fix: add the proxy-protocol option (#33276)

* fix: add the proxy-protocol-enabled option

closes: #10492

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Update docs/guides/server/reverseproxy.adoc

Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
This commit is contained in:
Steven Hawkins 2024-09-27 17:44:59 -04:00 committed by GitHub
parent fc76bad1fd
commit cf2ecf87f6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 47 additions and 4 deletions

View file

@ -198,6 +198,10 @@ The `proxy-trusted-addresses` can be used when the `proxy-headers` option is set
The `https-certificates-reload-period` option can be set to define the reloading period of key store, trust store, and certificate files referenced by https-* options. Use -1 to disable reloading. Defaults to 1h (one hour). The `https-certificates-reload-period` option can be set to define the reloading period of key store, trust store, and certificate files referenced by https-* options. Use -1 to disable reloading. Defaults to 1h (one hour).
= Option `proxy-protocol-enabled` added
The `proxy-protocol-enabled` option controls whether the server should use the HA PROXY protocol when serving requests from behind a proxy. When set to true, the remote address returned will be the one from the actual connecting client.
= Options to configure cache max-count added = Options to configure cache max-count added
The `--cache-embedded-$\{CACHE_NAME}-max-count=` can be set to define an upper bound on the number of cache entries in the specified cache. The `--cache-embedded-$\{CACHE_NAME}-max-count=` can be set to define an upper bound on the number of cache entries in the specified cache.

View file

@ -134,6 +134,16 @@ For example:
<@kc.start parameters="--proxy-headers forwarded --proxy-trusted-addresses=192.168.0.32,127.0.0.0/8"/> <@kc.start parameters="--proxy-headers forwarded --proxy-trusted-addresses=192.168.0.32,127.0.0.0/8"/>
== PROXY Protocol
The `proxy-protocol-enabled` option controls whether the server should use the HA PROXY protocol when serving requests from behind a proxy. When set to true, the remote address returned will be the one from the actual connecting client.
This is useful when running behind a compatible https passthrough proxy because the request headers cannot be manipulated.
For example:
<@kc.start parameters="--proxy-protocol-enabled true"/>
== Enabling client certificate lookup == Enabling client certificate lookup
When the proxy is configured as a TLS termination proxy the client certificate information can be forwarded to the server through specific HTTP request headers and then used to authenticate When the proxy is configured as a TLS termination proxy the client certificate information can be forwarded to the server through specific HTTP request headers and then used to authenticate

View file

@ -14,6 +14,12 @@ public class ProxyOptions {
.description("The proxy headers that should be accepted by the server. Misconfiguration might leave the server exposed to security vulnerabilities. Takes precedence over the deprecated proxy option.") .description("The proxy headers that should be accepted by the server. Misconfiguration might leave the server exposed to security vulnerabilities. Takes precedence over the deprecated proxy option.")
.build(); .build();
public static final Option<Boolean> PROXY_PROTOCOL_ENABLED = new OptionBuilder<>("proxy-protocol-enabled", Boolean.class)
.category(OptionCategory.PROXY)
.description("Whether the server should use the HA PROXY protocol when serving requests from behind a proxy. When set to true, the remote address returned will be the one from the actual connecting client.")
.defaultValue(Boolean.FALSE)
.build();
public static final Option<Boolean> PROXY_FORWARDED_HOST = new OptionBuilder<>("proxy-forwarded-host", Boolean.class) public static final Option<Boolean> PROXY_FORWARDED_HOST = new OptionBuilder<>("proxy-forwarded-host", Boolean.class)
.category(OptionCategory.PROXY) .category(OptionCategory.PROXY)
.defaultValue(Boolean.FALSE) .defaultValue(Boolean.FALSE)

View file

@ -13,7 +13,6 @@ final class HealthPropertyMappers {
return new PropertyMapper[] { return new PropertyMapper[] {
fromOption(HealthOptions.HEALTH_ENABLED) fromOption(HealthOptions.HEALTH_ENABLED)
.to("quarkus.smallrye-health.extensions.enabled") .to("quarkus.smallrye-health.extensions.enabled")
.paramLabel(Boolean.TRUE + "|" + Boolean.FALSE)
.build() .build()
}; };
} }

View file

@ -34,11 +34,9 @@ public final class HttpPropertyMappers {
fromOption(HttpOptions.HTTP_ENABLED) fromOption(HttpOptions.HTTP_ENABLED)
.to("quarkus.http.insecure-requests") .to("quarkus.http.insecure-requests")
.transformer(HttpPropertyMappers::getHttpEnabledTransformer) .transformer(HttpPropertyMappers::getHttpEnabledTransformer)
.paramLabel(Boolean.TRUE + "|" + Boolean.FALSE)
.build(), .build(),
fromOption(HttpOptions.HTTP_SERVER_ENABLED) fromOption(HttpOptions.HTTP_SERVER_ENABLED)
.to("quarkus.http.host-enabled") .to("quarkus.http.host-enabled")
.paramLabel(Boolean.TRUE + "|" + Boolean.FALSE)
.build(), .build(),
fromOption(HttpOptions.HTTP_HOST) fromOption(HttpOptions.HTTP_HOST)
.to("quarkus.http.host") .to("quarkus.http.host")

View file

@ -16,7 +16,6 @@ final class MetricsPropertyMappers {
return new PropertyMapper[] { return new PropertyMapper[] {
fromOption(MetricsOptions.METRICS_ENABLED) fromOption(MetricsOptions.METRICS_ENABLED)
.to("quarkus.micrometer.enabled") .to("quarkus.micrometer.enabled")
.paramLabel(Boolean.TRUE + "|" + Boolean.FALSE)
.build() .build()
}; };
} }

View file

@ -21,6 +21,9 @@ final class ProxyPropertyMappers {
.transformer((v, c) -> proxyEnabled(null, v, c)) .transformer((v, c) -> proxyEnabled(null, v, c))
.paramLabel("headers") .paramLabel("headers")
.build(), .build(),
fromOption(ProxyOptions.PROXY_PROTOCOL_ENABLED)
.to("quarkus.http.proxy.use-proxy-protocol")
.build(),
fromOption(ProxyOptions.PROXY_FORWARDED_HOST) fromOption(ProxyOptions.PROXY_FORWARDED_HOST)
.to("quarkus.http.proxy.enable-forwarded-host") .to("quarkus.http.proxy.enable-forwarded-host")
.mapFrom("proxy-headers") .mapFrom("proxy-headers")

View file

@ -267,6 +267,10 @@ Proxy:
The proxy headers that should be accepted by the server. Misconfiguration The proxy headers that should be accepted by the server. Misconfiguration
might leave the server exposed to security vulnerabilities. Takes precedence might leave the server exposed to security vulnerabilities. Takes precedence
over the deprecated proxy option. Possible values are: forwarded, xforwarded. over the deprecated proxy option. Possible values are: forwarded, xforwarded.
--proxy-protocol-enabled <true|false>
Whether the server should use the HA PROXY protocol when serving requests from
behind a proxy. When set to true, the remote address returned will be the
one from the actual connecting client. Default: false.
--proxy-trusted-addresses <trusted proxies> --proxy-trusted-addresses <trusted proxies>
A comma separated list of trusted proxy addresses. If set, then proxy headers A comma separated list of trusted proxy addresses. If set, then proxy headers
from other addresses will be ignored. By default all addresses are trusted. from other addresses will be ignored. By default all addresses are trusted.

View file

@ -302,6 +302,10 @@ Proxy:
The proxy headers that should be accepted by the server. Misconfiguration The proxy headers that should be accepted by the server. Misconfiguration
might leave the server exposed to security vulnerabilities. Takes precedence might leave the server exposed to security vulnerabilities. Takes precedence
over the deprecated proxy option. Possible values are: forwarded, xforwarded. over the deprecated proxy option. Possible values are: forwarded, xforwarded.
--proxy-protocol-enabled <true|false>
Whether the server should use the HA PROXY protocol when serving requests from
behind a proxy. When set to true, the remote address returned will be the
one from the actual connecting client. Default: false.
--proxy-trusted-addresses <trusted proxies> --proxy-trusted-addresses <trusted proxies>
A comma separated list of trusted proxy addresses. If set, then proxy headers A comma separated list of trusted proxy addresses. If set, then proxy headers
from other addresses will be ignored. By default all addresses are trusted. from other addresses will be ignored. By default all addresses are trusted.

View file

@ -268,6 +268,10 @@ Proxy:
The proxy headers that should be accepted by the server. Misconfiguration The proxy headers that should be accepted by the server. Misconfiguration
might leave the server exposed to security vulnerabilities. Takes precedence might leave the server exposed to security vulnerabilities. Takes precedence
over the deprecated proxy option. Possible values are: forwarded, xforwarded. over the deprecated proxy option. Possible values are: forwarded, xforwarded.
--proxy-protocol-enabled <true|false>
Whether the server should use the HA PROXY protocol when serving requests from
behind a proxy. When set to true, the remote address returned will be the
one from the actual connecting client. Default: false.
--proxy-trusted-addresses <trusted proxies> --proxy-trusted-addresses <trusted proxies>
A comma separated list of trusted proxy addresses. If set, then proxy headers A comma separated list of trusted proxy addresses. If set, then proxy headers
from other addresses will be ignored. By default all addresses are trusted. from other addresses will be ignored. By default all addresses are trusted.

View file

@ -303,6 +303,10 @@ Proxy:
The proxy headers that should be accepted by the server. Misconfiguration The proxy headers that should be accepted by the server. Misconfiguration
might leave the server exposed to security vulnerabilities. Takes precedence might leave the server exposed to security vulnerabilities. Takes precedence
over the deprecated proxy option. Possible values are: forwarded, xforwarded. over the deprecated proxy option. Possible values are: forwarded, xforwarded.
--proxy-protocol-enabled <true|false>
Whether the server should use the HA PROXY protocol when serving requests from
behind a proxy. When set to true, the remote address returned will be the
one from the actual connecting client. Default: false.
--proxy-trusted-addresses <trusted proxies> --proxy-trusted-addresses <trusted proxies>
A comma separated list of trusted proxy addresses. If set, then proxy headers A comma separated list of trusted proxy addresses. If set, then proxy headers
from other addresses will be ignored. By default all addresses are trusted. from other addresses will be ignored. By default all addresses are trusted.

View file

@ -220,6 +220,10 @@ Proxy:
The proxy headers that should be accepted by the server. Misconfiguration The proxy headers that should be accepted by the server. Misconfiguration
might leave the server exposed to security vulnerabilities. Takes precedence might leave the server exposed to security vulnerabilities. Takes precedence
over the deprecated proxy option. Possible values are: forwarded, xforwarded. over the deprecated proxy option. Possible values are: forwarded, xforwarded.
--proxy-protocol-enabled <true|false>
Whether the server should use the HA PROXY protocol when serving requests from
behind a proxy. When set to true, the remote address returned will be the
one from the actual connecting client. Default: false.
--proxy-trusted-addresses <trusted proxies> --proxy-trusted-addresses <trusted proxies>
A comma separated list of trusted proxy addresses. If set, then proxy headers A comma separated list of trusted proxy addresses. If set, then proxy headers
from other addresses will be ignored. By default all addresses are trusted. from other addresses will be ignored. By default all addresses are trusted.

View file

@ -255,6 +255,10 @@ Proxy:
The proxy headers that should be accepted by the server. Misconfiguration The proxy headers that should be accepted by the server. Misconfiguration
might leave the server exposed to security vulnerabilities. Takes precedence might leave the server exposed to security vulnerabilities. Takes precedence
over the deprecated proxy option. Possible values are: forwarded, xforwarded. over the deprecated proxy option. Possible values are: forwarded, xforwarded.
--proxy-protocol-enabled <true|false>
Whether the server should use the HA PROXY protocol when serving requests from
behind a proxy. When set to true, the remote address returned will be the
one from the actual connecting client. Default: false.
--proxy-trusted-addresses <trusted proxies> --proxy-trusted-addresses <trusted proxies>
A comma separated list of trusted proxy addresses. If set, then proxy headers A comma separated list of trusted proxy addresses. If set, then proxy headers
from other addresses will be ignored. By default all addresses are trusted. from other addresses will be ignored. By default all addresses are trusted.