Feature request: please support the Haproxy PROXY protocol

[rfc1036]

Implementing TLS termination in a different process is a good idea, because it allows to use multiple CPU cores and keeps the complex TLS code outside of the ircd event loop.

The problem with the currently recommended design using stunnel is that it requires configuring transparent proxying, which itself requires enabling connection tracking in the Linux kernel. This is bad, because connection tracking causes a significant overhead when defending from DoS attacks.

The PROXY protocol allows a TCP or UDP proxy to pass to the backend the original IP address of the proxied connection, hence removing the need for transparent proxying.
While it was originally invented by the Haproxy developers, nowadays it is implemented also by nginx, stunnel and many other programs.

For details and an example implementation see https://www.haproxy.org/download/3.2/doc/proxy-protocol.txt.

[patrick-irc]

Summary

• Listeners can be configured to require PROXY Protocol v2.
• For such connections, the server waits for the PROXY Protocol v2 header before completing connection setup.
  • The header is parsed to override the client’s source IP and port.
  • Until the header is successfully received and processed, DNS resolution, ident lookups, and clone checks and client registration are deferred.
• Only connections from trusted proxy addresses are allowed to send PROXY headers.

Details

ircd.conf

A new flag for P-line has been introduced: P enables Proxy Protocol v2 support.

If this flag is set, a Proxy protocol v2 header MUST be sent after connecting, otherwise the client will be disconnected.

config.h

/*
 * Only connections originating from these addresses are allowed to provide
 * Proxy protocol v2 headers to pass the real client IP.
 *
 * Notes:
 * - Only add internal proxy IP addresses
 * - Incorrect or overly broad entries may allow IP spoofing attacks
 */
#define TRUSTED_PROXY_ADDRESSES "127.0.0.1", "::1" 

Logging

&ERRORS

:irc.example.org NOTICE &ERRORS :Invalid PROXY protocol header from 127.0.0.1

This typically indicates one of:

• misconfiguration (e.g. proxy not sending v2 header) [action required]
• mismatch between proxy and ircd implementation [action required]
• a direct client connection to a port reserved for proxy use

&LOCAL

:irc.example.org NOTICE &LOCAL :Rejecting PROXY protocol connection from 127.0.0.2

Occurs if the source IP address is not listed in TRUSTED_PROXY_ADDRESSES.
Not logged to &ERRORS because it could be triggered by network scanners (depending on the setup).

Sample setup

ircd.conf:

• P = Proxy Protocol v2
• T = Marks the port and its client as TLS (indicator only, introduced in 2.11.3)

P|127.0.0.1|||6697||TP|

haproxy.conf:

frontend irc-ssl-ipv4
    bind <external-IP>:6697 ssl crt /etc/ssl/private/irc.pem
    default_backend irc-backend-ipv4

backend irc-backend-ipv4
    server ircd1 127.0.0.1:6697 send-proxy-v2

frontend irc-ssl-ipv6
    bind [external_ip6]:6697 ssl crt /etc/ssl/private/irc.pem
    default_backend irc-backend-ipv6

backend irc-backend-ipv6
    server ircd2 [::1]:6697 send-proxy-v2

(and the same for port 6679)

Also ensure that the timeout settings do not disconnect idle clients!