path: root/reg-tests/connection/proxy_protocol_tlv_validation.vtc
blob: 8c7d734edd22315a6e1ac8739a9fba50fc7d9d72 (plain)
varnishtest "Check that the TLVs are properly validated"
# Each client below hand-builds a PROXY protocol v2 header with sendhex and
# sends it to an accept-proxy listener: one well-formed header, then three
# headers whose TLV bytes and declared lengths disagree.

# Version marker kept verbatim. NOTE(review): it looks like a directive read
# by the regression-test runner rather than free text -- confirm before
# rewording or moving it.
#REQUIRE_VERSION=2.4

# NOTE(review): presumably required so that the "${HAPROXY_TEST_TIMEOUT-5s}"
# strings in the configurations are not rejected as undefined macros -- confirm.
feature ignore_unknown_macro

# We need one HAProxy instance per test case: otherwise the client connection
# is apparently reused between cases, which leads to connection resets.

# Instance h1, used by client c1 (the well-formed header).
#  - "accept-proxy" on the bind line makes the listener expect a PROXY
#    protocol header at the start of every accepted connection.
#  - The response header "echo" is set to the hex encoding of
#    fc_pp_authority, so the client can check which authority TLV value the
#    parser retained.
#  - Every request is answered with a 200 directly; no backend is involved.
# The addresses and TLVs in a PROXY header are taken from whoever sends it,
# so outside a test an accept-proxy listener should only be reachable by
# trusted upstream proxies.
haproxy h1 -conf {
    defaults
        mode http
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

    frontend a
        bind "fd@${fe1}" accept-proxy
        http-after-response set-header echo %[fc_pp_authority,hex]
        http-request return status 200
} -start

# Validate that a correct header passes: the declared header length matches
# the address block plus exactly one complete TLV, and the TLV value is
# echoed back hex-encoded.
client c1 -connect ${h1_fe1_sock} {
    # PROXY v2 signature (12 bytes)
    sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a"
    # high nibble: version 2, low nibble: command PROXY
    sendhex "21"
    # high nibble: AF_INET, low nibble: STREAM, i.e. TCP over IPv4
    sendhex "11"
    # 16-bit big-endian length of what follows: 0x0014 = 20
    # = length of the address block (12) + length of the TLV (8)
    sendhex "00 14"
    # address block in wire order: source address 127.0.0.1, destination
    # address 127.0.0.1, source port 42 (0x002A), destination port 1337 (0x0539)
    sendhex "7F 00 00 01 7F 00 00 01 00 2A 05 39"
    # TLV: type 0x02 (PP2_TYPE_AUTHORITY) + 16-bit value length (5) + "12345"
    # -> 3 + 5 = 8 bytes, which ends exactly at the declared header length
    sendhex "02 00 05 31 32 33 34 35"

    txreq -url "/"
    rxresp
    # "3132333435" is the hex encoding of "12345"
    expect resp.http.echo == "3132333435"
} -run

# Instance h2, used by client c2 (extra TLV bytes after the header).
# Same listener as the other instances: accept-proxy on the bind line, the
# hex-encoded fc_pp_authority value returned in the "echo" response header,
# and a direct 200 reply to every request.
haproxy h2 -conf {
    defaults
        mode http
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

    frontend a
        bind "fd@${fe1}" accept-proxy
        http-after-response set-header echo %[fc_pp_authority,hex]
        http-request return status 200
} -start

# Validate that a TLV placed after the end of the PROXYv2 header is not
# parsed as a TLV but is handled by the HTTP parser, leading to a
# 400 bad request error. The declared header length is the only thing that
# delimits the TLV area; bytes beyond it belong to the application stream.
client c2 -connect ${h2_fe1_sock} {
    # PROXY v2 signature (12 bytes)
    sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a"
    # high nibble: version 2, low nibble: command PROXY
    sendhex "21"
    # high nibble: AF_INET, low nibble: STREAM, i.e. TCP over IPv4
    sendhex "11"
    # 0x0014 = 20 = length of the address block (12) + length of one TLV (8);
    # the second TLV sent below is NOT covered by this length
    sendhex "00 14"
    # address block in wire order: source address 127.0.0.1, destination
    # address 127.0.0.1, source port 42 (0x002A), destination port 1337 (0x0539)
    sendhex "7F 00 00 01 7F 00 00 01 00 2A 05 39"
    # TLV inside the header: PP2_TYPE_AUTHORITY + length of the value (5) + "12345"
    sendhex "02 00 05 31 32 33 34 35"
    # after the end of the PROXYv2 header: PP2_TYPE_AUTHORITY + length of the value + "54321"
    # these 8 bytes precede the HTTP request on the wire
    sendhex "02 00 05 35 34 33 32 31"

    txreq -url "/"
    rxresp
    # the request is rejected and no "echo" header is present in the response,
    # so in particular "54321" was not taken as the authority
    expect resp.status == 400
    expect resp.http.echo == <undef>
} -run

# Instance h3, used by client c3 (TLV length larger than the header allows).
# Same listener as the other instances: accept-proxy on the bind line, the
# hex-encoded fc_pp_authority value returned in the "echo" response header,
# and a direct 200 reply to every request.
haproxy h3 -conf {
    defaults
        mode http
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

    frontend a
        bind "fd@${fe1}" accept-proxy
        http-after-response set-header echo %[fc_pp_authority,hex]
        http-request return status 200
} -start

# Validate that a TLV length exceeding the PROXYv2 length fails.
# The TLV announces a 10-byte value, but only 5 value bytes fit inside the
# declared header length; a parser that trusted the TLV length alone would
# read past the end of the header.
client c3 -connect ${h3_fe1_sock} {
    # PROXY v2 signature (12 bytes)
    sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a"
    # high nibble: version 2, low nibble: command PROXY
    sendhex "21"
    # high nibble: AF_INET, low nibble: STREAM, i.e. TCP over IPv4
    sendhex "11"
    # 0x0014 = 20 = length of the address block (12) + 8, which is too small
    # for the 13-byte TLV (3-byte TLV header + 10-byte value) sent below
    sendhex "00 14"
    # address block in wire order: source address 127.0.0.1, destination
    # address 127.0.0.1, source port 42 (0x002A), destination port 1337 (0x0539)
    sendhex "7F 00 00 01 7F 00 00 01 00 2A 05 39"
    # PP2_TYPE_AUTHORITY + length of the value (0x000A = 10) + "1234512345"
    sendhex "02 00 0A 31 32 33 34 35 31 32 33 34 35"

    txreq -url "/"
    # no response is expected: the connection must be closed
    expect_close
} -run

# Instance h4, used by client c4 (TLVs that stop short of the header end).
# Same listener as the other instances: accept-proxy on the bind line, the
# hex-encoded fc_pp_authority value returned in the "echo" response header,
# and a direct 200 reply to every request.
haproxy h4 -conf {
    defaults
        mode http
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

    frontend a
        bind "fd@${fe1}" accept-proxy
        http-after-response set-header echo %[fc_pp_authority,hex]
        http-request return status 200
} -start

# Validate that TLVs which do not end exactly at the end of the PROXYv2
# header fail. The address block (12) and the single TLV (7) account for 19
# of the 20 declared bytes; the one byte left over cannot hold another TLV,
# whose type and length fields alone take 3 bytes.
client c4 -connect ${h4_fe1_sock} {
    # PROXY v2 signature (12 bytes)
    sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a"
    # high nibble: version 2, low nibble: command PROXY
    sendhex "21"
    # high nibble: AF_INET, low nibble: STREAM, i.e. TCP over IPv4
    sendhex "11"
    # 0x0014 = 20 = length of the address block (12) + 8, which is too big
    # for the 7-byte TLV (3-byte TLV header + 4-byte value) sent below
    sendhex "00 14"
    # address block in wire order: source address 127.0.0.1, destination
    # address 127.0.0.1, source port 42 (0x002A), destination port 1337 (0x0539)
    sendhex "7F 00 00 01 7F 00 00 01 00 2A 05 39"
    # PP2_TYPE_AUTHORITY + length of the value (4) + "1234"
    sendhex "02 00 04 31 32 33 34"

    # NOTE(review): the missing 20th header byte is presumably taken from the
    # start of this request -- confirm against the parser.
    txreq -url "/"
    # no response is expected: the connection must be closed
    expect_close
} -run