fast followers for #524

* update documentation around the changes to PROXY protocol * be consistent with accessRules check * fix mistake made in #524 that put the deny check inside the assertion error block
fabiolb · Dec 7, 2018 · 6f371e9 · 6f371e9
1 parent 6a59319
commit 6f371e9
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 8 deletions.
diff --git a/docs/content/feature/proxy-protocol.md b/docs/content/feature/proxy-protocol.md
@@ -8,3 +8,19 @@ fabio transparently supports the HA Proxy
 which is used by HA Proxy,
 [Amazon ELB](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html)
 and others to transmit the remote address and port of the client without using headers.
+
+You may control the behavior of PROXY protocol support with the following
+options on the listener:
+
+* `pxyproto`: When set to 'true' the listener will respect upstream v1
+  PROXY protocol headers.
+  NOTE: PROXY protocol was on by default from 1.1.3 to 1.5.10.
+  This changed to off when this option was introduced with
+  the 1.5.11 release.
+  For more information about the PROXY protocol, please see:
+  http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
+
+* `pxytimeout`: Sets PROXY protocol header read timeout as a duration (e.g. '250ms').
+  This defaults to 250ms if not set when 'pxyproto' is enabled.
+
+See the comments in for `proxy.addr` in `fabio.properties` for more information.
diff --git a/docs/content/ref/proxy.addr.md b/docs/content/ref/proxy.addr.md
@@ -45,6 +45,17 @@ to the destination without decrypting the traffic.
   if no matching certificate was found. This matches the default
   behavior of the Go TLS server implementation.
 
+* `pxyproto`: When set to 'true' the listener will respect upstream v1
+  PROXY protocol headers.
+  NOTE: PROXY protocol was on by default from 1.1.3 to 1.5.10.
+  This changed to off when this option was introduced with
+  the 1.5.11 release.
+  For more information about the PROXY protocol, please see:
+  http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
+
+* `pxytimeout`: Sets PROXY protocol header read timeout as a duration (e.g. '250ms').
+  This defaults to 250ms if not set when 'pxyproto' is enabled.
+
 #### TLS options
 
 * `tlsmin`: Sets the minimum TLS version for the handshake. This value

diff --git a/fabio.properties b/fabio.properties
@@ -222,6 +222,17 @@
 #                if no matching certificate was found. This matches the default
 #                behavior of the Go TLS server implementation.
 #
+#   pxyproto:    When set to 'true' the listener will respect upstream v1
+#                PROXY protocol headers.
+#                NOTE: PROXY protocol was on by default from 1.1.3 to 1.5.10.
+#                This changed to off when this option was introduced with
+#                the 1.5.11 release.
+#                For more information about the PROXY protocol, please see:
+#                http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
+#
+#   pxytimeout:  Sets PROXY protocol header read timeout as a duration (e.g. '250ms').
+#                This defaults to 250ms if not set when 'pxyproto' is enabled.
+#
 # TLS options:
 #
 #   tlsmin:      Sets the minimum TLS version for the handshake. This value
@@ -359,13 +370,15 @@
 #
 # proxy.flushinterval = 1s
 
+
 # proxy.globalflushinterval configures periodic flushing of the
 # response buffer for non-SSE connections. By default it is not enabled.
 #
 # The default is
 #
 # proxy.globalflushinterval = 0
 
+
 # proxy.maxconn configures the maximum number of cached
 # incoming and outgoing connections.
 #
@@ -624,6 +637,7 @@
 #
 # registry.consul.kvpath = /fabio/config
 
+
 # registry.consul.noroutehtmlpath configures the KV path for the HTML of the
 # noroutes page.
 #
@@ -1055,6 +1069,7 @@
 #
 # tracing.CollectorType = http
 
+
 # tracing.ConnectString sets the connection string per connection type.
 # If tracing.CollectorType = http tracing.ConnectString should be
 # http://URL:PORT where URL is the URL of your collector and PORT is the TCP Port
@@ -1068,19 +1083,22 @@
 #
 # tracing.ConnectString = http://localhost:9411/api/v1/spans
 
+
 # tracing.ServiceName sets the service name used in reporting span information
 #
 # The default is
 #
 # tracing.ServiceName = Fabiolb
 
+
 # tracing.Topic sets the Topic String used if tracing.CollectorType is kafka and
 # tracing.ConnectSting is set to a kafka broker
 #
 # The default is
 #
 # tracing.Topic = Fabiolb-Kafka-Topic
 
+
 # tracing.SamplerRate is the rate at which opentrace span data will be collected and sent
 # If SamplerRate is <= 0 Never sample
 # If SamplerRate is >= 1.0 always sample
@@ -1090,8 +1108,10 @@
 # The default is
 # tracing.SamplerRate = -1
 
+
 # tracing.SpanHost sets host information.
 # This is used to specify additional information when sending spans to a collector
 #
 # The default is
 # tracing.SpanHost = localhost:9998
+
diff --git a/route/access_rules.go b/route/access_rules.go
@@ -75,24 +75,24 @@ func (t *Target) AccessDeniedTCP(c net.Conn) bool {
 	if len(t.accessRules) == 0 {
 		return false
 	}
-	// validate remote address assertion
-	if addr, ok := c.RemoteAddr().(*net.TCPAddr); !ok {
+	// get remote address and validate assertion
+	addr, ok := c.RemoteAddr().(*net.TCPAddr)
+	if !ok {
 		log.Printf("[ERROR] failed to assert remote connection address for %s", t.Service)
 		return false
-		// check remote connection address
-		if t.denyByIP(addr.IP) {
-			return true
-		}
+	}
+	// check remote connection address
+	if t.denyByIP(addr.IP) {
+		return true
 	}
 	// default allow
 	return false
 }
 
 func (t *Target) denyByIP(ip net.IP) bool {
-	if ip == nil || t.accessRules == nil {
+	if ip == nil || len(t.accessRules) == 0 {
 		return false
 	}
-
 	// check allow (whitelist) first if it exists
 	if _, ok := t.accessRules[ipAllowTag]; ok {
 		var block *net.IPNet