@antondalgren
Contributor

WHAT is this pull request doing?

Remove the tcp_proxy_protocol and unix_proxy_protocol config options. Instead, automatically detect proxy protocol by peeking at the first bytes of incoming connections:

  • V1: starts with "PROXY " text
  • V2: starts with 12-byte binary signature

This simplifies configuration and allows mixed V1/V2 connections without requiring users to know which version their load balancer uses.

HOW can this pull request be tested?

Specs

Remove the tcp_proxy_protocol and unix_proxy_protocol config options.
Instead, automatically detect proxy protocol by peeking at the first
bytes of incoming connections:
- V1: starts with "PROXY " text
- V2: starts with 12-byte binary signature

This simplifies configuration and allows mixed V1/V2 connections
without requiring users to know which version their load balancer uses.

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@antondalgren antondalgren requested a review from a team as a code owner January 8, 2026 13:57
Test is not valid anymore since we are now allowing any connection to use ProxyProtocol if it wants to.
@dentarg
Member

dentarg commented Jan 8, 2026

Is removing the config options graceful, e.g. nothing happens if you still have them in the config with this?

Should we warn about unknown options in the config? So users can be aware and clean up cruft if they want to (you should also be able to silence such warnings)

@viktorerlingsson
Member

> Is removing the config options graceful, e.g. nothing happens if you still have them in the config with this?
>
> Should we warn about unknown options in the config? So users can be aware and clean up cruft if they want to (you should also be able to silence such warnings)

Yes, removing options is OK. You get a warning when starting LavinMQ if you have them in your config: WARNING: Unrecognized configuration 'amqp/tcp_proxy_protocol'.

@viktorerlingsson
Member

I'm thinking there might be some security concerns with always allowing PROXY protocol? Maybe we should keep the tcp_proxy_protocol & unix_proxy_protocol settings, but just as true/false. And use the automatic detection if it's V1/V2 from this PR.

@carlhoerberg
Member

Yes, like Viktor says, proxy protocol should not be auto detected as per spec: https://github.com/haproxy/haproxy/blob/dbe52cc23e7fa15c6621e4b46896858b55f351fd/doc/proxy-protocol.txt#L865

We don't do IP based authentication much, but we do with the guest loopback thing, and could potentially add something more in the future and then forget about this.
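
The concern raised in the last two comments, as an added Ruby example (not LavinMQ code and not part of this pull request): it compares unconditional auto-detection with the alternative suggested in the thread, a per-listener true/false setting combined with automatic V1/V2 version detection. The function names, the `trust_proxy` flag and the sample bytes are assumptions made for illustration; the parser handles V1 TCP4/TCP6 and the V2 PROXY command over TCP/IPv4.

```ruby
# Added illustration (Ruby), not LavinMQ code; all names are hypothetical.
V1_PREFIX    = "PROXY ".b
V2_SIGNATURE = "\r\n\r\n\x00\r\nQUIT\n".b # the 12-byte V2 signature

# Version detection on the peeked leading bytes, as the PR describes.
def proxy_version(peeked)
  data = peeked.b
  return :v2 if data.start_with?(V2_SIGNATURE)
  return :v1 if data.start_with?(V1_PREFIX)
  nil
end

# Source address claimed by the header (V1 TCP4/TCP6, V2 PROXY over TCP/IPv4).
def claimed_source(peeked)
  data = peeked.b
  case proxy_version(data)
  when :v1
    line = data[/\A[^\r\n]{1,105}\r\n/] or return nil
    _, proto, src = line.split(" ")
    %w[TCP4 TCP6].include?(proto) ? src : nil
  when :v2
    return nil if data.bytesize < 28
    ver_cmd, family, len = data.byteslice(12, 4).unpack("CCn")
    return nil unless ver_cmd == 0x21 && family == 0x11 && len >= 12
    data.byteslice(16, 4).bytes.join(".")
  end
end

# Address that IP-based checks (e.g. the guest loopback rule) may rely on.
# trust_proxy is the per-listener true/false setting proposed in the thread.
def effective_peer(peeked, socket_peer, trust_proxy:)
  # Listener not behind a proxy: a header is never honoured, so a client
  # cannot choose its own address. The bytes go to the protocol parser as-is.
  return socket_peer unless trust_proxy
  # Listener behind a proxy: the header is mandatory; no guessing either way.
  claimed_source(peeked) or raise ArgumentError, "valid PROXY header required"
end

# What unconditional auto-detection would do: believe whoever sends a header.
def auto_detect_peer(peeked, socket_peer)
  claimed_source(peeked) || socket_peer
end

# Constructed sample input: a client at 203.0.113.7 claiming to be loopback.
SPOOFED_V1 = "PROXY TCP4 127.0.0.1 10.0.0.5 40000 5672\r\nAMQP\x00\x00\x09\x01".b
SPOOFED_V2 = (V2_SIGNATURE + [0x21, 0x11, 12].pack("CCn") +
              [127, 0, 0, 1, 10, 0, 0, 5].pack("C8") + [40000, 5672].pack("nn")).b
AMQP_ONLY  = "AMQP\x00\x00\x09\x01".b
```

With the flag off, the header bytes are left in the stream, so the connection fails the normal protocol handshake instead of changing the peer address.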
