Feature #4078
Feature #4247: PATCH: enable PROXY protocol and X-Forwarded-For
Add support for PROXY-PROTOCOL
0%
Description
Hi,
I suggest to add support for PROXY-PROTOCOL in TCP input connections.
Here one example:
CLIENT ---> REVERSE PROXY ---> TVHEADENDWhen the client is RTSP (SAT>IP) the TCP connection can be proxied without difficults. However, the Thv server thinks the client is the PROXY, not the real client. With TCP transport protocols this ins't a problem. However, with protocols like RTSP when the transport is UDP you need to know the REAL IP of the client.
Then the suggestion is support the PROXY-PROTOCOL in input TCP connections. This protocol is quite simple to implement, just one line of text prior to start the byte-stream. However, this needs to be enabled explicitly to avoid problems.
See these links to understand the protocol:
http://blog.haproxy.com/haproxy/proxy-protocol/
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html
http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
I hope to see son support for this protocol in the 554 (RTSP) port.
History
Updated by Mono Polimorph about 8 years ago
Updated by Mono Polimorph wrote:
I suggest to add support for PROXY-PROTOCOL in TCP input connections.
I try to explain more:
- For support the PROXY-PROTOCOL one explicit port is needed to be open. So the suggestion is, for example, add to the SAT>IP server another "alternative PROXY port" to the 554. The original port continues open, and a new one (user configurable) speaks the PROXY protocol.
- The port implementing the PROXY protocol only needs to check the proxy command, and if any error is detected, then it closes the socket and rejects the connection. And if all goes right, then it sends the connection to the regular code. No changes need to be done after this check. Only save the original origin IP address for use it when a second connection needs to be stablished (UDP traffic send).
That's all! Anyone interested on it?
Updated by Mono Polimorph almost 8 years ago
Hi,
Regarding the PROXY-PROTOCOL, or the similar "X-Forwarded-For" header with HTTP (the difference is PROXY-PROTOCOL can work with any TCP socket, not only with the HTTP protocol). I suggest to add support for both. Obviously, you need to implement a whitelist for remote address with privileges to use it, as it can be used for IP spoofing (a big hole for security).
Please, for the "X-Forwarded-For" http header consider to add this patch:
http://github.com/tvheadend/tvheadend/pull/640
The idea is put the TvH server behind a strong firewall or loadbalancer.
Updated by saen acro almost 8 years ago
Updated by I'm using router for this for example Mikrotik
every client can have different nat port :9981-2
Updated by Mono Polimorph almost 8 years ago
saen acro wrote:
I'm using router for this for example Mikrotik
every client can have different nat port :9981-2
Yes, but this doesn't work for example with protocols like RTSP (SAT>IP). Also, how we can do loadbalancing with this solution?
I prefer to have support for PROXY-PROTOCOL and "X-Forwarded-For" headers to process the correct origing IP of the client (instead of use the TCP incoming IP address, as it's the one of the proxy/balancer/firewall).
Updated by saen acro almost 8 years ago
Better to ask about HLS support
SAT>IP out of lan, not good idea.
Updated by Mono Polimorph almost 8 years ago
saen acro wrote:
SAT>IP out of lan, not good idea.
SAT>IP in routed networks works perfect! For example in a Campus environment. However, you need a good firewall for multiple users.
In any case, PROXY-PROTOCOL is a very good functionality.
Also, the "X-Forwarded-For" header is already implemented. The main developer only needs to accept the contribution.
Please, understand that not all user have identical requirements. Not all environments are equal.
Updated by Jaroslav Kysela over 7 years ago
Updated by - Status changed from New to Rejected
- Parent task set to #4247
Will be fixed in bug #4247.