From 3f94f6d0e7743b9278cfaebd2896fb6c7fbb3c63 Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Sat, 20 May 2023 16:08:57 +0200
Subject: [PATCH] proxy protocol: fix require policy in some edge cases
Signed-off-by: Nicola Murino
---
 go.mod | 2 +-
 go.sum | 4 ++--
 internal/common/common.go | 3 +++
 internal/common/common_test.go | 13 +++++++++++++
 4 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 819d16c2a..a8c63bbc2 100644
--- a/go.mod
+++ b/go.mod
@@ -36,7 +36,7 @@ require (
 github.com/hashicorp/go-hclog v1.5.0
 github.com/hashicorp/go-plugin v1.4.10-0.20230403150917-e889c1ba1044
 github.com/hashicorp/go-retryablehttp v0.7.2
- github.com/jackc/pgx/v5 v5.3.2-0.20230428020358-f59e8bf5551f
+ github.com/jackc/pgx/v5 v5.3.2-0.20230520130935-9de41fac7533
 github.com/jlaffaye/ftp v0.0.0-20201112195030-9aae4d151126
 github.com/klauspost/compress v1.16.5
 github.com/lestrrat-go/jwx/v2 v2.0.9
diff --git a/go.sum b/go.sum
index f1d303d44..8bea77513 100644
--- a/go.sum
+++ b/go.sum
@@ -1394,8 +1394,8 @@ github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9 github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc= github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs= github.com/jackc/pgx/v4 v4.17.2/go.mod h1:lcxIZN44yMIrWI78a5CpucdD14hX0SBDbNRvjDBItsw= -github.com/jackc/pgx/v5 v5.3.2-0.20230428020358-f59e8bf5551f h1:fs2GT/BQiXFnpvTQZK2tHLyw6ZoQQh0/5w8x/Lri7Jk= -github.com/jackc/pgx/v5 v5.3.2-0.20230428020358-f59e8bf5551f/go.mod h1:sU+RaYl9qnhD3Ce+mwnFii6YEPx70mCYghBzKvqq4qo= +github.com/jackc/pgx/v5 v5.3.2-0.20230520130935-9de41fac7533 h1:xro2Upd4gLZnXU07yOPkL3AYEOt3gnXtU10LY+N2+nc= +github.com/jackc/pgx/v5 v5.3.2-0.20230520130935-9de41fac7533/go.mod h1:sU+RaYl9qnhD3Ce+mwnFii6YEPx70mCYghBzKvqq4qo= github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
diff --git a/internal/common/common.go b/internal/common/common.go
index b9c9794a7..22f85a333 100644
--- a/internal/common/common.go
+++ b/internal/common/common.go
@@ -802,6 +802,9 @@ func getProxyPolicy(allowed, skipped []func(net.IP) bool, def proxyproto.Policy)
 for _, allowFrom := range allowed {
 if allowFrom(upstreamIP) {
+ if def == proxyproto.REQUIRE {
+ return proxyproto.REQUIRE, nil
+ }
 return proxyproto.USE, nil
 }
 }
diff --git a/internal/common/common_test.go b/internal/common/common_test.go
index cbb311d8d..8a4ce4ca9 100644
--- a/internal/common/common_test.go
+++ b/internal/common/common_test.go
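Review bot: In internal/common/common.go, the added `if def == proxyproto.REQUIRE` branch gives an allow-listed upstream the same policy an unlisted one appears to get, so under REQUIRE the `allowed` list may no longer decide whose PROXY header is trusted. The fall-through after this loop is outside the hunk, but the new test in common_test.go expects REQUIRE for 10.8.1.5, which looks like an address in neither list. If so, any non-skipped peer can supply the header, and the client address it declares would then feed IP-based access rules, rate limiting and logs. If that is not intended, the fall-through should not honour headers from upstreams outside a non-empty `allowed` list when the default is REQUIRE. If it is intended, state it above the new branch, e.g. `// REQUIRE: allow-listed upstreams must send the header; unlisted upstreams get the default policy below`.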
@@ -1012,6 +1012,19 @@ func TestProxyPolicy(t *testing.T) {
 policy, err = p(&net.TCPAddr{IP: net.ParseIP("10.8.1.4")})
 assert.NoError(t, err)
 assert.Equal(t, proxyproto.IGNORE, policy)
+ p = getProxyPolicy(allowed, skipped, proxyproto.REQUIRE)
+ policy, err = p(&net.TCPAddr{IP: ip1})
+ assert.NoError(t, err)
+ assert.Equal(t, proxyproto.REQUIRE, policy)
+ policy, err = p(&net.TCPAddr{IP: ip2})
+ assert.NoError(t, err)
+ assert.Equal(t, proxyproto.SKIP, policy)
+ policy, err = p(&net.TCPAddr{IP: ip3})
+ assert.NoError(t, err)
+ assert.Equal(t, proxyproto.SKIP, policy)
+ policy, err = p(&net.TCPAddr{IP: net.ParseIP("10.8.1.5")})
+ assert.NoError(t, err)
+ assert.Equal(t, proxyproto.REQUIRE, policy)
 }
 func TestProxyProtocolVersion(t *testing.T) {