[connection] add PROXY parser (haproxy protocol)

https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt

Change-Id: I85b28705a74686d9beee04751e8831119be2a228

Author: stbuehler

doc/plugin_core.xml

@@ -105,6 +105,15 @@
 				Some clients don't send Content-Length for POST requests with empty body; they should send `Content-Length: 0`.  When this check is enabled they'll get a `411 Length required` error.
 			</markdown></description>
 		</option>
+		<option name="proxy_protocol.tlv_max_length">
+			<short>maximum length of TLV parameters in PROXY v2 headers</short>
+			<default><value>-1</value></default>
+			<description><markdown><![CDATA[
+				Maximum length of TLV section (after address data) in PROXY v2 headers. `-1` means no limit but also doesn't store it.
+
+				Also see <https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt>.
+			]]></markdown></description>
+		</option>
 
 		<option name="static.exclude_extensions">
 			<short>don't deliver static files with one of the listed extensions</short>
@@ -628,6 +637,25 @@
 		</action>
 	</section>
 
+	<action name="proxy_protocol.trust">
+		<short>Trust PROXY header</short>
+
+		<description><markdown>
+			When a [PROXY header](https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt) was present and contained addresses, replace the `request.local*` and `request.remote*` variables with those from the PROXY header.
+
+			This only triggers once per connection, and should be done early in the config (so it happens for the first request); the new addresses are used for the following requests too (they are stored per connection).
+
+			You only should trust the PROXY header on connections from trusted IPs.
+		</markdown></description>
+		<example>
+			<config>
+				if request.remoteip == "198.51.100.1" or request.remoteip == "127.0.0.1" {
+					proxy_protocol.trust;
+				}
+			</config>
+		</example>
+	</action>
+
 	<action name="io.buffer_out">
 		<short>set memory limit for outgoing chunkqueues (default is 256KiB)</short>
 		<parameter name="limit">

include/lighttpd/base.h

@@ -21,6 +21,7 @@
 #include <lighttpd/stream.h>
 #include <lighttpd/filter.h>
 #include <lighttpd/filter_chunked.h>
+#include <lighttpd/proxy_protocol.h>
 #include <lighttpd/radix.h>
 #include <lighttpd/fetch.h>
 

include/lighttpd/connection.h

@@ -64,6 +64,7 @@ struct liConnection {
 
 	liStream in, out;
 	liFilterChunkedDecodeState in_chunked_decode_state;
+	liConnectionProxyProtocolFilter proxy_protocol_filter;
 
 	liVRequest *mainvr;
 	liHttpRequestCtx req_parser_ctx;

include/lighttpd/plugin_core.h

@@ -20,6 +20,8 @@ enum liCoreOptions {
 	LI_CORE_OPTION_BUFFER_ON_DISK_REQUEST_BODY,
 
 	LI_CORE_OPTION_STRICT_POST_CONTENT_LENGTH,
+
+	LI_CORE_OPTION_PROXY_PROTOCOL_TLV_MAX_LENGTH,
 };
 
 enum liCoreOptionPtrs {

include/lighttpd/proxy_protocol.h

@@ -0,0 +1,58 @@
+/* proxy protocol filter:
+ * https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt
+ */
+
+#ifndef _LIGHTTPD_PROXY_PROTOCOL_H_
+#define _LIGHTTPD_PROXY_PROTOCOL_H_
+
+#ifndef _LIGHTTPD_BASE_H_
+#error Please include <lighttpd/base.h> instead of this file
+#endif
+
+typedef enum {
+	LI_PROXY_PROT_TRANSPORT_UNSPEC = 0x00,
+	LI_PROXY_PROT_TRANSPORT_STREAM = 0x01,
+	LI_PROXY_PROT_TRANSPORT_DGRAM = 0x02,
+} liProxyProtTransport;
+#define LI_PROXY_PROT_TRANSPORT_MAX ((unsigned char)LI_PROXY_PROT_TRANSPORT_DGRAM)
+
+typedef struct liProxyProtocolData liProxyProtocolData;
+struct liProxyProtocolData {
+	guint version;
+	liProxyProtTransport transport;
+	liSocketAddress remote;
+	liSocketAddress local;
+
+	guint skip_bytes;
+	guint remaining_tlv_bytes;
+
+	GByteArray *tlvs;
+};
+
+LI_API void li_proxy_protocol_data_init(liProxyProtocolData *data);
+LI_API void li_proxy_protocol_data_clear(liProxyProtocolData *data);
+
+typedef enum {
+	LI_PROXY_PROTOCOL_PARSE_NEED_MORE_DATA = -2,
+	LI_PROXY_PROTOCOL_PARSE_ERROR = -1,
+	LI_PROXY_PROTOCOL_PARSE_DONE = 0,
+} liProxyProtocolParseResult;
+
+LI_API liProxyProtocolParseResult li_proxy_protocol_parse(
+	liVRequest *vr,  /* probably con->mainvr, needed for logging and options */
+	liProxyProtocolData *data,
+	unsigned char *header,
+	gssize header_len
+);
+
+
+/* liConnection integration */
+typedef struct liConnectionProxyProtocolFilter liConnectionProxyProtocolFilter;
+struct liConnectionProxyProtocolFilter {
+	liStream stream;
+	gboolean done;
+};
+
+LI_API void li_connection_proxy_protocol_init(liConnection *con);
+
+#endif

include/lighttpd/virtualrequest.h

@@ -54,6 +54,9 @@ struct liConInfo {
 	gboolean keep_alive;
 	gboolean aborted; /* network aborted connection before response was sent completely */
 
+	gboolean proxy_prot_used;
+	liProxyProtocolData proxy_prot_data;
+
 	liStream *req;
 	liStream *resp;
 

src/main/connection.c

@@ -33,7 +33,10 @@ static void li_connection_reset2(liConnection *con); /* reset when dead and stre
 static void connection_check_reset(liJob *job) {
 	liConnection *con = LI_CONTAINER_OF(job, liConnection, job_reset);
 
-	if (LI_CON_STATE_DEAD == con->state && (0 == con->in.refcount) && (0 == con->out.refcount)) {
+	if (LI_CON_STATE_DEAD == con->state
+	    && (0 == con->in.refcount) && (0 == con->out.refcount)
+	    && (0 == con->proxy_protocol_filter.stream.refcount)
+	) {
 		li_connection_reset2(con);
 		li_worker_con_put(con);
 	}
@@ -371,6 +374,7 @@ void li_connection_start(liConnection *con, liSocketAddress remote_addr, int s,
 
 	li_stream_init(&con->in, &con->wrk->loop, _connection_http_in_cb);
 	li_stream_init(&con->out, &con->wrk->loop, _connection_http_out_cb);
+	li_connection_proxy_protocol_init(con);
 
 	con->info.req = &con->in;
 	con->info.resp = &con->out;
@@ -570,13 +574,15 @@ void li_connection_reset(liConnection *con) {
 		con_iostream_close(con, TRUE);
 		li_stream_reset(&con->in);
 		li_stream_reset(&con->out);
+		li_stream_reset(&con->proxy_protocol_filter.stream);
 
 		/* keep details of last request around until final cleanup in li_connection_reset2;
 		 * don't actually do any "keepalive" here */
 		li_vrequest_reset(con->mainvr, TRUE);
 
 		li_stream_release(&con->in);
 		li_stream_release(&con->out);
+		li_stream_release(&con->proxy_protocol_filter.stream);
 
 		con->info.keep_alive = TRUE;
 		if (con->keep_alive_data.link) {
@@ -609,6 +615,9 @@ static void li_connection_reset2(liConnection *con) {
 	li_stream_reset(&con->in);
 	li_stream_reset(&con->out);
 
+	con->info.proxy_prot_used = FALSE;
+	li_proxy_protocol_data_clear(&con->info.proxy_prot_data);
+
 	li_vrequest_reset(con->mainvr, FALSE);
 
 	li_http_request_parser_reset(&con->req_parser_ctx);

src/main/connection_http.c

@@ -76,7 +76,8 @@ gboolean li_connection_http_new(liConnection *con, int fd) {
 	con->con_sock.data = data;
 	con->con_sock.callbacks = &simple_tcp_cbs;
 	con->con_sock.raw_out = &data->sock_stream->stream_out;
-	con->con_sock.raw_in = &data->sock_stream->stream_in;
+	li_stream_connect(&data->sock_stream->stream_in, &con->proxy_protocol_filter.stream);
+	con->con_sock.raw_in = &con->proxy_protocol_filter.stream;
 	li_stream_acquire(con->con_sock.raw_out);
 	li_stream_acquire(con->con_sock.raw_in);
 

src/main/meson.build

@@ -27,6 +27,7 @@ src_shared = [
   'options.c',
   'pattern.c',
   'plugin.c',
+  'proxy_protocol.c',
   'request.c',
   'response.c',
   'server.c',

src/main/plugin_core.c

@@ -2030,6 +2030,52 @@ static liAction* core_map_cidr(liServer *srv, liWorker *wrk, liPlugin* p, liValu
 	return li_action_new_function(core_handle_map_cidr, NULL, core_map_cidr_free, md);
 }
 
+static liHandlerResult core_handle_proxy_prot_trust(liVRequest *vr, gpointer param, gpointer *context) {
+	liConInfo *coninfo = vr->coninfo;
+	UNUSED(param);
+	UNUSED(context);
+
+	if (coninfo->proxy_prot_used) return LI_HANDLER_GO_ON;
+
+	coninfo->proxy_prot_used = TRUE; /* don't try again */
+
+	if (0 == coninfo->proxy_prot_data.version) {
+		if (CORE_OPTION(LI_CORE_OPTION_DEBUG_REQUEST_HANDLING).boolean) {
+			VR_DEBUG(vr, "%s", "No PROXY header present");
+		}
+		return LI_HANDLER_GO_ON;
+	}
+
+	if (0 == coninfo->proxy_prot_data.remote.len || 0 == coninfo->proxy_prot_data.local.len) {
+		if (CORE_OPTION(LI_CORE_OPTION_DEBUG_REQUEST_HANDLING).boolean) {
+			VR_DEBUG(vr, "%s", "No addresses in PROXY header");
+		}
+		return LI_HANDLER_GO_ON;
+	}
+
+	li_sockaddr_clear(&coninfo->remote_addr);
+	coninfo->remote_addr = li_sockaddr_dup(coninfo->proxy_prot_data.remote);
+	li_sockaddr_to_string(coninfo->remote_addr, coninfo->remote_addr_str, FALSE);
+
+	li_sockaddr_clear(&coninfo->local_addr);
+	coninfo->local_addr = li_sockaddr_dup(coninfo->proxy_prot_data.local);
+	li_sockaddr_to_string(coninfo->local_addr, coninfo->local_addr_str, FALSE);
+
+	return LI_HANDLER_GO_ON;
+}
+
+static liAction* core_proxy_prot_trust(liServer *srv, liWorker *wrk, liPlugin* p, liValue *val, gpointer userdata) {
+	UNUSED(wrk); UNUSED(p); UNUSED(userdata);
+
+	val = li_value_get_single_argument(val);
+	if (NULL != val) {
+		ERROR(srv, "%s", "'proxy_protocol.trust' action doesn't take any parameters");
+		return NULL;
+	}
+
+	return li_action_new_function(core_handle_proxy_prot_trust, NULL, NULL, NULL);
+}
+
 static void fetch_files_static_lookup(liFetchDatabase* db, gpointer data, liFetchEntry *entry) {
 	GHashTable *stringdb = (GHashTable*) data;
 	UNUSED(db);
@@ -2217,6 +2263,8 @@ static const liPluginOption options[] = {
 
 	{ "strict.post_content_length", LI_VALUE_BOOLEAN, TRUE, NULL },
 
+	{ "proxy_protocol.tlv_max_length", LI_VALUE_NUMBER, -1, NULL },
+
 	{ NULL, 0, 0, NULL }
 };
 
@@ -2270,6 +2318,8 @@ static const liPluginAction actions[] = {
 	{ "map", core_map, NULL },
 	{ "map_cidr", core_map_cidr, NULL },
 
+	{ "proxy_protocol.trust", core_proxy_prot_trust, NULL },
+
 	{ NULL, NULL, NULL }
 };