Fix Request.isSecure() when proxy offloads TLS and then sends PROXY-V2 information to the backend #14194
Conversation
…2 information to the backend Signed-off-by: Ludovic Orban <lorban@bitronix.be>
* Added test to show how to forward V2.Tag information in ProxyHandler.Reverse. Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
| } | ||
|
|
||
| proxyEndPoint = new ProxyEndPoint(endPoint, local, remote, tlvs, client == 0 ? null : EndPoint.SslSessionData.from(null, null, sslCipher, null)); | ||
| proxyEndPoint = new ProxyEndPoint(endPoint, local, remote, tlvs, (client & PP2_CLIENT_SSL) == 0 ? null : EndPoint.SslSessionData.from(null, null, sslCipher, null)); |
There was a problem hiding this comment.
I think this should be reverted, because client == 2 or client == 4 also mean that the connection was secured.
| public static final int TYPE_SSL = 0x20; | ||
| public static final int CLIENT_SSL = 0x01; | ||
| public static final int SUBTYPE_SSL_VERSION = 0x21; | ||
| public static final int SUBTYPE_SSL_CIPHER = 0x23; |
There was a problem hiding this comment.
Those constants are already declared in ProxyV2ConnectionFactory although private. If we have to duplicate them, I'd very much prefer that the duplication is in test code.
I'm also not fond of the fact that those constant names don't exactly match the ones defined in the spec (all the same but with the PP2_ prefix).
|
|
||
| List<V2.Tag.TLV> tlvs = List.of(); | ||
| if (secure) | ||
| tlvs = List.of(new V2.Tag.TLV(V2.Tag.TLV.TYPE_SSL, new byte[]{V2.Tag.TLV.CLIENT_SSL})); |
There was a problem hiding this comment.
My version used to test both 1 (PP2_CLIENT_SSL) and 2 (PP2_CLIENT_CERT_CONN) as the PROXY protocol specification chapter 2.2.6 (The PP2_TYPE_SSL type and subtypes) states that the client connected over SSL/TLS only when PP2_CLIENT_SSL (bit 0) is 1.
* Renamed constants adding PP2_ prefix as per the specification. * Improved test case. Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
2 participants
Fixes #14134