sqlproxyccl: add proxy protocol listener

pkg/ccl/cliccl/flags.go

@@ -69,6 +69,7 @@ func init() {
 		cliflagcfg.StringFlag(f, &proxyContext.Denylist, cliflags.DenyList)
 		cliflagcfg.StringFlag(f, &proxyContext.Allowlist, cliflags.AllowList)
 		cliflagcfg.StringFlag(f, &proxyContext.ListenAddr, cliflags.ProxyListenAddr)
+		cliflagcfg.StringFlag(f, &proxyContext.ProxyProtocolListenAddr, cliflags.ProxyProtocolListenAddr)
 		cliflagcfg.StringFlag(f, &proxyContext.ListenCert, cliflags.ListenCert)
 		cliflagcfg.StringFlag(f, &proxyContext.ListenKey, cliflags.ListenKey)
 		cliflagcfg.StringFlag(f, &proxyContext.MetricsAddress, cliflags.ListenMetrics)

pkg/ccl/cliccl/mt_proxy.go

@@ -56,9 +56,20 @@ func runStartSQLProxy(cmd *cobra.Command, args []string) (returnErr error) {
 
 	log.Infof(ctx, "New proxy with opts: %+v", proxyContext)
 
-	proxyLn, err := net.Listen("tcp", proxyContext.ListenAddr)
-	if err != nil {
-		return err
+	var proxyLn net.Listener
+	if proxyContext.ListenAddr != "" {
+		proxyLn, err = net.Listen("tcp", proxyContext.ListenAddr)
+		if err != nil {
+			return err
+		}
+	}
+
+	var proxyProtocolLn net.Listener
+	if proxyContext.ProxyProtocolListenAddr != "" {
+		proxyProtocolLn, err = net.Listen("tcp", proxyContext.ProxyProtocolListenAddr)
+		if err != nil {
+			return err
+		}
 	}
 
 	metricsLn, err := net.Listen("tcp", proxyContext.MetricsAddress)
@@ -84,15 +95,14 @@ func runStartSQLProxy(cmd *cobra.Command, args []string) (returnErr error) {
 	}
 
 	if err := stopper.RunAsyncTask(ctx, "serve-proxy", func(ctx context.Context) {
-		log.Infof(ctx, "proxy server listening at %s", proxyLn.Addr())
-		if err := server.Serve(ctx, proxyLn); err != nil {
+		if err := server.ServeSQL(ctx, proxyLn, proxyProtocolLn); err != nil {
 			errChan <- err
 		}
 	}); err != nil {
 		return err
 	}
 
-	return waitForSignals(ctx, server, stopper, proxyLn, errChan)
+	return waitForSignals(ctx, server, stopper, proxyLn, proxyProtocolLn, errChan)
 }
 
 func initLogging(cmd *cobra.Command) (ctx context.Context, stopper *stop.Stopper, err error) {
@@ -110,6 +120,7 @@ func waitForSignals(
 	server *sqlproxyccl.Server,
 	stopper *stop.Stopper,
 	proxyLn net.Listener,
+	proxyProtocolLn net.Listener,
 	errChan chan error,
 ) (returnErr error) {
 	// Need to alias the signals if this has to run on non-unix OSes too.
@@ -139,7 +150,12 @@ func waitForSignals(
 			//    waiting for "shutdownConnectionTimeout" to elapse after which
 			//    open TCP connections will be forcefully closed so the server can stop
 			log.Infof(ctx, "stopping tcp listener")
-			_ = proxyLn.Close()
+			if proxyLn != nil {
+				_ = proxyLn.Close()
+			}
+			if proxyProtocolLn != nil {
+				_ = proxyProtocolLn.Close()
+			}
 			select {
 			case <-server.AwaitNoConnections(ctx):
 			case <-time.After(shutdownConnectionTimeout):

pkg/ccl/sqlproxyccl/proxy_handler.go

@@ -73,6 +73,10 @@ type ProxyOptions struct {
 	Denylist string
 	// ListenAddr is the listen address for incoming connections.
 	ListenAddr string
+	// ProxyProtocolListenAddr is the optional listen address for incoming
+	// connections for which it will be enforced that the connections have proxy
+	// headers set.
+	ProxyProtocolListenAddr string
 	// ListenCert is the file containing PEM-encoded x509 certificate for listen
 	// address. Set to "*" to auto-generate self-signed cert.
 	ListenCert string
@@ -113,8 +117,10 @@ type ProxyOptions struct {
 	DisableConnectionRebalancing bool
 	// RequireProxyProtocol changes the server's behavior to support the PROXY
 	// protocol (SQL=required, HTTP=best-effort). With this set to true, the
-	// PROXY info from upstream will be trusted on both HTTP and SQL, if the
-	// headers are allowed.
+	// PROXY info from upstream will be trusted on both HTTP and SQL (on the
+	// ListenAddr port), if the headers are allowed. The ProxyProtocolListenAddr
+	// port, if specified, will require the proxy protocol regardless of
+	// RequireProxyProtocol.
 	RequireProxyProtocol bool
 
 	// testingKnobs are knobs used for testing.