Feature #4247
closed
PATCH: enable PROXY protocol and X-Forwarded-For
100%
Description
Dear developers,
For a research demo we have implemented the PROXY protocol support in HTTP connections. It’s based on the X-Forwarded-For patch from Steffen Vogel. And as someone has requested this functionality, we want to share our patch. It’s fully tested and functional.
Title: [TVHE-devel] enable PROXY protocol and X-Forwarded-For
Description: Adds support for the PROXY protocol in incoming TCP connections. Also adds support for the ‘X-Forwarded-For’ header in HTTP connections.
Comments: This new expert functionality is completely optional. By default it is disabled. If you enable it, then it’s fully transparent. However, when enabled you can connect to any TCP listening port and use the PROXY protocol to first send the original IP address of the remote client. Also you can use the HTTP protocol header ‘X-Forwarded-For’ for the same functionality. If both are used in the same HTTP connection (PROXY & 'X-Forwarded-For') then the HTTP header has preference.
Use case: When you are running the TVHE in a container with a virtual IP address and use a proxy server to route incoming connections. This functionality shows the correct IP address of the client if the proxy server forwards it.
Warning: It’s recommended to only enable this option when the TVHE server is behind a firewall forwarding the client address. If not, a malicious client might spoof the source address.
Related work:
- PROXY protocol description:
http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
- 'X-Forwarded-For' header description:
http://tools.ietf.org/html/rfc7239
- Original X-Forwarded-For patch from Steffen Vogel:
http://github.com/tvheadend/tvheadend/pull/640
You can merge it with the main branch if you want. As by default it’s disabled, it doesn’t create a security hole.
Regards!
D.
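Added example, not part of the submitted patch or of tvheadend's code: one way to act on the spoofing warning above is to honour a PROXY protocol v1 header only when the TCP peer is the known proxy, and to fall back to the socket address otherwise. The names `parse_proxy_v1`, `client_addr` and `trusted_proxy` are assumptions made for this example, and the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Parse "PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\r\n" (PROXY protocol v1).
 * Returns 1 and copies the source address into src, 0 on anything else. */
static int parse_proxy_v1(const char *line, char *src, size_t srclen)
{
    char fam[8], s[46], d[46], tail[3];
    unsigned sport, dport;
    unsigned char bin[16];
    const char *eol = strstr(line, "\r\n");
    int af;
    /* The v1 format caps the whole line at 107 bytes including CRLF. */
    if (!eol || (size_t)(eol - line) + 2 > 107)
        return 0;
    if (sscanf(line, "PROXY %7s %45s %45s %5u %5u%2[\r\n]",
               fam, s, d, &sport, &dport, tail) != 6 || strcmp(tail, "\r\n") != 0)
        return 0;
    if (strcmp(fam, "TCP4") == 0)      af = AF_INET;
    else if (strcmp(fam, "TCP6") == 0) af = AF_INET6;
    else return 0;                     /* e.g. "PROXY UNKNOWN": no usable address */
    if (inet_pton(af, s, bin) != 1 || inet_pton(af, d, bin) != 1 ||
        sport > 65535 || dport > 65535)
        return 0;
    snprintf(src, srclen, "%s", s);
    return 1;
}

/* Address to log and run access checks against. trusted_proxy is a
 * hypothetical setting for this example, not a tvheadend option. */
static const char *client_addr(const char *peer, const char *trusted_proxy,
                               const char *proxy_line, char *buf, size_t buflen)
{
    if (strcmp(peer, trusted_proxy) != 0)
        return peer;   /* direct connection: ignore any address it claims */
    if (proxy_line && parse_proxy_v1(proxy_line, buf, buflen))
        return buf;
    return peer;
}

int main(void)
{
    const char *hdr = "PROXY TCP4 192.0.2.10 198.51.100.1 56324 443\r\n"; /* constructed */
    char buf[46];
    printf("via proxy: %s\n", client_addr("10.0.0.2", "10.0.0.2", hdr, buf, sizeof buf));
    printf("direct:    %s\n", client_addr("203.0.113.7", "10.0.0.2", hdr, buf, sizeof buf));
    return 0;
}
```

The same peer check applies to an ‘X-Forwarded-For’ header: a value sent by a peer that is not the proxy should not replace the socket address.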