prosody-modules
fe081789f7b5
mod_net_proxy/README.md

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

Diff

mod_net_proxy/README.md @ 6003:fe081789f7b5

All community modules: Unify file extention of Markdown files to .md
author Menel <menel@snikket.de>
date Tue, 22 Oct 2024 10:26:01 +0200
parent 4944:9d65eb3fcb15
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_net_proxy/README.md	Tue Oct 22 10:26:01 2024 +0200
@@ -0,0 +1,179 @@
+---
+labels:
+- 'Stage-Alpha'
+summary: 'Implementation of PROXY protocol versions 1 and 2'
+...
+
+Introduction
+============
+
+This module implements the PROXY protocol in versions 1 and 2, which fulfills
+the following usecase as described within the official protocol specifications:
+
+> Relaying TCP connections through proxies generally involves a loss of the
+> original TCP connection parameters such as source and destination addresses,
+> ports, and so on.
+> 
+> The PROXY protocol's goal is to fill the server's internal structures with the
+> information collected by the proxy that the server would have been able to get
+> by itself if the client was connecting directly to the server instead of via a
+> proxy.
+
+You can find more information about the PROXY protocol on
+[the official website](https://www.haproxy.com/blog/haproxy/proxy-protocol/)
+or within
+[the official protocol specifications.](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
+
+
+Usage
+=====
+
+Copy the plugin into your prosody's modules directory. And add it
+between your enabled modules into the global section (modules\_enabled).
+
+As the PROXY protocol specifications do not allow guessing if the PROXY protocol
+shall be used or not, you need to configure separate ports for all the services
+that should be exposed with PROXY protocol support:
+
+```lua
+--[[
+  Maps TCP ports to a specific Prosody network service. Further information about
+  available service names can be found further down below in the module documentation.
+]]-- 
+proxy_port_mappings = {
+	[15222] = "c2s",
+	[15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+	"192.168.10.1",
+	"172.16.0.0/16"
+}
+
+--[[
+  While you can manually override the ports this module is listening on with
+  the "proxy_ports" directive, it is highly recommended to not set it and instead
+  only configure the appropriate mappings with "proxy_port_mappings", which will
+  automatically start listening on all mapped ports.
+
+  Example: proxy_ports = { 15222, 15269 }
+]]--
+```
+
+The above example configuration, which needs to be placed in the global section,
+would listen on both tcp/15222 and tcp/15269. All incoming connections have to 
+originate from trusted hosts/networks (configured by _proxy_trusted_proxies_) and
+must be initiated by a PROXYv1 or PROXYv2 sender. After processing the PROXY
+protocol, those connections will get mapped to the configured service name.
+
+Please note that each port handled by _mod_net_proxy_ must be mapped to another
+service name by adding an item to _proxy_port_mappings_, otherwise a warning will
+be printed during module initialization and all incoming connections to unmapped ports
+will be dropped after processing the PROXY protocol requests.
+
+The service name can be found by analyzing the source of the module, as it is the
+same name as specified within the _name_ attribute when calling
+`module:provides("net", ...)` to initialize a network listener. The following table
+shows the names for the most commonly used Prosody modules:
+
+  ------------- --------------------------
+  **Module**    **Service Name**
+  c2s           c2s (Plain/StartTLS)
+  s2s           s2s (Plain/StartTLS)
+  proxy65       proxy65 (Plain)
+  http          http (Plain)
+  net_multiplex multiplex (Plain/StartTLS)
+  ------------- --------------------------
+
+This module should work with all services that are providing ports which either
+offer plaintext or StartTLS-based encryption. Please note that instead of using
+this module for HTTP-based services (BOSH/WebSocket) it might be worth resorting
+to use proxy which is able to process HTTP and insert a _X-Forwarded-For_ header
+instead.
+
+
+Example
+=======
+
+This example provides you with a Prosody server that accepts regular connections on
+tcp/5222 (C2S) and tcp/5269 (S2S) while also offering dedicated PROXY protocol ports
+for both modules, configured as tcp/15222 (C2S) and tcp/15269 (S2S):
+
+```lua
+c2s_ports = {5222}
+s2s_ports = {5269}
+proxy_port_mappings = {
+	[15222] = "c2s",
+	[15269] = "s2s"
+}
+```
+
+After adjusting the global configuration of your Prosody server accordingly, you can
+configure your desired sender accordingly. Below is an example for a working HAProxy
+configuration which will listen on the default XMPP ports (5222+5269) and connect to
+your XMPP backend running on 192.168.10.10 using the PROXYv2 protocol:
+
+```
+defaults d-xmpp
+	log global
+	mode tcp
+	option redispatch
+	option tcplog
+	option tcpka
+	option clitcpka
+	option srvtcpka
+	
+	timeout connect 5s
+	timeout client 24h
+	timeout server 60m
+
+frontend f-xmpp
+	bind :::5222,:::5269 v4v6
+	use_backend b-xmpp-c2s if { dst_port eq 5222 }
+	use_backend b-xmpp-s2s if { dst_port eq 5269 }
+	
+backend b-xmpp-c2s
+	balance roundrobin
+	option independent-streams
+	server mycoolprosodybox 192.168.10.10:15222 send-proxy-v2
+	
+backend b-xmpp-s2s
+	balance roundrobin
+	option independent-streams
+	server mycoolprosodybox 192.168.10.10:15269 send-proxy-v2
+```
+
+
+Limitations
+===========
+
+It is currently not possible to use this module for offering PROXY protocol support
+on SSL/TLS ports, which will automatically initiate a SSL handshake. This might be
+possible in the future, but it currently does not look like this could easily be
+implemented due to the current handling of such connections.
+
+
+Important Notes
+===============
+
+Please do not expose any ports offering PROXY protocol to the internet - while regular
+clients will be unable to use them anyways, it is outright dangerous and allows anyone
+to spoof the actual IP address. It is highly recommended to only allow PROXY
+connections from trusted sources, e.g. your loadbalancer.
+
+
+Compatibility
+=============
+
+  ----- -----
+  trunk Works
+  0.12  Works
+  0.11  Works
+  0.10  Works
+  ----- -----