docs: add missing RFC hyperlinks

shaneutt · shaneutt · commit c34721f8431f · 2026-04-26T12:49:13.000-04:00
Signed-off-by: Shane Utt &lt;shaneutt@linux.com&gt;
diff --git a/core/src/config/validate/cluster/health_check.rs b/core/src/config/validate/cluster/health_check.rs
@@ -129,6 +129,12 @@ pub(super) fn validate_health_check_ssrf(
 // -----------------------------------------------------------------------------
 
 /// Returns `true` for IP addresses that are SSRF-sensitive.
+///
+/// Note: [RFC 1918] private ranges (10/8, 172.16/12, 192.168/16)
+/// are intentionally not flagged; only loopback and cloud metadata
+/// addresses are considered sensitive.
+///
+/// [RFC 1918]: https://datatracker.ietf.org/doc/html/rfc1918
 fn is_ssrf_sensitive(ip: &IpAddr) -> bool {
     match ip {
         IpAddr::V4(v4) => v4.is_loopback() || *v4 == std::net::Ipv4Addr::new(169, 254, 169, 254),
diff --git a/core/src/config/validate/cluster/tls.rs b/core/src/config/validate/cluster/tls.rs
@@ -80,16 +80,18 @@ fn validate_sni_length(sni: &str, cluster_name: &str) -> Result<(), ProxyError>
 }
 
 /// Validate each DNS label in the SNI hostname.
+///
+/// Wildcard validation follows [RFC 6125]: `*` is only valid as
+/// the complete leftmost label (e.g. `*.example.com`).
+///
+/// [RFC 6125]: https://datatracker.ietf.org/doc/html/rfc6125
 fn validate_sni_labels(sni: &str, cluster_name: &str) -> Result<(), ProxyError> {
     for (i, label) in sni.split('.').enumerate() {
         if label.is_empty() || label.len() > 63 {
             return Err(ProxyError::Config(format!(
                 "cluster '{cluster_name}': sni has invalid label length"
             )));
         }
-        // RFC 6125 (https://datatracker.ietf.org/doc/html/rfc6125):
-        // wildcard `*` is only valid as the complete leftmost label
-        // (e.g. `*.example.com`).
         if label.contains('*') {
             if label != "*" || i != 0 {
                 return Err(ProxyError::Config(format!(
diff --git a/filter/src/builtins/tcp/traffic_management/sni_router.rs b/filter/src/builtins/tcp/traffic_management/sni_router.rs
@@ -44,7 +44,9 @@ use crate::{
 /// Routes TCP connections by SNI hostname.
 ///
 /// Performs exact-match lookup first, then longest-suffix
-/// wildcard match. Case-insensitive per RFC 4343.
+/// wildcard match. Case-insensitive per [RFC 4343].
+///
+/// [RFC 4343]: https://datatracker.ietf.org/doc/html/rfc4343
 ///
 /// # Example
 ///
diff --git a/protocol/src/http/pingora/handler/request_filter/validation.rs b/protocol/src/http/pingora/handler/request_filter/validation.rs
@@ -1,7 +1,10 @@
 // SPDX-License-Identifier: MIT
 // Copyright (c) 2024 Shane Utt
 
-//! Host header validation and Max-Forwards handling per RFC 9110/9112.
+//! Host header validation and Max-Forwards handling per [RFC 9110]/[RFC 9112].
+//!
+//! [RFC 9110]: https://datatracker.ietf.org/doc/html/rfc9110
+//! [RFC 9112]: https://datatracker.ietf.org/doc/html/rfc9112
 
 use pingora_proxy::Session;
 use praxis_filter::Rejection;
diff --git a/protocol/src/http/pingora/handler/upstream_peer.rs b/protocol/src/http/pingora/handler/upstream_peer.rs
@@ -120,7 +120,9 @@ fn client_cert_from_cached(cached: &praxis_tls::CachedClientCert) -> pingora_cor
 /// Derive an SNI hostname from an `address` string in `host:port` form.
 ///
 /// Returns the host portion if it is a DNS name. Returns an empty string
-/// if the host is an IP address (IP-based SNI is not standard per RFC 6066).
+/// if the host is an IP address (IP-based SNI is not standard per [RFC 6066]).
+///
+/// [RFC 6066]: https://datatracker.ietf.org/doc/html/rfc6066
 fn derive_sni(address: &str) -> String {
     let host = address.rsplit_once(':').map_or(address, |(h, _)| h);
     if host.parse::<std::net::IpAddr>().is_ok() {
diff --git a/tls/src/sni.rs b/tls/src/sni.rs
@@ -41,7 +41,9 @@ const CONTENT_TYPE_HANDSHAKE: u8 = 22;
 /// TLS `HandshakeType` for `ClientHello`.
 const HANDSHAKE_TYPE_CLIENT_HELLO: u8 = 1;
 
-/// TLS extension type for Server Name Indication (RFC 6066).
+/// TLS extension type for Server Name Indication ([RFC 6066]).
+///
+/// [RFC 6066]: https://datatracker.ietf.org/doc/html/rfc6066
 const EXTENSION_TYPE_SNI: u16 = 0;
 
 /// SNI `NameType` for DNS hostnames.
@@ -111,11 +113,15 @@ pub enum SniParseError {
     #[error("malformed TLS extension")]
     MalformedExtension,
 
-    /// The SNI hostname is empty (RFC 6066 requires a valid DNS name).
+    /// The SNI hostname is empty ([RFC 6066] requires a valid DNS name).
+    ///
+    /// [RFC 6066]: https://datatracker.ietf.org/doc/html/rfc6066
     #[error("SNI hostname must not be empty (RFC 6066)")]
     EmptyHostname,
 
-    /// The SNI hostname is an IP literal (rejected per RFC 6066 section 3).
+    /// The SNI hostname is an IP literal (rejected per [RFC 6066 Section 3]).
+    ///
+    /// [RFC 6066 Section 3]: https://datatracker.ietf.org/doc/html/rfc6066#section-3
     #[error("SNI must not be an IP address (RFC 6066)")]
     InvalidHostname,
 }
@@ -338,7 +344,9 @@ fn read_u24(data: &[u8], offset: usize) -> Result<u32, SniParseError> {
 // Validation
 // ---------------------------------------------------------------------------------
 
-/// Reject IP address literals per RFC 6066 section 3.
+/// Reject IP address literals per [RFC 6066 Section 3].
+///
+/// [RFC 6066 Section 3]: https://datatracker.ietf.org/doc/html/rfc6066#section-3
 fn reject_ip_literal(hostname: &str) -> Result<(), SniParseError> {
     if hostname.parse::<std::net::IpAddr>().is_ok() {
         return Err(SniParseError::InvalidHostname);
