fix(helm): fix proxy protocol handling

Author: ggguardian

helm/ggbridge/README.md

@@ -168,7 +168,7 @@ A Helm chart for installing ggbridge
 | proxy.updateStrategy.rollingUpdate.maxSurge | int | `1` |  |
 | proxy.updateStrategy.rollingUpdate.maxUnavailable | int | `0` |  |
 | proxy.updateStrategy.type | string | `"RollingUpdate"` | Customize updateStrategy |
-| proxyProtocol.enabled | bool | `false` | When true, enables proxy protocol v2 for tcp tunnels |
+| proxyProtocol.enabled | bool | `true` | When true, enables proxy protocol v2 for web/tls tunnels |
 | replicaCount | int | `1` | Number of pods for each deployment |
 | resources.limits | object | `{}` | Set container limits |
 | resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Set container requests |

helm/ggbridge/files/nginx.conf

@@ -57,7 +57,7 @@ http {
 
     # web proxy server
     server {
-        listen {{ .Values.proxy.service.ports.web.containerPort }} {{ ternary "proxy_protocol" "" .Values.proxyProtocol.enabled }};
+        listen {{ .Values.proxy.service.ports.web.containerPort }};
 
         access_log /dev/stdout web;
 

helm/ggbridge/templates/client/deployment.yaml

@@ -128,6 +128,8 @@ spec:
             - name: LOG_LEVEL
               value: {{ . | quote }}
             {{- end }}
+            - name: PROXY_PROTOCOL_ENABLED
+              value: {{ $.Values.proxyProtocol.enabled | quote }}
             - name: TUNNEL_SOCKS_ENABLED
               value: {{ $.Values.client.tunnels.socks.enabled | quote }}
             - name: TUNNEL_TLS_ENABLED

helm/ggbridge/values.yaml

@@ -124,8 +124,8 @@ logLevel: INFO
 dnsResolver: ""
 
 proxyProtocol:
-  # -- When true, enables proxy protocol v2 for tcp tunnels
-  enabled: false
+  # -- When true, enables proxy protocol v2 for web/tls tunnels
+  enabled: true
 
 caBundle:
   # -- Specify CA certificates to inject (PEM format)

main.go

@@ -120,6 +120,7 @@ func buildClientCommand() []string {
 	connectionMinIdle := getEnv("CONNECTION_MIN_IDLE", "0")
 	dnsResolver := os.Getenv("DNS_RESOLVER")
 	tlsEnabled, err := strconv.ParseBool(getEnv("TLS_ENABLED", "false"))
+	proxyProtocolEnabled, err := strconv.ParseBool(getEnv("PROXY_PROTOCOL_ENABLED", "false"))
 	if err != nil {
 		log.Fatalf("Invalid boolean for tlsEnabled: %s", err)
 	}
@@ -213,12 +214,24 @@ func buildClientCommand() []string {
 
 	// Enables client to server tcp tunnel
 	if tunnelTlsEnabled {
-		cmd = append(cmd, "--local-to-remote", fmt.Sprintf("tcp://0.0.0.0:%s:127.0.0.1:%s?proxy_protocol", tunnelTlsPort, tunnelTlsRemotePort))
+		target := fmt.Sprintf("tcp://0.0.0.0:%s:127.0.0.1:%s", tunnelTlsPort, tunnelTlsRemotePort)
+
+		if proxyProtocolEnabled {
+			target += "?proxy_protocol"
+		}
+
+		cmd = append(cmd, "--local-to-remote", target)
 	}
 
 	// Enables client to server web tunnel
 	if tunnelWebEnabled {
-		cmd = append(cmd, "--local-to-remote", fmt.Sprintf("tcp://127.0.0.1:%s:127.0.0.1:%s?proxy_protocol", tunnelWebPort, tunnelWebRemotePort))
+		target := fmt.Sprintf("tcp://127.0.0.1:%s:127.0.0.1:%s", tunnelWebPort, tunnelWebRemotePort)
+
+		if proxyProtocolEnabled {
+			target += "?proxy_protocol"
+		}
+
+		cmd = append(cmd, "--local-to-remote", target)
 	}
 
 	// Enables server to client proxy tunnel