From d678d337561251cedd7cd9d7793e5e6b70f9fa3e Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 20 Jul 2021 11:03:09 +0200
Subject: [PATCH] root: add support for PROXY protocol on listeners

closes #1161

Signed-off-by: Jens Langhammer
---
 go.mod | 1 +
 go.sum | 2 ++
 internal/outpost/ldap/api.go | 20 +++++++++++++++++++-
 internal/outpost/proxy/server_https.go | 12 ++++++++++--
 internal/web/web.go | 6 +++++-
 internal/web/web_ssl.go | 6 +++++-
 6 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/go.mod b/go.mod
index 513ad31f8..592154340 100644
--- a/go.mod
+++ b/go.mod
@@ -29,6 +29,7 @@ require (
 github.com/nmcclain/ldap v0.0.0-20191021200707-3b3b69a7e9e3
 github.com/oauth2-proxy/oauth2-proxy v0.0.0-20200831161845-e4e5580852dc
 github.com/pelletier/go-toml v1.9.1 // indirect
+ github.com/pires/go-proxyproto v0.6.0 // indirect
 github.com/pkg/errors v0.9.1
 github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac // indirect
 github.com/recws-org/recws v1.3.1
diff --git a/go.sum b/go.sum
index 618434c9a..57e0f1955 100644
--- a/go.sum
+++ b/go.sum
@@ -528,6 +528,8 @@ github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUM
 github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
 github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
+github.com/pires/go-proxyproto v0.6.0 h1:cLJUPnuQdiNf7P/wbeOKmM1khVdaMgTFDLj8h9ZrVYk=
+github.com/pires/go-proxyproto v0.6.0/go.mod h1:Odh9VFOZJCf9G8cLW5o435Xf1J95Jw9Gw5rnCjcwzAY=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
diff --git a/internal/outpost/ldap/api.go b/internal/outpost/ldap/api.go
index c49455c99..f876fa76c 100644
--- a/internal/outpost/ldap/api.go
+++ b/internal/outpost/ldap/api.go
@@ -5,11 +5,13 @@ import (
 "crypto/tls"
 "errors"
 "fmt"
+ "net"
 "net/http"
 "strings"
 "sync"

 "github.com/go-openapi/strfmt"
+ "github.com/pires/go-proxyproto"
 log "github.com/sirupsen/logrus"
 "goauthentik.io/internal/outpost/ak"
 )
@@ -70,7 +72,20 @@ func (ls *LDAPServer) StartHTTPServer() error {
 func (ls *LDAPServer) StartLDAPServer() error {
 listen := "0.0.0.0:3389"
+
+ ln, err := net.Listen("tcp", listen)
+ if err != nil {
+ ls.log.Fatalf("FATAL: listen (%s) failed - %s", listen, err)
+ }
+ proxyListener := &proxyproto.Listener{Listener: ln}
+ defer proxyListener.Close()
+
 ls.log.WithField("listen", listen).Info("Starting ldap server")
+ err = ls.s.Serve(proxyListener)
+ if err != nil {
+ return err
+ }
+ ls.log.Printf("closing %s", ln.Addr())
 return ls.s.ListenAndServe(listen)
 }
@@ -86,8 +101,11 @@ func (ls *LDAPServer) StartLDAPTLSServer() error {
 if err != nil {
 ls.log.Fatalf("FATAL: listen (%s) failed - %s", listen, err)
 }
+ proxyListener := &proxyproto.Listener{Listener: ln}
+ defer proxyListener.Close()
+
 ls.log.WithField("listen", listen).Info("Starting ldap tls server")
- err = ls.s.Serve(ln)
+ err = ls.s.Serve(proxyListener)
 if err != nil {
 return err
 }
diff --git a/internal/outpost/proxy/server_https.go b/internal/outpost/proxy/server_https.go
index 8c47a3b6a..304baa0f2 100644
--- a/internal/outpost/proxy/server_https.go
+++ b/internal/outpost/proxy/server_https.go
@@ -4,6 +4,8 @@ import (
 "crypto/tls"
 "net"
 "sync"
+
+ "github.com/pires/go-proxyproto"
 )

 // ServeHTTP constructs a net.Listener and starts handling HTTP requests
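Review bot: `return ls.s.ListenAndServe(listen)` at the end of StartLDAPServer is left over from the old body: once `ls.s.Serve(proxyListener)` returns nil the function logs "closing" and then tries to bind 0.0.0.0:3389 a second time, so that line should be `return nil`. The new listener is also built as `&proxyproto.Listener{Listener: ln}` with no `Policy`, so any client that can reach the port may send a PROXY header and choose the source address the server sees, which matters wherever the remote address feeds logs, rate limits or access decisions; the same applies to the wrappers in StartLDAPTLSServer, ServeHTTP/ServeHTTPS (server_https.go), listenPlain (web.go) and listenTLS (web_ssl.go). A `Policy` that only honours the header from trusted upstream addresses, or a configuration switch that keeps the plain listener when no proxy is in front, would close this. The go.mod entry is additionally tagged `// indirect` although the package is now imported directly; `go mod tidy` would drop the marker.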
@@ -13,8 +15,11 @@ func (s *Server) ServeHTTP() {
 if err != nil {
 s.logger.Fatalf("FATAL: listen (%s) failed - %s", listenAddress, err)
 }
+ proxyListener := &proxyproto.Listener{Listener: listener}
+ defer proxyListener.Close()
+
 s.logger.Printf("listening on %s", listener.Addr())
- s.serve(listener)
+ s.serve(proxyListener)
 s.logger.Printf("closing %s", listener.Addr())
 }
@@ -46,7 +51,10 @@ func (s *Server) ServeHTTPS() {
 }
 s.logger.Printf("listening on %s", ln.Addr())
- tlsListener := tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, config)
+ proxyListener := &proxyproto.Listener{Listener: tcpKeepAliveListener{ln.(*net.TCPListener)}}
+ defer proxyListener.Close()
+
+ tlsListener := tls.NewListener(proxyListener, config)
 s.serve(tlsListener)
 s.logger.Printf("closing %s", tlsListener.Addr())
 }
diff --git a/internal/web/web.go b/internal/web/web.go
index cdc36042b..f145b1f0c 100644
--- a/internal/web/web.go
+++ b/internal/web/web.go
@@ -8,6 +8,7 @@ import (
 "github.com/gorilla/handlers"
 "github.com/gorilla/mux"
+ "github.com/pires/go-proxyproto"
 log "github.com/sirupsen/logrus"
 "goauthentik.io/internal/config"
 )
@@ -63,7 +64,10 @@ func (ws *WebServer) listenPlain() {
 }
 ws.log.WithField("addr", config.G.Web.Listen).Info("Running")
- ws.serve(ln)
+ proxyListener := &proxyproto.Listener{Listener: ln}
+ defer proxyListener.Close()
+
+ ws.serve(proxyListener)
 ws.log.WithField("addr", config.G.Web.Listen).Info("Running")
 err = http.ListenAndServe(config.G.Web.Listen, ws.m)
diff --git a/internal/web/web_ssl.go b/internal/web/web_ssl.go
index 8c90c4019..ff6d0b455 100644
--- a/internal/web/web_ssl.go
+++ b/internal/web/web_ssl.go
@@ -4,6 +4,7 @@ import (
 "crypto/tls"
 "net"

+ "github.com/pires/go-proxyproto"
 "goauthentik.io/internal/config"
 "goauthentik.io/internal/crypto"
 )
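Review bot: After `ws.serve(proxyListener)` returns, listenPlain still falls through to the pre-existing `err = http.ListenAndServe(config.G.Web.Listen, ws.m)` on the same address, so the PROXY-aware listener is presumably replaced by a plain one for the rest of the process lifetime; the second `Info("Running")` on the line before it looks like part of the same leftover. Since this commit reworks the function's listener setup, dropping that tail (or returning right after `ws.serve`) belongs here. listenPlain's body begins and ends outside the hunk, so the surrounding error handling should be checked alongside.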
@@ -27,7 +28,10 @@ func (ws *WebServer) listenTLS() {
 }
 ws.log.WithField("addr", config.G.Web.ListenTLS).Info("Running")
- tlsListener := tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, tlsConfig)
+ proxyListener := &proxyproto.Listener{Listener: tcpKeepAliveListener{ln.(*net.TCPListener)}}
+ defer proxyListener.Close()
+
+ tlsListener := tls.NewListener(proxyListener, tlsConfig)
 ws.serve(tlsListener)
 ws.log.Printf("closing %s", tlsListener.Addr())
 }