Skip to content

Extract PROXY Protocol v2 TLV SSL info for X-Forwarded-Proto#3945

Closed
ayruslore wants to merge 1 commit into
masterfrom
fix/proxy-protocol-v2-tls
Closed

Extract PROXY Protocol v2 TLV SSL info for X-Forwarded-Proto#3945
ayruslore wants to merge 1 commit into
masterfrom
fix/proxy-protocol-v2-tls

Conversation

@ayruslore

Copy link
Copy Markdown
Member

Summary

When Proxy Protocol v2 is enabled on NLB, extract TLS information from PROXY v2 TLV data to properly set X-Forwarded-Proto header. This enables HTTP-to-HTTPS redirect routes to work correctly.

Changes

  • Parse PROXY v2 TLV data to detect SSL information (type 0x20)
  • Cache SSL state by connection addresses in proxylistener
  • Add ProxyProtoTLSHandler middleware to pass SSL info via request context
  • Update ForwardedHeaders to check PROXY protocol SSL info first

Test plan

  • Enable proxy protocol on NLB with both HTTP and HTTPS ports
  • Test HTTP requests get X-Forwarded-Proto=http
  • Test HTTPS requests get X-Forwarded-Proto=https
  • Verify HTTP-to-HTTPS redirects work correctly

Comment thread net/headers.go Outdated
Comment thread net/proxyproto.go Outdated
Comment thread net/proxyproto.go Outdated

// proxySSLCache is a global, thread-safe cache of SSL information from PROXY protocol v2 TLVs
// keyed by "remoteAddr|localAddr"
var proxySSLCache sync.Map

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add type information of key and value

Comment thread proxylistener/proxylistener.go Outdated
Comment thread proxylistener/proxylistener.go
Comment thread proxylistener/proxylistener.go Outdated
Comment thread proxylistener/proxylistener.go Outdated
Comment thread proxylistener/proxylistener.go Outdated

@szuecs szuecs left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests are missing.
For example have a good test and then add failing tests also with the read/write deadlines.

@ayruslore
ayruslore force-pushed the fix/proxy-protocol-v2-tls branch from 33100b5 to 401a924 Compare April 9, 2026 21:03
if pconn, ok := conn.(*proxyproto.Conn); ok {
if header := pconn.ProxyHeader(); header != nil {
tlvs, err := header.TLVs()
if err == nil {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This condition makes this error hidden, if there is an error we just skip, is this the required flow?

			if err != nil {
                return conn, err
            }

Comment thread proxylistener/proxylistener.go Outdated
// Store using PROXY protocol's upstream addresses (what the PROXY header specifies)
if header.SourceAddr != nil {
upstreamClientKey := header.SourceAddr.String()
proxySSLCache.Store(upstreamClientKey, ssl)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this will be memory leak as we don't clean up, also it's not necessary since we already do the caching with actual connection addresses.

Comment thread proxylistener/proxylistener.go Outdated
Comment thread proxylistener/proxylistener.go Outdated
func GetProxyProtoSSL(remoteAddr, localAddr string) (bool, bool) {
// First try to look up by upstream client IP from X-Forwarded-For or PROXY protocol
// Extract just the host part (without port)
clientHost := extractHost(remoteAddr)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe I'm misunderstanding something in proxy protocol, do we need this? Why not using the fall back directly?

Comment thread net/headers.go Outdated
localAddr := getLocalAddr(r)
ssl, ok := h.Lookup(remoteAddr, localAddr)

ctx := r.Context()

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's better to move this up and make the condition under Lookup function

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

initialization can also be ctx := context.WithValue(r.Context(), contextKeyProxyProtoDirect{}, true)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and remove this later in the function

@ayruslore
ayruslore force-pushed the fix/proxy-protocol-v2-tls branch 6 times, most recently from ffa2850 to c5714f1 Compare April 14, 2026 19:02
When Proxy Protocol v2 is enabled, extract TLS information from TLV data and
use it to set X-Forwarded-Proto header correctly, enabling HTTP-to-HTTPS
redirect routes to work with NLB.

Signed-off-by: speruri <surya.srikar.peruri@zalando.de>
@ayruslore
ayruslore force-pushed the fix/proxy-protocol-v2-tls branch from c5714f1 to 1453c8d Compare April 15, 2026 08:56
@ayruslore

Copy link
Copy Markdown
Member Author

trhis is not needed we can close this pr.

@ayruslore ayruslore closed this Apr 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

minor no risk changes, for example new filters

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants