@viktorerlingsson viktorerlingsson commented Jan 9, 2026

Summary

  • Add proxy_protocol_trusted_sources config option to specify trusted proxy IPs
  • Only parse PROXY protocol headers from connections originating from trusted sources
  • Connections from untrusted sources have their PROXY headers ignored (uses actual socket IP)
  • Logs warning if proxy protocol enabled without trusted sources configured

This follows the HAProxy proxy protocol specification recommendation to verify that proxy protocol traffic comes from trusted sources, preventing IP spoofing attacks.

Configuration

[amqp]
tcp_proxy_protocol = 1
proxy_protocol_trusted_sources = 10.0.0.1, 10.0.0.2

🤖 Generated with Claude Code

Only parse PROXY protocol headers from connections originating from
configured trusted source IPs. Connections from untrusted sources
have their PROXY headers ignored and use the actual socket IP.

This follows the HAProxy proxy protocol specification recommendation
to verify that proxy protocol traffic comes from trusted sources.

Configuration:
  [amqp]
  tcp_proxy_protocol = 1
  proxy_protocol_trusted_sources = 10.0.0.1, 10.0.0.2

Co-Authored-By: Claude Opus 4.5 <[email protected]>

@viktorerlingsson viktorerlingsson marked this pull request as ready for review January 9, 2026 14:43
@viktorerlingsson viktorerlingsson requested a review from a team as a code owner January 9, 2026 14:43

Extends proxy_protocol_trusted_sources config to support CIDR notation (e.g., 192.168.0.0/24, 2001:db8::/32) alongside exact IP addresses. Creates IPMatcher struct optimized for the common case of exact IP matching while supporting flexible network range specifications.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
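
The trust check described in this pull request, as an added Python example that is not code from the PR or its project: a PROXY v1 header is honored only when the socket peer matches the trusted list (exact IPs or CIDR ranges). `TrustedSources`, `parse_v1_source` and `effective_client_ip` are hypothetical names, the sample addresses are constructed, and falling back to the socket IP when a trusted peer sends a malformed header is this example's choice.

```python
import ipaddress


class TrustedSources:
    """Hypothetical matcher: exact IPs in a set, CIDR ranges in a list."""

    def __init__(self, spec):
        self.exact, self.networks = set(), []
        for item in filter(None, (s.strip() for s in spec.split(","))):
            if "/" in item:
                self.networks.append(ipaddress.ip_network(item))
            else:
                self.exact.add(ipaddress.ip_address(item))

    def __contains__(self, peer_ip):
        ip = ipaddress.ip_address(peer_ip)
        return ip in self.exact or any(ip in net for net in self.networks)


def parse_v1_source(line):
    """Return the source IP claimed by a PROXY v1 line, or None if invalid."""
    if len(line) > 107 or not (line.startswith(b"PROXY ") and line.endswith(b"\r\n")):
        return None
    parts = line[:-2].decode("ascii", "replace").split(" ")
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        return None  # also covers "PROXY UNKNOWN": no usable address
    try:
        src = ipaddress.ip_address(parts[2])
    except ValueError:
        return None
    # The address family must agree with the declared protocol (TCP4/TCP6).
    return str(src) if src.version == int(parts[1][3]) else None


def effective_client_ip(peer_ip, first_line, trusted):
    """Honor the PROXY header only when the socket peer is a trusted proxy."""
    if peer_ip not in trusted:
        return peer_ip  # header ignored: use the actual socket address
    # Assumption of this example: a bad header from a trusted peer falls back.
    return parse_v1_source(first_line) or peer_ip


# Constructed sample input (documentation and private address ranges).
TRUSTED = TrustedSources("10.0.0.1, 10.0.0.2, 192.168.0.0/24, 2001:db8::/32")
HEADER = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 5672\r\n"

if __name__ == "__main__":
    for peer in ("10.0.0.1", "192.168.0.77", "198.51.100.9"):
        print(peer, "->", effective_client_ip(peer, HEADER, TRUSTED))
```

The third peer is outside the trusted list, so the address it claims in the header is discarded and the connection is attributed to its real socket IP.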