[PATCH] Avoiding mixed socket families in PROXY protocol v1 (ticket #2594)

Maxim Dounin mdounin at mdounin.ru
Mon Jan 22 11:59:21 UTC 2024


Hello!

On Mon, Jan 22, 2024 at 02:49:54PM +0400, Roman Arutyunyan wrote:

> # HG changeset patch
> # User Roman Arutyunyan <arut at nginx.com>
> # Date 1705916128 -14400
> #      Mon Jan 22 13:35:28 2024 +0400
> # Node ID 2f12c929527b2337c15ef99d3a4dc97819b61fbd
> # Parent  ee40e2b1d0833b46128a357fbc84c6e23be9be07
> Avoiding mixed socket families in PROXY protocol v1 (ticket #2594).
> 
> When using realip module, remote and local addreses of a connection can belong
> to different address families.  This previously resulted in generating PROXY
> protocol headers like this:
> 
>   PROXY TCP4 127.0.0.1 unix:/tmp/nginx1.sock 55544 0
> 
> The PROXY protocol v1 specification does not allow mixed families.  The change
> will generate the unknown PROXY protocol header in this case:
> 
>   PROXY UNKNOWN
> 
> Also, the above mentioned format for unix socket address is not specified in
> PROXY protocol v1 and is a by-product of internal nginx representation of it.
> The change eliminates such addresses from  PROXY protocol headers as well.

Nitpicking: double space in "from  PROXY".

This change will essentially disable use of PROXY protocol in such 
configurations.  While it is probably good enough from formal 
point of view, and better that what we have now, this might still 
be a surprise, especially when multiple address families are used 
on the original proxy server, and the configuration works for some 
of them, but not for others.

Wouldn't it be better to remember if the PROXY protocol was used 
to set the address, and use $proxy_protocol_server_addr / 
$proxy_protocol_server_port in this case?

Alternatively, we can use some dummy server address instead, so 
the client address will be still sent.

-- 
Maxim Dounin
http://mdounin.ru/


More information about the nginx-devel mailing list