proxy protocol support on transport #3158

Closed
michelepra opened this issue Feb 1, 2023 · 4 comments
Labels
multistream Related to Janus 1.x pr-exists

Comments

@michelepra
Contributor

Some transports allow setting an ACL to limit access to a resource (admin or API).
In an environment where the Janus transport is behind a proxy, this ACL is useless because Janus takes the source address only from the TCP socket and not from an HTTP header.

In a nutshell (for the HTTP and WebSocket transports), it should recover the source IP from an HTTP header (if set) and not only from the data in sockaddr.

In a more general environment, Janus can support the proxy protocol.

What is the [Proxy Protocol](https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt)? It is a network protocol for preserving a client’s IP address when the client’s TCP connection passes through a proxy. Without such a mechanism, proxies lose this information because they act as a surrogate for the client, relaying messages to the server, but replacing the client’s IP address with their own. This distorts the logs of upstream servers because the logs incorrectly indicate that all traffic originated at the proxy. [...] The Proxy Protocol works by adding a header that contains the client’s IP address to the beginning of a TCP connection

@michelepra michelepra added the multistream Related to Janus 1.x label Feb 1, 2023
@lminiero
Member

lminiero commented Feb 1, 2023

I'd rather not implement proprietary mechanisms. If there's any standard header we can look at to figure out that information, I can see how complex it is to integrate in the HTTP and/or WS transport plugins.

Edit: I guess the X-Forwarded-For header you mentioned may be what to refer to, obviously disabled by default considering it's untrustworthy (it would be up to users to enable it once they know a proxy is indeed sitting in front of Janus). I'll add the enhancement tag to the issue, but not sure when I'll have time to work on it.
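
The trust condition discussed above, as an added example that is not part of this thread or of Janus's code: a minimal C parser for the text (v1) form of the PROXY protocol header that honours the header only when the TCP peer is the configured proxy, the same opt-in rule described for X-Forwarded-For. The function name `pp1_client_addr`, the single `trusted_proxy` parameter and the sample addresses are assumptions made for illustration; the binary v2 header is not handled.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#define PP1_MAX 107 /* a v1 header line is at most 107 bytes, CRLF included */
/* Hypothetical helper (not Janus code): pick the address an ACL should see.
 * Returns header bytes to skip (>0), 0 if the peer is not the trusted proxy
 * (buf is plain application data), or -1 if the trusted proxy sent a bad
 * header (drop the connection). src always receives the address to use. */
int pp1_client_addr(const char *buf, size_t len, const char *peer_ip,
                    const char *trusted_proxy, char *src, size_t srclen)
{
    char line[PP1_MAX + 1], fam[8], s[46], d[46];
    unsigned char bin[16];
    int sp, dp, end, af;
    size_t n = len < PP1_MAX ? len : PP1_MAX, i;
    snprintf(src, srclen, "%s", peer_ip);   /* default: the socket address */
    if (strcmp(peer_ip, trusted_proxy) != 0)
        return 0;               /* never honour a header from anyone else */
    for (i = 0; i + 1 < n; i++)             /* CRLF must be inside the limit */
        if (buf[i] == '\r' && buf[i + 1] == '\n')
            break;
    if (i + 1 >= n || i < 6 || memcmp(buf, "PROXY ", 6) != 0)
        return -1;
    memcpy(line, buf, i);
    line[i] = '\0';
    if (!strcmp(line, "PROXY UNKNOWN") || !strncmp(line, "PROXY UNKNOWN ", 14))
        return (int)i + 2;      /* proxy knows no address: keep the socket's */
    if (sscanf(line, "PROXY %7s %45s %45s %5d %5d%n",
               fam, s, d, &sp, &dp, &end) != 5 || (size_t)end != i)
        return -1;              /* missing field, trailing junk, embedded NUL */
    af = !strcmp(fam, "TCP4") ? AF_INET : !strcmp(fam, "TCP6") ? AF_INET6 : -1;
    if (af < 0 || inet_pton(af, s, bin) != 1 || inet_pton(af, d, bin) != 1 ||
        sp < 0 || sp > 65535 || dp < 0 || dp > 65535)
        return -1;
    snprintf(src, srclen, "%s", s);
    return (int)i + 2;
}

int main(void)
{
    /* Constructed sample: what a proxy at 10.0.0.5 would prepend. */
    const char *in = "PROXY TCP4 203.0.113.7 10.0.0.9 51324 8088\r\nGET /janus";
    char ip[46];
    int r = pp1_client_addr(in, strlen(in), "10.0.0.5", "10.0.0.5", ip, sizeof ip);
    printf("skip=%d client=%s\n", r, ip);
    return 0;
}
```

The same header sent by any peer other than the configured proxy returns 0 and leaves the socket address in `src`, so a client cannot choose the address an ACL evaluates.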

@michelepra
Contributor Author

michelepra commented Feb 1, 2023

The PROXY protocol was defined by haproxy but is a de-facto standard for proxies operating at the transport and/or application layer.
The most popular on-premise proxies like haproxy, nginx, varnish, stunnel, or cloud providers like AWS, GCP, Azure, or other things like IBM IAG support this (the list of services or software is much longer).
I think it is not so difficult to implement; there's also a C example or a Golang example.

Personally, I rate X-Forwarded-For as some sort of hack for HTTP only, but it is also a de-facto standard.

When a standard is lacking, people invent the wheel, so this wheel becomes the standard 😅

@lminiero
Member

lminiero commented Feb 2, 2023

I get it, but I'm still not going to implement a non-standard mechanism.

@lminiero
Member

lminiero commented Feb 8, 2023

Please see the PR above and test, thanks.
