUpstream.
- If bool is true, the PROXY-set address is used.
- If bool is false, the connection's remote address is used, rather than the address claimed in the PROXY info.