feat: (WIP) Proxy Protocol Check for Traffic Endpoint

cloudfoundry · Apr 16, 2024 · c017307 · c017307
1 parent c921f3f
commit c017307
Show file tree

Hide file tree

Showing 7 changed files with 136 additions and 1 deletion.
diff --git a/acceptance-tests/go.mod b/acceptance-tests/go.mod
@@ -7,6 +7,7 @@ require (
 	github.com/gorilla/websocket v1.5.1
 	github.com/onsi/ginkgo/v2 v2.16.0
 	github.com/onsi/gomega v1.31.1
+	github.com/pires/go-proxyproto v0.7.0
 	golang.org/x/crypto v0.21.0
 	golang.org/x/net v0.22.0
 	gopkg.in/yaml.v2 v2.4.0

diff --git a/acceptance-tests/go.sum b/acceptance-tests/go.sum
@@ -22,6 +22,8 @@ github.com/onsi/ginkgo/v2 v2.16.0 h1:7q1w9frJDzninhXxjZd+Y/x54XNjG/UlRLIYPZafsPM
 github.com/onsi/ginkgo/v2 v2.16.0/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
 github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo=
 github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0=
+github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs=
+github.com/pires/go-proxyproto v0.7.0/go.mod h1:Vz/1JPY/OACxWGQNIRY2BeyDmpoaWmEP40O9LbuiFR4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

diff --git a/acceptance-tests/proxy_protocol_test.go b/acceptance-tests/proxy_protocol_test.go
@@ -0,0 +1,109 @@
+package acceptance_tests
+
+import (
+	"fmt"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	proxyproto "github.com/pires/go-proxyproto"
+	"net"
+	"net/http"
+)
+
+var _ = Describe("Proxy Protocol", func() {
+	opsfileProxyProtocol := `---
+# Enable Proxy Protocol
+- type: replace
+  path: /instance_groups/name=haproxy/jobs/name=haproxy/properties/ha_proxy/accept_proxy?
+  value: true
+- type: replace
+  path: /instance_groups/name=haproxy/jobs/name=haproxy/properties/ha_proxy/enable_health_check_http?
+  value: true
+- type: replace
+  path: /instance_groups/name=haproxy/jobs/name=haproxy/properties/ha_proxy/disable_health_check_proxy?
+  value: false
+`
+
+	It("Correctly proxies Proxy Protocol requests", func() {
+		haproxyBackendPort := 12000
+		haproxyInfo, _ := deployHAProxy(baseManifestVars{
+			haproxyBackendPort:    haproxyBackendPort,
+			haproxyBackendServers: []string{"127.0.0.1"},
+			deploymentName:        deploymentNameForTestNode(),
+		}, []string{opsfileProxyProtocol}, map[string]interface{}{}, true)
+
+		closeLocalServer, localPort := startDefaultTestServer()
+		defer closeLocalServer()
+
+		closeTunnel := setupTunnelFromHaproxyToTestServer(haproxyInfo, haproxyBackendPort, localPort)
+		defer closeTunnel()
+
+		By("Sending a request with Proxy Protocol Header to HAProxy traffic port")
+		err := performProxyProtocolRequest(haproxyInfo.PublicIP, 80, "/")
+		Expect(err).NotTo(HaveOccurred())
+
+		By("Sending a request without Proxy Protocol Header to HAProxy")
+		expect400(http.Get(fmt.Sprintf("http://%s", haproxyInfo.PublicIP)))
+
+		By("Sending a request with Proxy Protocol Header to HAProxy healthcheck port")
+		err = performProxyProtocolRequest(haproxyInfo.PublicIP, 8080, "/health")
+		Expect(err).NotTo(HaveOccurred())
+
+		By("Sending a request without Proxy Protocol Header to HAProxy healthcheck port")
+		expect400(http.Get(fmt.Sprintf("http://%s:8080/health", haproxyInfo.PublicIP)))
+	})
+})
+
+func performProxyProtocolRequest(ip string, port int, endpoint string) error {
+	// Create a connection to the HAProxy instance
+	conn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", ip, port))
+	if err != nil {
+		return err
+	}
+
+	defer conn.Close()
+
+	// Create proxy protocol header
+	header := &proxyproto.Header{
+		Version:           1,
+		Command:           proxyproto.PROXY,
+		TransportProtocol: proxyproto.TCPv4,
+		SourceAddr: &net.TCPAddr{
+			IP:   net.ParseIP("10.1.1.1"),
+			Port: 1000,
+		},
+		DestinationAddr: &net.TCPAddr{
+			IP:   net.ParseIP(ip),
+			Port: port,
+		},
+	}
+
+	// Write header to the connection
+	_, err = header.WriteTo(conn)
+	if err != nil {
+		return err
+	}
+
+	// Send HTTP Request
+	request := fmt.Sprintf("GET %s HTTP/1.1\r\n"+
+		"Host: %s\r\n"+
+		"Content-Length: 0\r\n"+
+		"Content-Type: text/plain\r\n"+
+		"\r\n", endpoint, ip)
+	_, err = conn.Write([]byte(request))
+	if err != nil {
+		return err
+	}
+
+	// Read the response
+	buf := make([]byte, 1024)
+	_, err = conn.Read(buf)
+	if err != nil {
+		return err
+	}
+
+	// Get HTTP status code
+	if string(buf[9:12]) != "200" {
+		return fmt.Errorf("expected HTTP status code 200, got %s", string(buf))
+	}
+	return nil
+}
diff --git a/ci/scripts/acceptance-tests b/ci/scripts/acceptance-tests
@@ -15,6 +15,11 @@ if [ -n "$FOCUS" ]; then
 fi
 
 cd ${REPO_ROOT:?required}
+
+# TODO TEMPORARY: REMOVE BEFORE MERGE
+git config --global --add safe.directory /repo
+git config --global --add safe.directory /repo/src/ttar
+
 echo "----- Pulling in any git submodules..."
 git submodule update --init --recursive --force
 

diff --git a/jobs/haproxy/spec b/jobs/haproxy/spec
@@ -514,6 +514,9 @@ properties:
   ha_proxy.disable_tcp_accept_proxy:
     description: "Disables the PROXY protocol on tcp backends. Only applies if `ha_proxy.accept_proxy` is enabled."
     default: false
+  ha_proxy.disable_health_check_proxy:
+    description: "Disables the use of the PROXY protocol for health checks. Only applies if `ha_proxy.accept_proxy` is enabled."
+    default: false
   ha_proxy.binding_ip:
     description: "If there are multiple ethernet interfaces, specify which one to bind. Set to `::` to bind to all IPv6 interfaces (no IPv4). IPv6 must be enabled on the HAProxy VM in the deployment manifest."
     default: ""

diff --git a/jobs/haproxy/templates/haproxy.config.erb b/jobs/haproxy/templates/haproxy.config.erb
@@ -325,7 +325,7 @@ listen health_check_http_url
     mode http
     option httpclose
     monitor-uri /health
-    <%- if p("ha_proxy.accept_proxy") -%>
+    <% if p("ha_proxy.accept_proxy") && !p("ha_proxy.disable_health_check_proxy") -%>
     tcp-request connection expect-proxy layer4 unless LOCALHOST
     <%- end -%>
     acl http-routers_down nbsrv(<%= backends.first[:name] %>) eq 0

diff --git a/spec/haproxy/templates/haproxy_config/healthcheck_listener_spec.rb b/spec/haproxy/templates/haproxy_config/healthcheck_listener_spec.rb
@@ -70,6 +70,21 @@
       it 'sets expect-proxy with exception for LOCALHOST' do
         expect(healthcheck_listener).to include('tcp-request connection expect-proxy layer4 unless LOCALHOST')
       end
+
+      context 'when ha_proxy.disable_health_check_proxy is also true' do
+        let(:properties) do
+          {
+            'enable_health_check_http' => true,
+            'accept_proxy' => true,
+            'disable_health_check_proxy' => true,
+          }
+        end
+
+        it 'does not set expect-proxy for the healthcheck' do
+          expect(healthcheck_listener).not_to include('tcp-request connection expect-proxy layer4 unless LOCALHOST')
+        end
+      end
+
     end
   end
 end