proxy protocol: fix require policy in some edge cases

Signed-off-by: Nicola Murino <[email protected]>
drakkan · May 20, 2023 · 3f94f6d · 3f94f6d
1 parent d28a53a
commit 3f94f6d
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 3 deletions.
diff --git a/go.mod b/go.mod
@@ -36,7 +36,7 @@ require (
 	github.com/hashicorp/go-hclog v1.5.0
 	github.com/hashicorp/go-plugin v1.4.10-0.20230403150917-e889c1ba1044
 	github.com/hashicorp/go-retryablehttp v0.7.2
-	github.com/jackc/pgx/v5 v5.3.2-0.20230428020358-f59e8bf5551f
+	github.com/jackc/pgx/v5 v5.3.2-0.20230520130935-9de41fac7533
 	github.com/jlaffaye/ftp v0.0.0-20201112195030-9aae4d151126
 	github.com/klauspost/compress v1.16.5
 	github.com/lestrrat-go/jwx/v2 v2.0.9

diff --git a/go.sum b/go.sum
@@ -1394,8 +1394,8 @@ github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9
 github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc=
 github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs=
 github.com/jackc/pgx/v4 v4.17.2/go.mod h1:lcxIZN44yMIrWI78a5CpucdD14hX0SBDbNRvjDBItsw=
-github.com/jackc/pgx/v5 v5.3.2-0.20230428020358-f59e8bf5551f h1:fs2GT/BQiXFnpvTQZK2tHLyw6ZoQQh0/5w8x/Lri7Jk=
-github.com/jackc/pgx/v5 v5.3.2-0.20230428020358-f59e8bf5551f/go.mod h1:sU+RaYl9qnhD3Ce+mwnFii6YEPx70mCYghBzKvqq4qo=
+github.com/jackc/pgx/v5 v5.3.2-0.20230520130935-9de41fac7533 h1:xro2Upd4gLZnXU07yOPkL3AYEOt3gnXtU10LY+N2+nc=
+github.com/jackc/pgx/v5 v5.3.2-0.20230520130935-9de41fac7533/go.mod h1:sU+RaYl9qnhD3Ce+mwnFii6YEPx70mCYghBzKvqq4qo=
 github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=

diff --git a/internal/common/common.go b/internal/common/common.go
@@ -802,6 +802,9 @@ func getProxyPolicy(allowed, skipped []func(net.IP) bool, def proxyproto.Policy)
 
 		for _, allowFrom := range allowed {
 			if allowFrom(upstreamIP) {
+				if def == proxyproto.REQUIRE {
+					return proxyproto.REQUIRE, nil
+				}
 				return proxyproto.USE, nil
 			}
 		}

diff --git a/internal/common/common_test.go b/internal/common/common_test.go
@@ -1012,6 +1012,19 @@ func TestProxyPolicy(t *testing.T) {
 	policy, err = p(&net.TCPAddr{IP: net.ParseIP("10.8.1.4")})
 	assert.NoError(t, err)
 	assert.Equal(t, proxyproto.IGNORE, policy)
+	p = getProxyPolicy(allowed, skipped, proxyproto.REQUIRE)
+	policy, err = p(&net.TCPAddr{IP: ip1})
+	assert.NoError(t, err)
+	assert.Equal(t, proxyproto.REQUIRE, policy)
+	policy, err = p(&net.TCPAddr{IP: ip2})
+	assert.NoError(t, err)
+	assert.Equal(t, proxyproto.SKIP, policy)
+	policy, err = p(&net.TCPAddr{IP: ip3})
+	assert.NoError(t, err)
+	assert.Equal(t, proxyproto.SKIP, policy)
+	policy, err = p(&net.TCPAddr{IP: net.ParseIP("10.8.1.5")})
+	assert.NoError(t, err)
+	assert.Equal(t, proxyproto.REQUIRE, policy)
 }
 
 func TestProxyProtocolVersion(t *testing.T) {