Skip to content

Commit

Permalink
Moved PROXY protocol wrap to execute before the TLS wrap (#3195)
Browse files Browse the repository at this point in the history
  • Loading branch information
solmonk authored and jefferai committed Aug 23, 2017
1 parent e80808b commit f855da7
Show file tree
Hide file tree
Showing 3 changed files with 38 additions and 38 deletions.
38 changes: 0 additions & 38 deletions command/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,6 @@ import (
"github.com/hashicorp/vault/helper/logformat"
"github.com/hashicorp/vault/helper/mlock"
"github.com/hashicorp/vault/helper/parseutil"
"github.com/hashicorp/vault/helper/proxyutil"
"github.com/hashicorp/vault/helper/reload"
vaulthttp "github.com/hashicorp/vault/http"
"github.com/hashicorp/vault/logical"
Expand Down Expand Up @@ -459,43 +458,6 @@ CLUSTER_SYNTHESIS_COMPLETE:
return 1
}

if val, ok := lnConfig.Config["proxy_protocol_behavior"]; ok {
behavior, ok := val.(string)
if !ok {
c.Ui.Output(fmt.Sprintf(
"Error parsing proxy_protocol_behavior value for listener of type %s: not a string",
lnConfig.Type))
return 1
}

authorizedAddrsRaw, ok := lnConfig.Config["proxy_protocol_authorized_addrs"]
if !ok {
c.Ui.Output(fmt.Sprintf(
"proxy_protocol_behavior set but no proxy_protocol_authorized_addrs value for listener of type %s",
lnConfig.Type))
return 1
}

proxyProtoConfig := &proxyutil.ProxyProtoConfig{
Behavior: behavior,
}
if err := proxyProtoConfig.SetAuthorizedAddrs(authorizedAddrsRaw); err != nil {
c.Ui.Output(fmt.Sprintf(
"Error parsing proxy_protocol_authorized_addrs for listener of type %s: %v",
lnConfig.Type, err))
return 1
}

newLn, err := proxyutil.WrapInProxyProto(ln, proxyProtoConfig)
if err != nil {
c.Ui.Output(fmt.Sprintf(
"Error configuring PROXY protocol wrapper: %s", err))
return 1
}

ln = newLn
}

lns = append(lns, ln)

if reloadFunc != nil {
Expand Down
32 changes: 32 additions & 0 deletions command/server/listener.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (
"net"

"github.com/hashicorp/vault/helper/parseutil"
"github.com/hashicorp/vault/helper/proxyutil"
"github.com/hashicorp/vault/helper/reload"
"github.com/hashicorp/vault/helper/tlsutil"
)
Expand All @@ -35,6 +36,37 @@ func NewListener(t string, config map[string]interface{}, logger io.Writer) (net
return f(config, logger)
}

func listenerWrapProxy(ln net.Listener, config map[string]interface{}) (net.Listener, error) {
behaviorRaw, ok := config["proxy_protocol_behavior"]
if !ok {
return ln, nil
}

behavior, ok := behaviorRaw.(string)
if !ok {
return nil, fmt.Errorf("failed parsing proxy_protocol_behavior value: not a string")
}

authorizedAddrsRaw, ok := config["proxy_protocol_authorized_addrs"]
if !ok {
return nil, fmt.Errorf("proxy_protocol_behavior set but no proxy_protocol_authorized_addrs value")
}

proxyProtoConfig := &proxyutil.ProxyProtoConfig{
Behavior: behavior,
}
if err := proxyProtoConfig.SetAuthorizedAddrs(authorizedAddrsRaw); err != nil {
return nil, fmt.Errorf("failed parsing proxy_protocol_authorized_addrs: %v", err)
}

newLn, err := proxyutil.WrapInProxyProto(ln, proxyProtoConfig)
if err != nil {
return nil, fmt.Errorf("failed configuring PROXY protocol wrapper: %s", err)
}

return newLn, nil
}

func listenerWrapTLS(
ln net.Listener,
props map[string]string,
Expand Down
6 changes: 6 additions & 0 deletions command/server/listener_tcp.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,12 @@ func tcpListenerFactory(config map[string]interface{}, _ io.Writer) (net.Listene
}

ln = tcpKeepAliveListener{ln.(*net.TCPListener)}

ln, err = listenerWrapProxy(ln, config)
if err != nil {
return nil, nil, nil, err
}

props := map[string]string{"addr": addr}
return listenerWrapTLS(ln, props, config)
}
Expand Down

0 comments on commit f855da7

Please sign in to comment.