fix #561, take 2

irc/client.go

 }
 
 // RunClient sets up a new client and runs its goroutine.
-func (server *Server) RunClient(conn clientConn) {
+func (server *Server) RunClient(conn clientConn, proxyLine string) {
 	var isBanned bool
 	var banMsg string
 	var realIP net.IP
 	client.proxiedIP = session.proxiedIP
 
 	server.stats.Add()
-	client.run(session)
+	client.run(session, proxyLine)
 }
 
 func (client *Client) doIdentLookup(conn net.Conn) {
 	return languageManager.Translate(client.Languages(), originalString)
 }
 
-//
-// command goroutine
-//
-
-func (client *Client) run(session *Session) {
+// main client goroutine: read lines and execute the corresponding commands
+// `proxyLine` is the PROXY-before-TLS line, if there was one
+func (client *Client) run(session *Session, proxyLine string) {
 
 	defer func() {
 		if r := recover(); r != nil {
 	for {
 		maxlenRest := session.MaxlenRest()
 
-		line, err := session.socket.Read()
+		var line string
+		var err error
+		if proxyLine == "" {
+			line, err = session.socket.Read()
+		} else {
+			line = proxyLine // pretend we're just now receiving the proxy-before-TLS line
+			proxyLine = ""
+		}
 		if err != nil {
 			quitMessage := "connection closed"
 			if err == errReadQ {
 			break
 		} else if session.client != client {
 			// bouncer reattach
-			go session.client.run(session)
+			go session.client.run(session, "")
 			break
 		}
 	}

irc/config.go

 
 // TLSListenConfig defines configuration options for listening on TLS.
 type TLSListenConfig struct {
-	Cert string
-	Key  string
+	Cert  string
+	Key   string
+	Proxy bool
 }
 
 // This is the YAML-deserializable type of the value of the `Server.Listeners` map
 // listenerConfig is the config governing a particular listener (bound address),
 // in particular whether it has TLS or Tor (or both) enabled.
 type listenerConfig struct {
-	TLSConfig *tls.Config
-	IsTor     bool
-	IsSTSOnly bool
+	TLSConfig  *tls.Config
+	IsTor      bool
+	IsSTSOnly  bool
+	IsTLSProxy bool
 }
 
 type AccountConfig struct {
 					return err
 				}
 				lconf.TLSConfig = tlsConfig
+				lconf.IsTLSProxy = block.TLS.Proxy
 			}
 			listeners[addr] = lconf
 		}
 		return nil, err
 	}
 
+	err = config.prepareListeners()
+	if err != nil {
+		return nil, fmt.Errorf("failed to prepare listeners: %v", err)
+	}
+
 	return config, nil
 }

irc/gateways.go

 	"fmt"
 	"net"
 	"strings"
+	"time"
 
 	"github.com/oragono/oragono/irc/modes"
 	"github.com/oragono/oragono/irc/utils"
 	errBadProxyLine      = errors.New("Invalid PROXY/WEBIRC command")
 )
 
+const (
+	// https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+	// "a 108-byte buffer is always enough to store all the line and a trailing zero
+	// for string processing."
+	maxProxyLineLen = 107
+)
+
 type webircConfig struct {
 	PasswordString string `yaml:"password"`
 	Password       []byte `yaml:"password-bytes"`
 
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
-	session.proxiedIP = parsedProxiedIP
 	client.proxiedIP = parsedProxiedIP
-	session.rawHostname = rawHostname
 	client.rawHostname = rawHostname
+	session.proxiedIP = parsedProxiedIP
+	session.rawHostname = rawHostname
 	client.cloakedHostname = cloakedHostname
 	// nickmask will be updated when the client completes registration
 	// set tls info
 		return errBadGatewayAddress
 	}
 }
+
+// read a PROXY line one byte at a time, to ensure we don't read anything beyond
+// that into a buffer, which would break the TLS handshake
+func readRawProxyLine(conn net.Conn) (result string) {
+	// normally this is covered by ping timeouts, but we're doing this outside
+	// of the normal client goroutine:
+	conn.SetDeadline(time.Now().Add(time.Minute))
+	defer conn.SetDeadline(time.Time{})
+
+	var buf [maxProxyLineLen]byte
+	oneByte := make([]byte, 1)
+	i := 0
+	for i < maxProxyLineLen {
+		n, err := conn.Read(oneByte)
+		if err != nil {
+			return
+		} else if n == 1 {
+			buf[i] = oneByte[0]
+			if buf[i] == '\n' {
+				candidate := string(buf[0 : i+1])
+				if strings.HasPrefix(candidate, "PROXY") {
+					return candidate
+				} else {
+					return
+				}
+			}
+			i += 1
+		}
+	}
+
+	// no \r\n, fail out
+	return
+}

irc/server.go

 				listener.Close()
 				return
 			} else if err == nil {
+				var proxyLine string
+				if conf.IsTLSProxy {
+					proxyLine = readRawProxyLine(conn)
+					if proxyLine == "" {
+						server.logger.Error("internal", "bad TLS-proxy line from", addr)
+						conn.Close()
+						continue
+					}
+				}
 				if conf.TLSConfig != nil {
 					conn = tls.Server(conn, conf.TLSConfig)
 				}
 					Config: conf,
 				}
 				// hand off the connection
-				go server.RunClient(newConn)
+				go server.RunClient(newConn, proxyLine)
 			} else {
 				server.logger.Error("internal", "accept error", addr, err.Error())
 			}
 func (server *Server) setupListeners(config *Config) (err error) {
 	logListener := func(addr string, config listenerConfig) {
 		server.logger.Info("listeners",
-			fmt.Sprintf("now listening on %s, tls=%t, tor=%t.", addr, (config.TLSConfig != nil), config.IsTor),
+			fmt.Sprintf("now listening on %s, tls=%t, tlsproxy=%t, tor=%t.", addr, (config.TLSConfig != nil), config.IsTLSProxy, config.IsTor),
 		)
 	}
 

oragono.yaml

             tls:
                 key: tls.key
                 cert: tls.crt
+                # 'proxy' should typically be false. It's only for Kubernetes-style load
+                # balancing that does not terminate TLS, but sends an initial PROXY line
+                # in plaintext.
+                proxy: false
 
         # Example of a Unix domain socket for proxying:
         # "/tmp/oragono_sock":