add support for proxy protocol on HTTP listener (#1777)

* add support for proxy protocol on HTTP listener * rename option, add doc
2025-08-03 16:59:22 +02:00 · 2021-01-19 05:56:58 -07:00 · 2021-01-19 05:56:58 -07:00 · 09747aa3ba
commit 09747aa3ba
parent 10912add67
5 changed files with 75 additions and 12 deletions
--- a/internal/controlplane/xds_listeners.go
+++ b/internal/controlplane/xds_listeners.go
@ -12,6 +12,7 @@ import (
 	envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
 	envoy_extensions_filters_http_ext_authz_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3"
 	envoy_extensions_filters_http_lua_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/lua/v3"
+	envoy_extensions_filters_listener_proxy_protocol_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/proxy_protocol/v3"
 	envoy_http_connection_manager "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	envoy_extensions_transport_sockets_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
 	envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
@ -52,13 +53,25 @@ func (srv *Server) buildListeners(options *config.Options) []*envoy_config_liste
 }

 func (srv *Server) buildMainListener(options *config.Options) *envoy_config_listener_v3.Listener {
+	listenerFilters := []*envoy_config_listener_v3.ListenerFilter{}
+	if options.UseProxyProtocol {
+		proxyCfg := marshalAny(&envoy_extensions_filters_listener_proxy_protocol_v3.ProxyProtocol{})
+		listenerFilters = append(listenerFilters, &envoy_config_listener_v3.ListenerFilter{
+			Name: "envoy.filters.listener.proxy_protocol",
+			ConfigType: &envoy_config_listener_v3.ListenerFilter_TypedConfig{
+				TypedConfig: proxyCfg,
+			},
+		})
+	}
+
 	if options.InsecureServer {
 		filter := buildMainHTTPConnectionManagerFilter(options,
 			getAllRouteableDomains(options, options.Addr))

 		return &envoy_config_listener_v3.Listener{
-			Name:    "http-ingress",
-			Address: buildAddress(options.Addr, 80),
+			Name:            "http-ingress",
+			Address:         buildAddress(options.Addr, 80),
+			ListenerFilters: listenerFilters,
 			FilterChains: []*envoy_config_listener_v3.FilterChain{{
 				Filters: []*envoy_config_listener_v3.Filter{
 					filter,
@ -68,15 +81,17 @@ func (srv *Server) buildMainListener(options *config.Options) *envoy_config_list
 	}

 	tlsInspectorCfg := marshalAny(new(emptypb.Empty))
+	listenerFilters = append(listenerFilters, &envoy_config_listener_v3.ListenerFilter{
+		Name: "envoy.filters.listener.tls_inspector",
+		ConfigType: &envoy_config_listener_v3.ListenerFilter_TypedConfig{
+			TypedConfig: tlsInspectorCfg,
+		},
+	})
+
 	li := &envoy_config_listener_v3.Listener{
-		Name:    "https-ingress",
-		Address: buildAddress(options.Addr, 443),
-		ListenerFilters: []*envoy_config_listener_v3.ListenerFilter{{
-			Name: "envoy.filters.listener.tls_inspector",
-			ConfigType: &envoy_config_listener_v3.ListenerFilter_TypedConfig{
-				TypedConfig: tlsInspectorCfg,
-			},
-		}},
+		Name:            "https-ingress",
+		Address:         buildAddress(options.Addr, 443),
+		ListenerFilters: listenerFilters,
 		FilterChains: buildFilterChains(options, options.Addr,
 			func(tlsDomain string, httpDomains []string) *envoy_config_listener_v3.FilterChain {
 				filter := buildMainHTTPConnectionManagerFilter(options, httpDomains)
--- a/internal/controlplane/xds_listeners_test.go
+++ b/internal/controlplane/xds_listeners_test.go
@ -10,6 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"

 	"github.com/pomerium/pomerium/config"
+	"github.com/pomerium/pomerium/internal/controlplane/filemgr"
 	"github.com/pomerium/pomerium/internal/testutil"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 )
@ -500,3 +501,30 @@ func Test_buildRouteConfiguration(t *testing.T) {
 	assert.Equal(t, virtualHosts, routeConfig.GetVirtualHosts())
 	assert.False(t, routeConfig.GetValidateClusters().GetValue())
 }
+
+func Test_requireProxyProtocol(t *testing.T) {
+	srv := &Server{
+		filemgr: filemgr.NewManager(),
+	}
+	t.Run("required", func(t *testing.T) {
+		li := srv.buildMainListener(&config.Options{
+			UseProxyProtocol: true,
+			InsecureServer:   true,
+		})
+		testutil.AssertProtoJSONEqual(t, `[
+			{
+				"name": "envoy.filters.listener.proxy_protocol",
+				"typedConfig": {
+					"@type": "type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol"
+				}
+			}
+		]`, li.GetListenerFilters())
+	})
+	t.Run("not required", func(t *testing.T) {
+		li := srv.buildMainListener(&config.Options{
+			UseProxyProtocol: false,
+			InsecureServer:   true,
+		})
+		assert.Len(t, li.GetListenerFilters(), 0)
+	})
+}