MINOR: connection: add proxy-v2-options authority

This patch add option PP2_TYPE_AUTHORITY to proxy protocol v2 when a TLS connection was negotiated. In this case, authority corresponds to the sni.
2025-11-28 06:11:32 +01:00 · 2018-02-01 18:29:59 +01:00 · 2018-02-01 18:29:59 +01:00 · 253c3b7516
commit 253c3b7516
parent fa8d0f1875
6 changed files with 28 additions and 1 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -11724,7 +11724,9 @@ proxy-v2-options <option>[,<option>]*
  2 when "send-proxy-v2" is used. Options available are "ssl" (see also
  send-proxy-v2-ssl), "cert-cn" (see also "send-proxy-v2-ssl-cn"), "ssl-cipher":
  name of the used cipher, "cert-sig": signature algorithm of the used
-  certificate, "cert-key": key algorithm of the used certificate).
+  certificate, "cert-key": key algorithm of the used certificate), "authority":
+  host name value passed by the client (only sni from a tls connection is
+  supported).

 send-proxy-v2-ssl
  The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@ -50,6 +50,7 @@ void ssl_sock_free_srv_ctx(struct server *srv);
 void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
 int ssl_sock_load_ca(struct bind_conf *bind_conf);
 void ssl_sock_free_ca(struct bind_conf *bind_conf);
+const char *ssl_sock_get_sni(struct connection *conn);
 const char *ssl_sock_get_cert_sig(struct connection *conn);
 const char *ssl_sock_get_cipher_name(struct connection *conn);
 const char *ssl_sock_get_proto_version(struct connection *conn);
--- a/include/types/server.h
+++ b/include/types/server.h
@ -151,6 +151,7 @@ enum srv_initaddr {
 #define SRV_PP_V2_SSL_KEY_ALG   0x0010   /* proxy protocol version 2 with cert key algorithm */
 #define SRV_PP_V2_SSL_SIG_ALG   0x0020   /* proxy protocol version 2 with cert signature algorithm */
 #define SRV_PP_V2_SSL_CIPHER    0x0040   /* proxy protocol version 2 with cipher used */
+#define SRV_PP_V2_AUTHORITY     0x0080   /* proxy protocol version 2 with authority */

 /* function which act on servers need to return various errors */
 #define SRV_STATUS_OK       0   /* everything is OK. */
--- a/src/connection.c
+++ b/src/connection.c
@ -1044,6 +1044,15 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
 	}

 #ifdef USE_OPENSSL
+	if (srv->pp_opts & SRV_PP_V2_AUTHORITY) {
+		value = ssl_sock_get_sni(remote);
+		if (value) {
+			if ((buf_len - ret) < sizeof(struct tlv))
+				return 0;
+			ret += make_tlv(&buf[ret], (buf_len - ret), PP2_TYPE_AUTHORITY, strlen(value), value);
+		}
+	}
+
 	if (srv->pp_opts & SRV_PP_V2_SSL) {
 		struct tlv_ssl *tlv;
 		int ssl_tlv_len = 0;
--- a/src/server.c
+++ b/src/server.c
@ -526,6 +526,8 @@ static int srv_parse_proxy_v2_options(char **args, int *cur_arg,
 		} else if (!strcmp(p, "ssl-cipher")) {
 			newsrv->pp_opts |= SRV_PP_V2_SSL;
 			newsrv->pp_opts |= SRV_PP_V2_SSL_CIPHER;
+		} else if (!strcmp(p, "authority")) {
+			newsrv->pp_opts |= SRV_PP_V2_AUTHORITY;
 		} else
 			goto fail;
 	}
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -5783,6 +5783,18 @@ const char *ssl_sock_get_cert_sig(struct connection *conn)
 	return OBJ_nid2sn(OBJ_obj2nid(algorithm));
 }

+/* used for ppv2 authority */
+const char *ssl_sock_get_sni(struct connection *conn)
+{
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+	if (!ssl_sock_is_ssl(conn))
+		return NULL;
+	return SSL_get_servername(conn->xprt_ctx, TLSEXT_NAMETYPE_host_name);
+#else
+	return 0;
+#endif
+}
+
 /* used for logging/ppv2, may be changed for a sample fetch later */
 const char *ssl_sock_get_cipher_name(struct connection *conn)
 {