VAULT-6803: fix listener issue if using proxy_protocol_behavior with deny_unauthorized for untrusted upstream connections #27589
var server net.Conn | ||
select { | ||
case <-time.After(3 * time.Second): | ||
case server = <-serverCh: | ||
} |
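Review bot: the `case <-time.After(3 * time.Second):` branch leaves `server` nil, so if the wait times out the test carries on with a nil connection and, unless it checks for nil right after the select, fails later with a nil-pointer panic instead of a clear message; put `t.Fatal("timed out waiting for server connection")` in that case. A fixed 3-second bound can also be tight on a loaded CI runner; since the happy path returns as soon as the connection arrives, a larger bound costs nothing on success and makes the test less flaky.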
Added a timeout to the tests as the forked library now never stops listening until it can return a valid connection.
@@ -72,7 +71,7 @@ func WrapInProxyProto(listener net.Listener, config *ProxyProtoConfig) (net.List | |||
return proxyproto.IGNORE, nil | |||
} | |||
|
|||
return proxyproto.REJECT, errors.New(`upstream connection not trusted proxy_protocol_behavior is "deny_unauthorized"`) | |||
return proxyproto.REJECT, proxyproto.ErrInvalidUpstream |
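Review bot: the human-readable reason (`upstream connection not trusted proxy_protocol_behavior is "deny_unauthorized"`) is dropped in favour of the bare sentinel `proxyproto.ErrInvalidUpstream`, so an operator watching connections get closed loses the one message that explained why. Because the library has to recognise that exact sentinel to keep the listener alive, don't wrap it in a new error; log the upstream address and the reason at debug level just before `return proxyproto.REJECT, proxyproto.ErrInvalidUpstream` instead. A short code comment saying that this specific error value is what keeps the listener listening would also help, since a future change back to `errors.New(...)` would silently reintroduce the bug.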
This is the change that keeps the listener waiting for a valid connection.
https://github.com/peteski22/go-proxyproto/blob/v1.0.0/protocol.go#L85-L88
||
// Support using the forked repository until https://github.com/pires/go-proxyproto/pull/110 merges | ||
// and is released. | ||
replace github.com/pires/go-proxyproto v1.0.0 => github.com/peteski22/go-proxyproto v1.0.0 |
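Review bot: the `replace` directive pins the fork by the tag `v1.0.0`, and a tag on a personal fork can be moved, so go.sum would stop matching without any code change in Vault; pin the fork by its commit pseudo-version (or at least record the commit hash in the comment) so the build resolves one fixed revision. And since a later comment in this thread reports that https://github.com/pires/go-proxyproto/pull/110 has merged and been tagged, the `replace` should be dropped and the upstream release required directly, so a Vault release does not ship a dependency resolved from a fork.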
Info on forked repo tag.
Keep listener listening if upstream connection address is not trusted (but close that connection).
Releases the changes requested on pires's go-proxyproto by pires/go-proxyproto#110.
Bumped to v1.0.0 which doesn't exist as a tag on the maintainer's repo but does on the forked repo. Suspect that if the maintainer accepts the PR and tags it, semver suggests the breaking change to Accept means v1.0.0 is likely.
The change here can now be updated and the replace removed, as the PR was accepted, merged and tagged:
Is it possible to add a test that fails before this change but passes afterwards? I'm not particularly familiar with this area of the code so it would especially help increase my confidence both now and in the future if we could exercise this code path and bug fix in a test
I had been testing this manually using https://github.com/muhtasimmaleque/Vault-docker-listener-bug and Linux Vault binaries I'd built before/after the change.
Sorry, I think I could have worded that better: is it possible to add an automated Go test for this bug? That would also increase confidence if/when we move from the fork that it still works, without needing to re-do the manual testing
This fails before the change, and passes afterwards. Between this and the manual testing steps in the Jira associated with the branch we should be able to prevent a regression and reproduce any issues.
This looks great! Thanks for adding a nice test for this too, it'll help if/when we move from the fork.
Awesome job with this one -- complicated area of code!
Description
This PR corrects an issue introduced when support was added for PROXY v2 on TCP listeners using proxy_protocol_behavior. This issue was introduced in Vault v1.10.0 and has impacted all subsequent versions other than v1.16.x (due to a bug parsing this config setting). Any listener configured to deny_unauthorized will still close a connection when the upstream proxy is untrusted, but it will now continue to listen for connections until a valid one is found. It does this by returning ErrInvalidUpstream to the proxy library.
NOTE: the issue is only present if this config setting proxy_protocol_behavior is enabled and set to deny_unauthorized.
HashiCorp checklist
getting backported to N-2, use the new style backport/ent/x.x.x+ent labels instead of the old style backport/x.x.x labels.
the normal backport/x.x.x label (there should be only 1).
ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature of a public function, even if that change is in a CE file, double check that applying the patch for this PR to the ENT repo and running tests doesn't break any tests. Sometimes ENT only tests rely on public functions in CE files.
in the PR description, commit message, or branch name.
RFC: If this change has an associated RFC, please link it in the description.
ENT PR: If this change has an associated ENT PR, please link it in the description. Also, make sure the changelog is in this PR, not in your ENT PR.
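To make the behaviour in the description concrete, here is an added Go example that is not code from this PR, from Vault or from go-proxyproto: a minimal listener wrapper that applies a deny_unauthorized-style trust check to the address the proxy actually connected from, and runs both shapes of Accept side by side. The pre-fix shape lets the untrusted-upstream error escape to the caller, so a serve loop in the style of http.Server.Serve stops on the first untrusted proxy (a single unauthorized source can take the listener offline); the fixed shape closes that connection and keeps accepting. DenyListener, ErrInvalidUpstream, Scenario and the queue-backed fixture connections are all assumptions constructed for this example; the real fix relies on the library recognising its own proxyproto.ErrInvalidUpstream sentinel, which is only modelled here.

```go
package main

import (
	"errors"
	"io"
	"net"
	"net/netip"
)

// ErrInvalidUpstream stands in for the sentinel the fix hands to the proxy
// library ("close this connection, keep listening"). Assumed name, not the library's.
var ErrInvalidUpstream = errors.New("upstream connection not trusted")

// DenyListener models deny_unauthorized: keep a connection only if the address it
// really came from (the proxy, not the client in the PROXY header) is in Trusted.
// Untrusted ones are always closed; with KeepListening (the fix) Accept then waits
// for the next one, without it (the bug) the error escapes and the accept loop dies.
type DenyListener struct {
	net.Listener
	Trusted       []netip.Prefix
	KeepListening bool
	Rejected      int // untrusted connections closed so far
}

// trusted fails closed: an unparsable source address counts as untrusted.
func (l *DenyListener) trusted(upstream net.Addr) bool {
	ap, err := netip.ParseAddrPort(upstream.String())
	for _, p := range l.Trusted {
		if err == nil && p.Contains(ap.Addr().Unmap()) {
			return true
		}
	}
	return false
}

func (l *DenyListener) Accept() (net.Conn, error) {
	for {
		conn, err := l.Listener.Accept()
		if err != nil {
			return nil, err
		}
		if l.trusted(conn.RemoteAddr()) {
			return conn, nil
		}
		conn.Close()
		l.Rejected++
		if !l.KeepListening {
			return nil, ErrInvalidUpstream
		}
	}
}

// Constructed fixtures: in-memory conns tagged with a fake proxy source address,
// handed out from a fixed queue instead of a real socket.
type addrConn struct {
	net.Conn
	remote net.Addr
}

func (c addrConn) RemoteAddr() net.Addr { return c.remote }

type queueListener struct{ conns []net.Conn }

func (q *queueListener) Accept() (net.Conn, error) {
	if len(q.conns) == 0 {
		return nil, io.EOF
	}
	c := q.conns[0]
	q.conns = q.conns[1:]
	return c, nil
}
func (q *queueListener) Close() error   { return nil }
func (q *queueListener) Addr() net.Addr { return nil }

func connFrom(hostport string) net.Conn {
	c, _ := net.Pipe()
	return addrConn{Conn: c, remote: net.TCPAddrFromAddrPort(netip.MustParseAddrPort(hostport))}
}

// Scenario runs a mix of trusted (10.0.0.0/8) and untrusted (TEST-NET-1) proxy
// sources through the listener in the chosen mode and reports which connections
// reached the server, how many were closed, and whether the serve loop died.
func Scenario(keepListening bool) (served []string, rejected int, err error) {
	l := &DenyListener{
		Listener: &queueListener{conns: []net.Conn{
			connFrom("192.0.2.7:4000"), connFrom("10.1.2.3:4001"),
			connFrom("192.0.2.8:4002"), connFrom("10.1.2.4:4003"),
		}},
		Trusted:       []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
		KeepListening: keepListening,
	}
	// This loop stands in for http.Server.Serve: any Accept error other than the
	// fixture's io.EOF (queue drained) stops the server.
	for {
		conn, aerr := l.Accept()
		if aerr == io.EOF {
			return served, l.Rejected, nil
		} else if aerr != nil {
			return served, l.Rejected, aerr
		}
		served = append(served, conn.RemoteAddr().String())
		conn.Close()
	}
}
```

Scenario(false) serves nothing and returns ErrInvalidUpstream after closing one connection, which is the pre-fix outage; Scenario(true) closes both untrusted connections and still serves the two trusted ones. The untrusted connection is closed in both modes, so the fix changes only whether the listener survives, not what an unauthorized proxy can reach.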