vi / websocat

Command-line client for WebSockets, like netcat (or curl) for ws:// with advanced socat-like functions
MIT License

Feature Request: Implement the PROXY protocol #37

Open kjvalencik opened 5 years ago

kjvalencik commented 5 years ago

It would be useful to send a PROXY protocol header when proxying a TCP server. This would allow the application to map back to the original addresses.

http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

Prior art: https://blog.cloudflare.com/mmproxy-creative-way-of-preserving-client-ips-in-spectrum/

vi commented 5 years ago

The protocol looks involved; there are two versions... What other software supports it, apart from haproxy?

What is the main advantage compared to SOCKS5 and HTTP CONNECT? (Or maybe I don't understand how it is used).

Is there a ready-made implementation for Rust/Tokio?

kjvalencik commented 5 years ago

There are a few examples of software that support it here.

As far as I know, there is not a ready-made Rust implementation. I was able to find a couple of small examples on GitHub, but nothing robust.

The main advantage is that it allows simple TCP servers to recover the original IP address. When combined with Cloudflare's mmproxy it can even be used without direct support from the TCP server itself.

I have not been able to find a ws-to-tcp bridge that supports it.

vi commented 5 years ago

Do you want websocat to accept connections prefixed by that proxy header or initiate them (or both)?

Which tool available in Debian packages is to be used to test, explore and experiment with how this protocol works? Is nginx enough, or is it only half of the feature?

Is there any netcat-, curl- or socat-like tool that can use PROXY protocol from simple command-line invocations without writing any config files?

kjvalencik commented 5 years ago

My specific use case is to send the headers. I'll do some more investigation and get back to you. Thanks!

vi commented 5 years ago

You may also include how such a header should look in e.g. Wireshark.

Documentation at haproxy contains some examples, but it's better to see a fuller picture.

Also what is the name of this proxy protocol? Is there an RFC? Definitely it shouldn't be called just a "proxy" (i.e. --proxy switch or proxy: specifier).

vi commented 5 years ago

Crude prototype:

```
websocat -t - --ws-c-uri=ws://lol/kek ws-c:sh-c:'( printf "PROXY TCP4 0.0.0.0 0.0.0.0 0 0\r\n"; cat ) | nc 127.0.0.1 1234'
```

```
$ nc -lp 1234
PROXY TCP4 0.0.0.0 0.0.0.0 0 0
GET /kek HTTP/1.1
Host: lol
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: NiVUsXbHCu/bTNJxe4pexQ==
```

vi commented 5 years ago

If there is a tool for using such proxies like connect-proxy or corkscrew then it is rather easy to call it from Websocat (including in TLS mode).
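
An added example, not part of the original thread and not websocat code: Rust functions that build the version 1 (text) and version 2 (binary) headers defined in the haproxy proxy-protocol.txt linked above, showing what the sender puts on the wire before the proxied data. The function names `proxy_v1` and `proxy_v2` and the sample addresses are assumptions made for illustration.

```rust
use std::net::{IpAddr, SocketAddr};

/// 12-byte signature that opens every PROXY protocol v2 header.
const V2_SIG: [u8; 12] = *b"\r\n\r\n\0\r\nQUIT\n";

/// Version 1: one human-readable line terminated by CRLF.
fn proxy_v1(src: SocketAddr, dst: SocketAddr) -> String {
    let fam = match (src.ip(), dst.ip()) {
        (IpAddr::V4(_), IpAddr::V4(_)) => "TCP4",
        (IpAddr::V6(_), IpAddr::V6(_)) => "TCP6",
        // Mixed families cannot be expressed; the spec allows UNKNOWN.
        _ => return "PROXY UNKNOWN\r\n".to_string(),
    };
    format!("PROXY {} {} {} {} {}\r\n", fam, src.ip(), dst.ip(), src.port(), dst.port())
}

/// Version 2: binary header; None when the address families differ.
fn proxy_v2(src: SocketAddr, dst: SocketAddr) -> Option<Vec<u8>> {
    let mut addrs = Vec::new();
    let fam = match (src.ip(), dst.ip()) {
        (IpAddr::V4(s), IpAddr::V4(d)) => {
            addrs.extend_from_slice(&s.octets());
            addrs.extend_from_slice(&d.octets());
            0x11 // AF_INET + STREAM
        }
        (IpAddr::V6(s), IpAddr::V6(d)) => {
            addrs.extend_from_slice(&s.octets());
            addrs.extend_from_slice(&d.octets());
            0x21 // AF_INET6 + STREAM
        }
        _ => return None,
    };
    addrs.extend_from_slice(&src.port().to_be_bytes());
    addrs.extend_from_slice(&dst.port().to_be_bytes());
    let mut h = V2_SIG.to_vec();
    h.push(0x21); // protocol version 2, command PROXY
    h.push(fam);
    h.extend_from_slice(&(addrs.len() as u16).to_be_bytes());
    h.extend_from_slice(&addrs);
    Some(h)
}

fn main() {
    // Constructed sample addresses from the documentation ranges.
    let src: SocketAddr = "192.0.2.10:51234".parse().unwrap();
    let dst: SocketAddr = "198.51.100.5:1234".parse().unwrap();
    print!("{}", proxy_v1(src, dst));
    println!("{:02x?}", proxy_v2(src, dst).unwrap());
}
```

Because the header is plain data at the start of the stream, the specification requires a receiver to accept it only from connections made by proxies it has been configured to trust; otherwise any client can claim an arbitrary source address.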