gw: implement proxy protocol with server-side control#649
Closed
gw: implement proxy protocol with server-side control#649
Conversation
Add PROXY protocol support to the gateway with two server-side config options instead of client-controlled SNI suffixes: - inbound_pp_enabled: read PP headers from upstream load balancers - outbound_pp_enabled: send PP headers to backend apps The original PR#361 used a 'p' suffix in the SNI subdomain to toggle outbound PP per-connection. This is a security flaw: a client could connect to a PP-expecting port without sending PP headers, allowing source address spoofing. Both flags are now server-side config only.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Supersedes #361. Adds PROXY protocol support to the gateway with a security fix:
inbound_pp_enabled): reads PP headers from upstream load balancers (e.g. Cloudflare)outbound_pp_enabled): forwards PP headers to backend appsSecurity fix vs #361
The original PR used a
psuffix in the SNI subdomain (e.g.app-8080p.domain.com) to toggle outbound PP per-connection. This is client-controlled and introduces a source address spoofing vulnerability: a client can connect to a PP-expecting backend port without thepsuffix, bypassing the PP header and letting the backend misinterpret raw TCP data or fall back to the direct connection address. Both PP flags are now server-side config only.Changes
gateway/src/pp.rsmodule: PP header parsing (v1/v2) and synthetic header creationinbound_pp_enabled,outbound_pp_enabled,pp_headertimeoutpsuffix in SNI parsing — PP decision is purely server-sideTest plan
cargo check -p dstack-gatewaypassesinbound_pp_enabled = truebehind a PP-aware proxyoutbound_pp_enabled = truewith a PP-aware backend