[HAPROXY] use $SOURCEIP instead of $PROXIED_SRCIP#361
Merged
MrAnno merged 24 commits intoaxoflow:mainfrom Feb 7, 2025
Merged
Conversation
cdfd3b6 to
c2c1e8f
Compare
58f020f to
dff7494
Compare
672e0c2 to
1c9e896
Compare
1c9e896 to
5ee3ffd
Compare
b3b5bc7 to
e8322f7
Compare
Member
Author
|
This is now ready for review and I think would be a better solution than #482 with the same fix. |
Member
Author
|
@OverOrion @MrAnno could you re-review this, so we can merge this instead of #482? |
MrAnno
reviewed
Feb 3, 2025
Contributor
|
I'm reviewing it. |
OverOrion
reviewed
Feb 3, 2025
Signed-off-by: Balazs Scheidler <[email protected]>
Signed-off-by: Balazs Scheidler <[email protected]>
…ransportStack Signed-off-by: Balazs Scheidler <[email protected]>
Signed-off-by: Balazs Scheidler <[email protected]>
Signed-off-by: Balazs Scheidler <[email protected]>
Previously TLS compression was enabled using an overly complicated mechanism crossing a number of layers (TransportMapperInet -> TransportFactoryTLS -> TLSSession -> SSL). This can be a lot simpler, which this patch implements. NOTE: compression will not work in most cases due to OpenSSL security levels and this patch adds a warning about it. Signed-off-by: Balazs Scheidler <[email protected]>
Instead of going to the fd directly, wrap the lower-level LogTransport instance into a BIO and use that. This implements proper stacking for LogTransportTLS. This adds the use of OpenSSL BIOs to wrap the lower level LogTransport instance. Signed-off-by: Balazs Scheidler <[email protected]>
Signed-off-by: Balazs Scheidler <[email protected]>
…rtStack level Signed-off-by: Balazs Scheidler <[email protected]>
Signed-off-by: Balazs Scheidler <[email protected]>
…sages The "auto" protocol can be applied to both syslog() and network(), so it's not strictly RFC6587 related and it does not add too much information anyway. Signed-off-by: Balazs Scheidler <[email protected]>
Signed-off-by: Balazs Scheidler <[email protected]>
Instead of using proxy protocol specific name value pairs, set the addresses in the message's saddr/daddr members. This should be a lot faster and a lot easier to use. Signed-off-by: Balazs Scheidler <[email protected]>
…resses Signed-off-by: Balazs Scheidler <[email protected]>
…e_index Signed-off-by: Balazs Scheidler <[email protected]>
…e message Signed-off-by: Balazs Scheidler <[email protected]>
This reworks the various boolean members in TransportMapperInet that control which logproto/transport we apply to a specific connection. With these renames, it's much easier to follow what happens and why. NOTE: there's a followup bugfix that fixes the same bug as axoflow#482. Signed-off-by: Balazs Scheidler <[email protected]>
"auto" has originally been planned to auto-detect TLS as well as framing format, but at this point it does not do TLS auto-detection. But this means that transport(auto) with tls() options set will start reading data without SSL, e.g. the encrypted stuff will make it into the messages received. This patch fixes that for both the syslog() and the network() driver. The only change is that delegate_tls_start_to_logproto is FALSE for the "auto" case. This will be changed once the TLS auto detection feature is also in. Signed-off-by: Balazs Scheidler <[email protected]>
… transports Signed-off-by: Balazs Scheidler <[email protected]>
Instead of just exercising the proxyprotocol try all valid transports, including the "auto" variants. Signed-off-by: Balazs Scheidler <[email protected]>
Signed-off-by: Balazs Scheidler <[email protected]>
Signed-off-by: Balazs Scheidler <[email protected]>
e8322f7 to
6344ea8
Compare
MrAnno
reviewed
Feb 4, 2025
Contributor
MrAnno
left a comment
There was a problem hiding this comment.
I've started manual-testing the generic- and TLS-related transport changes (I think we need thorough testing since this touches core functionality).
Contributor
|
I've tested the TLS-related changes on a real network connection through multiple hops, it works as expected. |
Signed-off-by: Balazs Scheidler <[email protected]>
This was a one-off allocation, but it's better if it is freed. Signed-off-by: Balazs Scheidler <[email protected]>
d05bb69 to
704ded6
Compare
Member
Author
|
@MrAnno I've resolved the memory leak and did not add BIO_set_nbio() call and resolved your comments. Let me know if you agree. Thanks |
MrAnno
approved these changes
Feb 7, 2025
fekete-robert
pushed a commit
to axoflow/axosyslog-core-docs
that referenced
this pull request
Feb 15, 2025
fekete-robert
pushed a commit
to axoflow/axosyslog-core-docs
that referenced
this pull request
Feb 15, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is a large refactor of the HAProxy support, and preparations for protocol auto detection. It also changes the HAProxy support to use the standard source/destination addresses in LogMessage, instead of a proxy specific values e.g. $SOURCEIP instead of $PROXIED_SRCIP.
Short summary of the patches: