feat(helm): disable proxy protocol by default for tls/web tunnels

ggguardian · ggguardian · commit f0e5c87f26c0 · 2025-03-25T02:04:12.000+01:00
diff --git a/helm/ggbridge/README.md b/helm/ggbridge/README.md
@@ -168,7 +168,7 @@ A Helm chart for installing ggbridge
 | proxy.updateStrategy.rollingUpdate.maxSurge | int | `1` |  |
 | proxy.updateStrategy.rollingUpdate.maxUnavailable | int | `0` |  |
 | proxy.updateStrategy.type | string | `"RollingUpdate"` | Customize updateStrategy |
-| proxyProtocol.enabled | bool | `false` | When true, enables proxy protocol v2 for tcp tunnels |
+| proxyProtocol.enabled | bool | `false` | When true, enables proxy protocol v2 for web/tls tunnels |
 | replicaCount | int | `1` | Number of pods for each deployment |
 | resources.limits | object | `{}` | Set container limits |
 | resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Set container requests |
diff --git a/helm/ggbridge/templates/client/deployment.yaml b/helm/ggbridge/templates/client/deployment.yaml
@@ -128,6 +128,8 @@ spec:
             - name: LOG_LEVEL
               value: {{ . | quote }}
             {{- end }}
+            - name: PROXY_PROTOCOL_ENABLED
+              value: {{ $.Values.proxyProtocol.enabled | quote }}
             - name: TUNNEL_SOCKS_ENABLED
               value: {{ $.Values.client.tunnels.socks.enabled | quote }}
             - name: TUNNEL_TLS_ENABLED
diff --git a/helm/ggbridge/values.yaml b/helm/ggbridge/values.yaml
@@ -124,7 +124,7 @@ logLevel: INFO
 dnsResolver: ""
 
 proxyProtocol:
-  # -- When true, enables proxy protocol v2 for tcp tunnels
+  # -- When true, enables proxy protocol v2 for web/tls tunnels
   enabled: false
 
 caBundle:
diff --git a/main.go b/main.go
@@ -120,6 +120,7 @@ func buildClientCommand() []string {
 	connectionMinIdle := getEnv("CONNECTION_MIN_IDLE", "0")
 	dnsResolver := os.Getenv("DNS_RESOLVER")
 	tlsEnabled, err := strconv.ParseBool(getEnv("TLS_ENABLED", "false"))
+	proxyProtocolEnabled, err := strconv.ParseBool(getEnv("PROXY_PROTOCOL_ENABLED", "false"))
 	if err != nil {
 		log.Fatalf("Invalid boolean for tlsEnabled: %s", err)
 	}
@@ -213,12 +214,24 @@ func buildClientCommand() []string {
 
 	// Enables client to server tcp tunnel
 	if tunnelTlsEnabled {
-		cmd = append(cmd, "--local-to-remote", fmt.Sprintf("tcp://0.0.0.0:%s:127.0.0.1:%s?proxy_protocol", tunnelTlsPort, tunnelTlsRemotePort))
+		target := fmt.Sprintf("tcp://0.0.0.0:%s:127.0.0.1:%s", tunnelTlsPort, tunnelTlsRemotePort)
+
+		if proxyProtocolEnabled {
+			target += "?proxy_protocol"
+		}
+
+		cmd = append(cmd, "--local-to-remote", target)
 	}
 
 	// Enables client to server web tunnel
 	if tunnelWebEnabled {
-		cmd = append(cmd, "--local-to-remote", fmt.Sprintf("tcp://127.0.0.1:%s:127.0.0.1:%s?proxy_protocol", tunnelWebPort, tunnelWebRemotePort))
+		target := fmt.Sprintf("tcp://127.0.0.1:%s:127.0.0.1:%s", tunnelWebPort, tunnelWebRemotePort)
+
+		if proxyProtocolEnabled {
+			target += "?proxy_protocol"
+		}
+
+		cmd = append(cmd, "--local-to-remote", target)
 	}
 
 	// Enables server to client proxy tunnel
