[MEDIUM] server: add support for the "send-proxy" option

This option enables use of the PROXY protocol with the server, which allows haproxy to transport original client's address across multiple architecture layers.
2026-02-26 11:41:50 +01:00 · 2011-03-20 10:32:26 +01:00 · 2011-03-20 10:32:26 +01:00 · 5ab04ec47c
commit 5ab04ec47c
parent b22e55bc8f
4 changed files with 48 additions and 20 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -6647,6 +6647,21 @@ rise <count>

  Supported in default-server: Yes

+send-proxy
+  The "send-proxy" parameter enforces use of the PROXY protocol over any
+  connection established to this server. The PROXY protocol informs the other
+  end about the layer 3/4 addresses of the incoming connection, so that it can
+  know the client's address or the public address it accessed to, whatever the
+  upper layer protocol. For connections accepted by an "accept-proxy" listener,
+  the advertised address will be used. Only TCPv4 and TCPv6 address families
+  are supported. Other families such as Unix sockets, will report an UNKNOWN
+  family. Servers using this option can fully be chained to another instance of
+  haproxy listening with an "accept-proxy" setting. This setting must not be
+  used if the server isn't aware of the protocol. See also the "accept-proxy"
+  option of the "bind" keyword.
+
+  Supported in default-server: No
+
 slowstart <start_time_in_ms>
  The "slowstart" parameter for a server accepts a value in milliseconds which
  indicates after how long a server which has just come back up will run at
--- a/include/types/server.h
+++ b/include/types/server.h
@ -1,23 +1,23 @@
 /*
-  include/types/server.h
-  This file defines everything related to servers.
-
-  Copyright (C) 2000-2009 Willy Tarreau - w@1wt.eu
-  
-  This library is free software; you can redistribute it and/or
-  modify it under the terms of the GNU Lesser General Public
-  License as published by the Free Software Foundation, version 2.1
-  exclusively.
-
-  This library is distributed in the hope that it will be useful,
-  but WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-  Lesser General Public License for more details.
-
-  You should have received a copy of the GNU Lesser General Public
-  License along with this library; if not, write to the Free Software
-  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-*/
+ * include/types/server.h
+ * This file defines everything related to servers.
+ *
+ * Copyright (C) 2000-2011 Willy Tarreau - w@1wt.eu
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation, version 2.1
+ * exclusively.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */

 #ifndef _TYPES_SERVER_H
 #define _TYPES_SERVER_H
@ -53,6 +53,7 @@
 #define SRV_TPROXY_CLI	0x0300	/* bind to the client's IP+port to reach this server */
 #define SRV_TPROXY_DYN	0x0400	/* bind to a dynamically computed non-local address */
 #define SRV_TPROXY_MASK	0x0700	/* bind to a non-local address to reach this server */
+#define SRV_SEND_PROXY	0x0800	/* this server talks the PROXY protocol */

 /* function which act on servers need to return various errors */
 #define SRV_STATUS_OK       0   /* everything is OK. */
--- a/src/backend.c
+++ b/src/backend.c
@ -971,6 +971,14 @@ int connect_server(struct session *s)
 	s->req->cons->connect = tcp_connect_server;
 	copy_target(&s->req->cons->target, &s->target);

+	/* process the case where the server requires the PROXY protocol to be sent */
+	s->req->cons->send_proxy_ofs = 0;
+	if (s->target.type == TARG_TYPE_SERVER && (s->target.ptr.s->state & SRV_SEND_PROXY)) {
+		s->req->cons->send_proxy_ofs = 1; /* must compute size */
+		if (!(s->flags & SN_FRT_ADDR_SET))
+			get_frt_addr(s);
+	}
+
 	assign_tproxy_address(s);

 	err = s->req->cons->connect(s->req->cons);
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@ -4167,6 +4167,10 @@ stats_error_parsing:
 				newsrv->state |= SRV_BACKUP;
 				cur_arg ++;
 			}
+			else if (!defsrv && !strcmp(args[cur_arg], "send-proxy")) {
+				newsrv->state |= SRV_SEND_PROXY;
+				cur_arg ++;
+			}
 			else if (!strcmp(args[cur_arg], "weight")) {
 				int w;
 				w = atol(args[cur_arg + 1]);
@ -4454,7 +4458,7 @@ stats_error_parsing:
 			}
 			else {
 				if (!defsrv)
-					Alert("parsing [%s:%d] : server %s only supports options 'backup', 'cookie', 'redir', 'observer', 'on-error', 'error-limit', 'check', 'disabled', 'track', 'id', 'inter', 'fastinter', 'downinter', 'rise', 'fall', 'addr', 'port', 'source', 'minconn', 'maxconn', 'maxqueue', 'slowstart' and 'weight'.\n",
+					Alert("parsing [%s:%d] : server %s only supports options 'backup', 'cookie', 'redir', 'observer', 'on-error', 'error-limit', 'check', 'disabled', 'track', 'id', 'inter', 'fastinter', 'downinter', 'rise', 'fall', 'addr', 'port', 'source', 'send-proxy', 'minconn', 'maxconn', 'maxqueue', 'slowstart' and 'weight'.\n",
 					      file, linenum, newsrv->id);
 				else
 					Alert("parsing [%s:%d]: default-server only supports options 'on-error', 'error-limit', 'inter', 'fastinter', 'downinter', 'rise', 'fall', 'port', 'minconn', 'maxconn', 'maxqueue', 'slowstart' and 'weight'.\n",