VAULT-6803: fix listener issue if using proxy_protocol_behavior with deny_unauthorized for untrusted upstream connections
#27589
Conversation
…listener-proxy-behavior-bug-allow-deny
…listener-proxy-behavior-bug-allow-deny
peteski22
added
bug
|
CI Results: |
|
Build Results: |
| var server net.Conn | ||
| select { | ||
| case <-time.After(3 * time.Second): | ||
| case server = <-serverCh: | ||
| } |
There was a problem hiding this comment.
Added a timeout to the tests as the forked library now never stops listening until it can return a valid connection.
| @@ -72,7 +71,7 @@ func WrapInProxyProto(listener net.Listener, config *ProxyProtoConfig) (net.List | |||
| return proxyproto.IGNORE, nil | |||
| } | |||
|
|
|||
| return proxyproto.REJECT, errors.New(`upstream connection not trusted proxy_protocol_behavior is "deny_unauthorized"`) | |||
| return proxyproto.REJECT, proxyproto.ErrInvalidUpstream | |||
There was a problem hiding this comment.
This is the change that keeps the listener waiting for a valid connection.
https://github.com/peteski22/go-proxyproto/blob/v1.0.0/protocol.go#L85-L88
|
|
||
| // Support using the forked repository until https://github.com/pires/go-proxyproto/pull/110 merges | ||
| // and is released. | ||
| replace github.com/pires/go-proxyproto v1.0.0 => github.com/peteski22/go-proxyproto v1.0.0 |
There was a problem hiding this comment.
Info on forked repo tag.
Keep listener listening if upstream connection address is not trusted (but close that connection).
Releases the changes requested on pires's go-proxyproto by pires/go-proxyproto#110.
Bumped to v1.0.0 which doesn't exist as a tag on the maintainer's repo but does on the forked repo. Suspect that if the maintainer accepts the PR and tags it, semver suggests the breaking change to Accept means v1.0.0 is likely.
There was a problem hiding this comment.
The change here can now be updated and the replace removed, as the PR was accepted, merged and tagged:
https://github.com/pires/go-proxyproto/releases/tag/v0.8.0
There was a problem hiding this comment.
Is it possible to add a test that fails before this change but passes afterwards? I'm not particularly familiar with this area of the code so it would especially help increase my confidence both now and in the future if we could exercise this code path and bug fix in a test
I had been testing this manually using https://github.com/muhtasimmaleque/Vault-docker-listener-bug and Linux Vault binaries I'd built before/after the change. |
|
Sorry, I think I could have worded that better: is it possible to add an automated Go test for this bug? That would also increase confidence if/when we move from the fork that it still works, without needing to re-do the manual testing |
This fails before the change, and passes afterwards. Between this and the manual testing steps in the Jira associated with the branch we should be able to prevent a regression and reproduce any issues. |
peteski22
deleted the
peteski22/VAULT-6803/listener-proxy-behavior-bug-allow-deny
branch
peteski22
added
backport/ent/1.15.x+ent
backport/ent/1.16.x+ent
Description
This PR corrects an issue introduced when supported was added for
PROXY v2on TCP listeners usingproxy_protocol_behavior.This issue was introduced in Vault
v1.10.0and has impacted all subsequent versions other thanv1.16.x(due to a bug parsing this config setting).Any listener configured to
deny_unauthorizedwill still close a connection when the upstream proxy is untrusted, but it will now continue to listen for connections until a valid one is found. It does this by returningErrInvalidUpstreamto the proxy library.NOTE: the issue is only present if this config setting
proxy_protocol_behavioris enabled and set todeny_unauthorized.HashiCorp checklist
getting backported to N-2, use the new style
backport/ent/x.x.x+entlabelsinstead of the old style
backport/x.x.xlabels.the normal
backport/x.x.xlabel (there should be only 1).ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signatureof a public function, even if that change is in a CE file, double check that
applying the patch for this PR to the ENT repo and running tests doesn't
break any tests. Sometimes ENT only tests rely on public functions in CE
files.
in the PR description, commit message, or branch name.
RFC: If this change has an associated RFC, please link it in the description.ENT PR: If this change has an associated ENT PR, please link it in thedescription. Also, make sure the changelog is in this PR, not in your ENT PR.