dlundquist / sniproxy

Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session.
BSD 2-Clause "Simplified" License

proxy_protocol reports IPv4 on IPv6 listeners as IPv6 #333

Open ntninja opened 5 years ago

ntninja commented 5 years ago

I just reported a bug with Apache, which seems to choke on this, but it probably should be fixed at the source (that is, in sniproxy).

Basically sniproxy will emit PROXY-protocol lines such as this when receiving an IPv4 connection on a socket bound to IPv6:

PROXY TCP6 ::ffff:1.1.1.1 ::ffff:172.21.0.3 49122 80

Instead of reporting it as TCP4 to the backend it will instead send an IPv4-mapped IPv6 address. While this is valid in theory, it doesn't appear to be a faithful implementation of the spec (why would there be a TCP4 type otherwise?) and at least Apache's mod_remoteip chokes on it. It may also be part of the reason why sniproxy doesn't work with caddy-proxyprotocol.

Either way, I'll add the usual thank you when reporting a bug as sniproxy is a very useful piece of software and saves me from having to learn haproxy. :slightly_smiling_face:

ntninja commented 5 years ago

BTW, the workaround for the issue with Apache is to force separate IPv4 and IPv6 listen ports:

listener 0.0.0.0:80 {
    protocol http

    fallback http:80 proxy
}

listener [::]:80 {
    protocol http
    ipv6_v6only yes

    fallback http:80 proxy
}

listener 0.0.0.0:443 {
    protocol tls

    fallback http:443 proxy
}

listener [::]:443 {
    protocol tls
    ipv6_v6only yes

    fallback http:443 proxy
}
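
Added example, not part of the thread and not sniproxy's own code: one way a proxy could normalise the PROXY v1 line at the source, emitting TCP4 when both addresses seen on an IPv6-bound socket are IPv4-mapped. The function names `proxy_v1_header` and `demo_header` are hypothetical, and the sample input is constructed from the header line quoted in the first comment.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: format a PROXY v1 line for a connection accepted on an
 * IPv6-bound socket. Returns the line length, or -1 on error/truncation. */
int proxy_v1_header(char *buf, size_t len, const struct sockaddr_in6 *src,
                    const struct sockaddr_in6 *dst) {
    char sip[INET6_ADDRSTRLEN], dip[INET6_ADDRSTRLEN];
    /* Report TCP4 only when BOTH ends are ::ffff:a.b.c.d; a v1 line carries a
     * single family, so a mixed pair stays TCP6. */
    int v4 = IN6_IS_ADDR_V4MAPPED(&src->sin6_addr) &&
             IN6_IS_ADDR_V4MAPPED(&dst->sin6_addr);
    int af = v4 ? AF_INET : AF_INET6;
    size_t off = v4 ? 12 : 0; /* mapped form holds the IPv4 address in bytes 12..15 */
    int n;

    if (!inet_ntop(af, src->sin6_addr.s6_addr + off, sip, sizeof sip) ||
        !inet_ntop(af, dst->sin6_addr.s6_addr + off, dip, sizeof dip))
        return -1;
    n = snprintf(buf, len, "PROXY %s %s %s %u %u\r\n", v4 ? "TCP4" : "TCP6",
                 sip, dip, (unsigned)ntohs(src->sin6_port),
                 (unsigned)ntohs(dst->sin6_port));
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Builds the two socket addresses from text (constructed sample input) and
 * returns the header, or NULL on failure. */
const char *demo_header(const char *sip, unsigned sport, const char *dip,
                        unsigned dport) {
    static char out[108]; /* v1 lines are at most 107 bytes, plus NUL */
    struct sockaddr_in6 s, d;
    memset(&s, 0, sizeof s);
    memset(&d, 0, sizeof d);
    s.sin6_family = d.sin6_family = AF_INET6;
    s.sin6_port = htons((unsigned short)sport);
    d.sin6_port = htons((unsigned short)dport);
    if (inet_pton(AF_INET6, sip, &s.sin6_addr) != 1 ||
        inet_pton(AF_INET6, dip, &d.sin6_addr) != 1)
        return NULL;
    return proxy_v1_header(out, sizeof out, &s, &d) < 0 ? NULL : out;
}

int main(void) {
    /* Constructed sample: the connection from the header line in the issue. */
    fputs(demo_header("::ffff:1.1.1.1", 49122, "::ffff:172.21.0.3", 80), stdout);
    return 0;
}
```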