mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-14 18:47:01 +02:00
0b12cdcfd1
* Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License. Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUS-1.1 * Fix test that expected exact offset on hcl file --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: Sarah Thompson <sthompson@hashicorp.com> Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
84 lines
2.1 KiB
Go
84 lines
2.1 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package proxyutil
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/hashicorp/go-secure-stdlib/parseutil"
|
|
sockaddr "github.com/hashicorp/go-sockaddr"
|
|
proxyproto "github.com/pires/go-proxyproto"
|
|
)
|
|
|
|
// ProxyProtoConfig contains configuration for the PROXY protocol
|
|
type ProxyProtoConfig struct {
|
|
sync.RWMutex
|
|
Behavior string
|
|
AuthorizedAddrs []*sockaddr.SockAddrMarshaler `json:"authorized_addrs"`
|
|
}
|
|
|
|
func (p *ProxyProtoConfig) SetAuthorizedAddrs(addrs interface{}) error {
|
|
aa, err := parseutil.ParseAddrs(addrs)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
p.AuthorizedAddrs = aa
|
|
return nil
|
|
}
|
|
|
|
// WrapInProxyProto wraps the given listener in the PROXY protocol. If behavior
|
|
// is "use_if_authorized" or "deny_if_unauthorized" it also configures a
|
|
// SourceCheck based on the given ProxyProtoConfig. In an error case it returns
|
|
// the original listener and the error.
|
|
func WrapInProxyProto(listener net.Listener, config *ProxyProtoConfig) (net.Listener, error) {
|
|
config.Lock()
|
|
defer config.Unlock()
|
|
|
|
var newLn *proxyproto.Listener
|
|
|
|
switch config.Behavior {
|
|
case "use_always":
|
|
newLn = &proxyproto.Listener{
|
|
Listener: listener,
|
|
ReadHeaderTimeout: 10 * time.Second,
|
|
}
|
|
|
|
case "allow_authorized", "deny_unauthorized":
|
|
newLn = &proxyproto.Listener{
|
|
Listener: listener,
|
|
ReadHeaderTimeout: 10 * time.Second,
|
|
Policy: func(addr net.Addr) (proxyproto.Policy, error) {
|
|
config.RLock()
|
|
defer config.RUnlock()
|
|
|
|
sa, err := sockaddr.NewSockAddr(addr.String())
|
|
if err != nil {
|
|
return proxyproto.REJECT, fmt.Errorf("error parsing remote address: %w", err)
|
|
}
|
|
|
|
for _, authorizedAddr := range config.AuthorizedAddrs {
|
|
if authorizedAddr.Contains(sa) {
|
|
return proxyproto.USE, nil
|
|
}
|
|
}
|
|
|
|
if config.Behavior == "allow_authorized" {
|
|
return proxyproto.IGNORE, nil
|
|
}
|
|
|
|
return proxyproto.REJECT, errors.New(`upstream connection not trusted proxy_protocol_behavior is "deny_unauthorized"`)
|
|
},
|
|
}
|
|
default:
|
|
return listener, fmt.Errorf("unknown behavior type for proxy proto config")
|
|
}
|
|
|
|
return newLn, nil
|
|
}
|