MINOR: connection: add proxy-v2-options authority
This patch adds the PP2_TYPE_AUTHORITY option to proxy protocol v2 when a TLS
connection was negotiated. In this case, the authority corresponds to the SNI.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index bb1c4f1..a914c41 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -11724,7 +11724,9 @@
2 when "send-proxy-v2" is used. Options available are "ssl" (see also
send-proxy-v2-ssl), "cert-cn" (see also "send-proxy-v2-ssl-cn"), "ssl-cipher":
name of the used cipher, "cert-sig": signature algorithm of the used
- certificate, "cert-key": key algorithm of the used certificate).
+ certificate, "cert-key": key algorithm of the used certificate), "authority":
+ host name value passed by the client (only sni from a tls connection is
+ supported).
send-proxy-v2-ssl
The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index d43ad69..c6075eb 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -50,6 +50,7 @@
void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
int ssl_sock_load_ca(struct bind_conf *bind_conf);
void ssl_sock_free_ca(struct bind_conf *bind_conf);
+const char *ssl_sock_get_sni(struct connection *conn);
const char *ssl_sock_get_cert_sig(struct connection *conn);
const char *ssl_sock_get_cipher_name(struct connection *conn);
const char *ssl_sock_get_proto_version(struct connection *conn);
diff --git a/include/types/server.h b/include/types/server.h
index 91f8a9d..6d0566b 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -151,6 +151,7 @@
#define SRV_PP_V2_SSL_KEY_ALG 0x0010 /* proxy protocol version 2 with cert key algorithm */
#define SRV_PP_V2_SSL_SIG_ALG 0x0020 /* proxy protocol version 2 with cert signature algorithm */
#define SRV_PP_V2_SSL_CIPHER 0x0040 /* proxy protocol version 2 with cipher used */
+#define SRV_PP_V2_AUTHORITY 0x0080 /* proxy protocol version 2 with authority */
/* function which act on servers need to return various errors */
#define SRV_STATUS_OK 0 /* everything is OK. */
diff --git a/src/connection.c b/src/connection.c
index e8a02ea..206b22b 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -1044,6 +1044,15 @@
}
#ifdef USE_OPENSSL
+ if (srv->pp_opts & SRV_PP_V2_AUTHORITY) {
+ value = ssl_sock_get_sni(remote);
+ if (value) {
+ if ((buf_len - ret) < sizeof(struct tlv))
+ return 0;
+ ret += make_tlv(&buf[ret], (buf_len - ret), PP2_TYPE_AUTHORITY, strlen(value), value);
+ }
+ }
+
if (srv->pp_opts & SRV_PP_V2_SSL) {
struct tlv_ssl *tlv;
int ssl_tlv_len = 0;
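Review bot: The space check before make_tlv() only reserves sizeof(struct tlv) for the TLV header and ignores the strlen(value) payload, so the guard does not actually prove the authority TLV fits. If make_tlv() refuses a value that does not fit by returning 0 (its definition is outside this hunk), the TLV is silently dropped and ret is left unchanged, which is inconsistent with the `return 0` used when even the header does not fit; if it does not refuse, the copy would overrun buf. Checking the full size up front makes the behaviour consistent with the header check: `if ((buf_len - ret) < sizeof(struct tlv) + strlen(value)) return 0;`. The value is the client-supplied SNI, so its length is bounded by TLS but still not under this function's control; the enclosing function starts and ends outside the hunk, and the declaration of `value` is not visible here.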
diff --git a/src/server.c b/src/server.c
index 77fc0c6..f4cf45c 100644
--- a/src/server.c
+++ b/src/server.c
@@ -526,6 +526,8 @@
} else if (!strcmp(p, "ssl-cipher")) {
newsrv->pp_opts |= SRV_PP_V2_SSL;
newsrv->pp_opts |= SRV_PP_V2_SSL_CIPHER;
+ } else if (!strcmp(p, "authority")) {
+ newsrv->pp_opts |= SRV_PP_V2_AUTHORITY;
} else
goto fail;
}
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0e39d10..271940a 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5783,6 +5783,18 @@
return OBJ_nid2sn(OBJ_obj2nid(algorithm));
}
+/* used for ppv2 authority */
+const char *ssl_sock_get_sni(struct connection *conn)
+{
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ if (!ssl_sock_is_ssl(conn))
+ return NULL;
+ return SSL_get_servername(conn->xprt_ctx, TLSEXT_NAMETYPE_host_name);
+#else
+ return 0;
+#endif
+}
+
/* used for logging/ppv2, may be changed for a sample fetch later */
const char *ssl_sock_get_cipher_name(struct connection *conn)
{
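Review bot: The `#else` branch returns `0` from a function declared `const char *`, while the `#ifdef` branch returns `NULL`; use `return NULL;` in both so the fallback reads as a pointer result and matches the `if (value)` test in the caller. The one-line comment could also state the contract the caller relies on, e.g. `/* Returns the SNI host name sent by the client for the ppv2 authority TLV, or NULL when conn is not an SSL connection, when no SNI was sent, or when the OpenSSL build lacks SNI support. */`. That SSL_get_servername() yields NULL when the client sent no server name is the OpenSSL behaviour I recall, not something visible in the hunk.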