Merge pull request #173 from Castaglia/proxy-protocolv2-issue151

Issue #151: Implement support for the PROXY V2 protocol.

Author: Castaglia

include/proxy/conn.h

@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_proxy conn API
- * Copyright (c) 2012-2016 TJ Saunders
+ * Copyright (c) 2012-2020 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -45,7 +45,8 @@ const char *proxy_conn_get_uri(const struct proxy_conn *pconn);
 const char *proxy_conn_get_username(const struct proxy_conn *pconn);
 const char *proxy_conn_get_password(const struct proxy_conn *pconn);
 int proxy_conn_get_tls(const struct proxy_conn *pconn);
-int proxy_conn_send_proxy(pool *p, conn_t *conn);
+int proxy_conn_send_proxy_v1(pool *p, conn_t *conn);
+int proxy_conn_send_proxy_v2(pool *p, conn_t *conn);
 void proxy_conn_free(const struct proxy_conn *pconn);
 
 #endif /* MOD_PROXY_CONN_H */

lib/proxy/conn.c

@@ -24,6 +24,10 @@
 
 #include "mod_proxy.h"
 
+#ifdef HAVE_SYS_UIO_H
+# include <sys/uio.h>
+#endif /* HAVE_SYS_UIO_H */
+
 #include "proxy/conn.h"
 #include "proxy/netio.h"
 #include "proxy/inet.h"
@@ -60,6 +64,16 @@ static const char *supported_protocols[] = {
   NULL
 };
 
+/* PROXY protocol V2 */
+#define PROXY_PROTOCOL_V2_SIGLEN		12
+#define PROXY_PROTOCOL_V2_HDRLEN		16
+#define PROXY_PROTOCOL_V2_TRANSPORT_STREAM	0x01
+#define PROXY_PROTOCOL_V2_FAMILY_INET		0x10
+#define PROXY_PROTOCOL_V2_FAMILY_INET6		0x20
+#define PROXY_PROTOCOL_V2_ADDRLEN_INET		(4 + 4 + 2 + 2)
+#define PROXY_PROTOCOL_V2_ADDRLEN_INET6		(16 + 16 + 2 + 2)
+static uint8_t proxy_protocol_v2_sig[PROXY_PROTOCOL_V2_SIGLEN] = "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A";
+
 static const char *trace_channel = "proxy.conn";
 
 static int supported_protocol(const char *proto) {
@@ -457,7 +471,8 @@ conn_t *proxy_conn_get_server_conn(pool *p, struct proxy_session *proxy_sess,
     pr_netio_stream_t *nstrm;
     int connected = FALSE, nstrm_mode = PR_NETIO_IO_RD;
 
-    if (proxy_opts & PROXY_OPT_USE_PROXY_PROTOCOL) {
+    if ((proxy_opts & PROXY_OPT_USE_PROXY_PROTOCOL_V1) ||
+        (proxy_opts & PROXY_OPT_USE_PROXY_PROTOCOL_V2)) {
       /* Rather than waiting for the stream to be readable (because the
        * other end sent us something), wait for the stream to be writable
        * so that we can send something to the other end).
@@ -595,7 +610,7 @@ const char *proxy_conn_get_uri(const struct proxy_conn *pconn) {
   return pconn->pconn_uri;
 }
 
-int proxy_conn_send_proxy(pool *p, conn_t *conn) {
+int proxy_conn_send_proxy_v1(pool *p, conn_t *conn) {
   int res, src_port, dst_port;
   const char *proto, *src_ipstr, *dst_ipstr;
   pool *sub_pool = NULL;
@@ -664,7 +679,7 @@ int proxy_conn_send_proxy(pool *p, conn_t *conn) {
   }
 
   pr_trace_msg(trace_channel, 9,
-    "sending proxy protocol message: 'PROXY %s %s %s %d %d' to backend",
+    "sending PROXY protocol V1 message: 'PROXY %s %s %s %d %d' to backend",
     proto, src_ipstr, dst_ipstr, src_port, dst_port);
 
   res = proxy_netio_printf(conn->outstrm, "PROXY %s %s %s %d %d\r\n",
@@ -676,3 +691,151 @@ int proxy_conn_send_proxy(pool *p, conn_t *conn) {
 
   return res;
 }
+
+static int writev_conn(conn_t *conn, const struct iovec *iov, int iov_count) {
+  int res, xerrno;
+
+  if (pr_netio_poll(conn->outstrm) < 0) {
+    return -1;
+  }
+
+  res = writev(conn->wfd, iov, iov_count);
+  xerrno = errno;
+
+  while (res <= 0) {
+    if (res < 0) {
+      if (xerrno == EINTR) {
+        pr_signals_handle();
+
+        if (pr_netio_poll(conn->outstrm) < 0) {
+          return -1;
+        }
+
+        res = writev(conn->wfd, iov, iov_count);
+        xerrno = errno;
+
+        continue;
+      }
+
+      pr_trace_msg(trace_channel, 16,
+        "error writing to client (fd %d): %s", conn->wfd, strerror(xerrno));
+      errno = errno;
+      return -1;
+    }
+  }
+
+  session.total_raw_out += res;
+  return res;
+}
+
+int proxy_conn_send_proxy_v2(pool *p, conn_t *conn) {
+  int res, xerrno;
+  uint8_t ver_cmd, trans_fam, src_ipv6[16], dst_ipv6[16];
+  uint16_t v2_len, src_port, dst_port;
+  uint32_t src_ipv4, dst_ipv4;
+  struct iovec v2_hdr[8];
+  pool *sub_pool = NULL;
+  char *proto;
+  const pr_netaddr_t *src_addr = NULL, *dst_addr = NULL;
+
+  if (p == NULL ||
+      conn == NULL) {
+    errno = EINVAL;
+    return -1;
+  }
+
+  v2_hdr[0].iov_base = (void *) proxy_protocol_v2_sig;
+  v2_hdr[0].iov_len = PROXY_PROTOCOL_V2_SIGLEN;
+
+  /* PROXY protocol v2 + PROXY command */
+  ver_cmd = (0x20|0x01);
+  v2_hdr[1].iov_base = (void *) &ver_cmd;
+  v2_hdr[1].iov_len = sizeof(ver_cmd);
+
+  src_addr = session.c->remote_addr;
+  dst_addr = session.c->local_addr;
+
+  if (pr_netaddr_get_family(src_addr) == AF_INET &&
+      pr_netaddr_get_family(dst_addr) == AF_INET) {
+    struct sockaddr_in *saddr;
+
+    proto = "TCP/IPv4";
+    trans_fam = (PROXY_PROTOCOL_V2_TRANSPORT_STREAM|PROXY_PROTOCOL_V2_FAMILY_INET);
+    v2_len = PROXY_PROTOCOL_V2_ADDRLEN_INET;
+
+    saddr = (struct sockaddr_in *) pr_netaddr_get_sockaddr(src_addr);
+    src_ipv4 = saddr->sin_addr.s_addr;
+    v2_hdr[4].iov_base = (void *) &src_ipv4;
+    v2_hdr[4].iov_len = sizeof(src_ipv4);
+
+    saddr = (struct sockaddr_in *) pr_netaddr_get_sockaddr(dst_addr);
+    dst_ipv4 = saddr->sin_addr.s_addr;
+    v2_hdr[5].iov_base = (void *) &dst_ipv4;
+    v2_hdr[5].iov_len = sizeof(dst_ipv4);
+
+    /* Quell compiler warnings about unused variables. */
+    (void) src_ipv6;
+    (void) dst_ipv6;
+
+  } else {
+    struct sockaddr_in6 *saddr;
+
+    proto = "TCP/IPv6";
+    trans_fam = (PROXY_PROTOCOL_V2_TRANSPORT_STREAM|PROXY_PROTOCOL_V2_FAMILY_INET6);
+    v2_len = PROXY_PROTOCOL_V2_ADDRLEN_INET6;
+
+    sub_pool = make_sub_pool(p);
+
+    if (pr_netaddr_get_family(src_addr) == AF_INET) {
+      src_addr = pr_netaddr_v4tov6(sub_pool, src_addr);
+    }
+
+    saddr = (struct sockaddr_in6 *) pr_netaddr_get_sockaddr(src_addr);
+    memcpy(&src_ipv6, &(saddr->sin6_addr), sizeof(src_ipv6));
+    v2_hdr[4].iov_base = (void *) &src_ipv6;
+    v2_hdr[4].iov_len = sizeof(src_ipv6);
+
+    if (pr_netaddr_get_family(dst_addr) == AF_INET) {
+      dst_addr = pr_netaddr_v4tov6(sub_pool, dst_addr);
+    }
+
+    saddr = (struct sockaddr_in6 *) pr_netaddr_get_sockaddr(dst_addr);
+    memcpy(&dst_ipv6, &(saddr->sin6_addr), sizeof(dst_ipv6));
+    v2_hdr[5].iov_base = (void *) &dst_ipv6;
+    v2_hdr[5].iov_len = sizeof(dst_ipv6);
+
+    /* Quell compiler warnings about unused variables. */
+    (void) src_ipv4;
+    (void) dst_ipv4;
+  }
+
+  v2_hdr[2].iov_base = (void *) &trans_fam;
+  v2_hdr[2].iov_len = sizeof(trans_fam);
+
+  v2_len = htons(v2_len);
+  v2_hdr[3].iov_base = (void *) &v2_len;
+  v2_hdr[3].iov_len = sizeof(v2_len);
+
+  src_port = htons(session.c->remote_port);
+  v2_hdr[6].iov_base = (void *) &src_port;
+  v2_hdr[6].iov_len = sizeof(src_port);
+
+  dst_port = htons(session.c->local_port);
+  v2_hdr[7].iov_base = (void *) &dst_port;
+  v2_hdr[7].iov_len = sizeof(dst_port);
+
+  pr_trace_msg(trace_channel, 9,
+    "sending PROXY protocol V2 message for %s %s#%u %s#%u to backend",
+    proto, pr_netaddr_get_ipstr(src_addr), (unsigned int) ntohs(src_port),
+    pr_netaddr_get_ipstr(dst_addr), (unsigned int) ntohs(dst_port));
+
+  res = writev_conn(conn, v2_hdr, 8);
+  xerrno = errno;
+
+  if (sub_pool != NULL) {
+    destroy_pool(sub_pool);
+  }
+
+  errno = xerrno;
+  return res;
+}

lib/proxy/reverse.c

@@ -765,15 +765,29 @@ static int reverse_try_connect(pool *p, struct proxy_session *proxy_sess,
     return -1;
   }
 
-  if (proxy_opts & PROXY_OPT_USE_PROXY_PROTOCOL) {
+  if (proxy_opts & PROXY_OPT_USE_PROXY_PROTOCOL_V1) {
     pr_trace_msg(trace_channel, 17,
-      "sending PROXY protocol message to %s#%u",
+      "sending PROXY V1 protocol message to %s#%u",
       pr_netaddr_get_ipstr(server_conn->remote_addr),
       ntohs(pr_netaddr_get_port(server_conn->remote_addr)));
 
-    if (proxy_conn_send_proxy(p, server_conn) < 0) {
+    if (proxy_conn_send_proxy_v1(p, server_conn) < 0) {
       (void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
-        "error sending PROXY message to %s#%u: %s",
+        "error sending PROXY V1 message to %s#%u: %s",
+        pr_netaddr_get_ipstr(server_conn->remote_addr),
+        ntohs(pr_netaddr_get_port(server_conn->remote_addr)),
+        strerror(errno));
+    }
+
+  } else if (proxy_opts & PROXY_OPT_USE_PROXY_PROTOCOL_V2) {
+    pr_trace_msg(trace_channel, 17,
+      "sending PROXY V2 protocol message to %s#%u",
+      pr_netaddr_get_ipstr(server_conn->remote_addr),
+      ntohs(pr_netaddr_get_port(server_conn->remote_addr)));
+
+    if (proxy_conn_send_proxy_v2(p, server_conn) < 0) {
+      (void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
+        "error sending PROXY V2 message to %s#%u: %s",
         pr_netaddr_get_ipstr(server_conn->remote_addr),
         ntohs(pr_netaddr_get_port(server_conn->remote_addr)),
         strerror(errno));

mod_proxy.c

@@ -763,8 +763,12 @@ MODRET set_proxyoptions(cmd_rec *cmd) {
   c = add_config_param(cmd->argv[0], 1, NULL);
 
   for (i = 1; i < cmd->argc; i++) {
-    if (strcmp(cmd->argv[i], "UseProxyProtocol") == 0) {
-      opts |= PROXY_OPT_USE_PROXY_PROTOCOL;
+    if (strcmp(cmd->argv[i], "UseProxyProtocol") == 0 ||
+        strcmp(cmd->argv[i], "UseProxyProtocolV1") == 0) {
+      opts |= PROXY_OPT_USE_PROXY_PROTOCOL_V1;
+
+    } else if (strcmp(cmd->argv[i], "UseProxyProtocolV2") == 0) {
+      opts |= PROXY_OPT_USE_PROXY_PROTOCOL_V2;
 
     } else if (strcmp(cmd->argv[i], "ShowFeatures") == 0) {
       opts |= PROXY_OPT_SHOW_FEATURES;

mod_proxy.h.in

@@ -66,11 +66,12 @@
 #endif
 
 /* mod_proxy option flags */
-#define PROXY_OPT_USE_PROXY_PROTOCOL		0x0001
+#define PROXY_OPT_USE_PROXY_PROTOCOL_V1		0x0001
 #define PROXY_OPT_SHOW_FEATURES			0x0002
 #define PROXY_OPT_USE_REVERSE_PROXY_AUTH	0x0004
 #define PROXY_OPT_USE_DIRECT_DATA_TRANSFERS	0x0008
 #define PROXY_OPT_IGNORE_CONFIG_PERMS		0x0010
+#define PROXY_OPT_USE_PROXY_PROTOCOL_V2		0x0020
 
 /* mod_proxy datastores */
 #define PROXY_DATASTORE_SQLITE			1

mod_proxy.html

@@ -455,7 +455,7 @@ <h3><a name="ProxyOptions">ProxyOptions</a></h3>
 The <code>ProxyOptions</code> directive is used to configure various optional
 behavior of <code>mod_proxy</code>.  For example:
 <pre>
-  ProxyOptions UseProxyProtocol
+  ProxyOptions UseProxyProtocolV1
 </pre>
 
 <p>
@@ -488,10 +488,10 @@ <h3><a name="ProxyOptions">ProxyOptions</a></h3>
   </li>
 
   <p>
-  <li><code>UseProxyProtocol</code><br>
+  <li><code>UseProxyProtocolV1</code><br>
     <p>
     When <code>mod_proxy</code> connects to the backend/destination server,
-    use the <a href="http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt"><code>PROXY</code></a> protocol, sending the human-readable <code>PROXY</code>
+    use the <a href="http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt"><code>PROXY</code></a> V1 protocol, sending the human-readable <code>PROXY</code>
     command to the destination server.  This allows backend servers to implement
     access controls/logging, based on the IP address of the connecting client.
     The <a href="https://github.com/Castaglia/proftpd-mod_proxy_protocol"><code>mod_proxy_protocol</code></a>
@@ -501,11 +501,30 @@ <h3><a name="ProxyOptions">ProxyOptions</a></h3>
 
     <p>
     <b>Note</b>: do <b>not</b> use this option unless the backend server
-    <em>does</em> support the <code>PROXY</code> protocol.  Otherwise, the
+    <em>does</em> support the <code>PROXY</code> V1 protocol.  Otherwise, the
     <code>PROXY</code> protocol message will only confuse the backend server,
     possibly leading to connection/login failures.
   </li>
 
+  <p>
+  <li><code>UseProxyProtocolV2</code><br>
+    <p>
+    When <code>mod_proxy</code> connects to the backend/destination server,
+    use the <a href="http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt"><code>PROXY</code></a> V2 protocol, sending a binary-encoded "PROXY" command
+    to the destination server.  This allows backend servers to implement
+    access controls/logging, based on the IP address of the connecting client.
+    The <a href="https://github.com/Castaglia/proftpd-mod_proxy_protocol"><code>mod_proxy_protocol</code></a>
+    ProFTPD module can be used to handle the "PROXY" command on the receiving
+    side, <i>i.e.</i> when using <code>proftpd</code> as the
+    backend/destination server.
+
+    <p>
+    <b>Note</b>: do <b>not</b> use this option unless the backend server
+    <em>does</em> support the <code>PROXY</code> V2 protocol.  Otherwise, the
+    "PROXY" protocol message will only confuse the backend server, possibly
+    leading to connection/login failures.
+  </li>
+
   <p>
   <li><code>UseReverseProxyAuth</code><br>
     <p>