reg-tests/connection/proxy_protocol_tlv_validation.vtc

varnishtest "Check that the TLVs are properly validated"

#REQUIRE_VERSION=2.4

feature ignore_unknown_macro

# We need one HAProxy for each test, because apparently the connection by
# the client is reused, leading to connection resets.

haproxy h1 -conf {
    defaults
        mode http
        timeout connect 1s
        timeout client  1s
        timeout server  1s

    frontend a
        bind "fd@${fe1}" accept-proxy
        http-after-response set-header echo %[fc_pp_authority,hex]
        http-request return status 200
} -start

# Validate that a correct header passes
client c1 -connect ${h1_fe1_sock} {
    # PROXY v2 signature
    sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a"
    # version + PROXY
    sendhex "21"
    # TCP4
    sendhex "11"
    # length of the address (12) + length of the TLV (8)
    sendhex "00 14"
    # 127.0.0.1 42 127.0.0.1 1337
    sendhex "7F 00 00 01 7F 00 00 01 00 2A 05 39"
    # PP2_TYPE_AUTHORITY + length of the value + "12345"
    sendhex "02 00 05 31 32 33 34 35"

    txreq -url "/"
    rxresp
    expect resp.http.echo == "3132333435"
} -run

haproxy h2 -conf {
    defaults
        mode http
        timeout connect 1s
        timeout client  1s
        timeout server  1s

    frontend a
        bind "fd@${fe1}" accept-proxy
        http-after-response set-header echo %[fc_pp_authority,hex]
        http-request return status 200
} -start

# Validate that a TLV after the end of the PROXYv2 header is not parsed
# and handle by the HTTP parser, leading to a 400 bad request error
client c2 -connect ${h2_fe1_sock} {
    # PROXY v2 signature
    sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a"
    # version + PROXY
    sendhex "21"
    # TCP4
    sendhex "11"
    # length of the address (12) + length of the TLV (8)
    sendhex "00 14"
    # 127.0.0.1 42 127.0.0.1 1337
    sendhex "7F 00 00 01 7F 00 00 01 00 2A 05 39"
    # PP2_TYPE_AUTHORITY + length of the value + "12345"
    sendhex "02 00 05 31 32 33 34 35"
    # after the end of the PROXYv2 header: PP2_TYPE_AUTHORITY + length of the value + "54321"
    sendhex "02 00 05 35 34 33 32 31"

    txreq -url "/"
    rxresp
    expect resp.status == 400
    expect resp.http.echo == <undef>
} -run

haproxy h3 -conf {
    defaults
        mode http
        timeout connect 1s
        timeout client  1s
        timeout server  1s

    frontend a
        bind "fd@${fe1}" accept-proxy
        http-after-response set-header echo %[fc_pp_authority,hex]
        http-request return status 200
} -start

# Validate that a TLV length exceeding the PROXYv2 length fails
client c3 -connect ${h3_fe1_sock} {
    # PROXY v2 signature
    sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a"
    # version + PROXY
    sendhex "21"
    # TCP4
    sendhex "11"
    # length of the address (12) + too small length of the TLV (8)
    sendhex "00 14"
    # 127.0.0.1 42 127.0.0.1 1337
    sendhex "7F 00 00 01 7F 00 00 01 00 2A 05 39"
    # PP2_TYPE_AUTHORITY + length of the value + "1234512345"
    sendhex "02 00 0A 31 32 33 34 35 31 32 33 34 35"

    txreq -url "/"
    expect_close
} -run

haproxy h4 -conf {
    defaults
        mode http
        timeout connect 1s
        timeout client  1s
        timeout server  1s

    frontend a
        bind "fd@${fe1}" accept-proxy
        http-after-response set-header echo %[fc_pp_authority,hex]
        http-request return status 200
} -start

# Validate that TLVs not ending with the PROXYv2 header fail
client c4 -connect ${h4_fe1_sock} {
    # PROXY v2 signature
    sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a"
    # version + PROXY
    sendhex "21"
    # TCP4
    sendhex "11"
    # length of the address (12) + too big length of the TLV (8)
    sendhex "00 14"
    # 127.0.0.1 42 127.0.0.1 1337
    sendhex "7F 00 00 01 7F 00 00 01 00 2A 05 39"
    # PP2_TYPE_AUTHORITY + length of the value + "1234"
    sendhex "02 00 04 31 32 33 34"

    txreq -url "/"
    expect_close
} -run