mirror
/
oragono
mirror of https://github.com/oragono/oragono
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 67 Wiki Activity
Browse Source

documentation updates for proxy v2

tags/v2.5.0-rc1
Shivaram Lingamneni 3 years ago
parent
f30bd2cff0
commit
c57828eb62
4 changed files with 20 additions and 11 deletions
Unified View Show Diff Stats
  1. 2
    3
      default.yaml
  2. 16
    3
      docs/MANUAL.md
  3. 0
    2
      irc/utils/proxy.go
  4. 2
    3
      traditional.yaml

+ 2
- 3
default.yaml View File

53 
                 cert: fullchain.pem
 53 
                 cert: fullchain.pem
54 
                 key: privkey.pem
 54 
                 key: privkey.pem
55 
             # 'proxy' should typically be false. It's for cloud load balancers that
 55 
             # 'proxy' should typically be false. It's for cloud load balancers that
56 
-            # always send PROXY headers ahead of the connection (e.g., a v1 header
57 
-            # ahead of unterminated TLS, or a v2 binary header) that MUST be present
58 
-            # and cannot be processed on an optional basis.
56 
+            # always send a PROXY protocol header ahead of the connection. See the
57 
+            # manual ("Reverse proxies") for more details.
59 
             proxy: false
 58 
             proxy: false
60
59
61 
         # Example of a Unix domain socket for proxying:
 60 
         # Example of a Unix domain socket for proxying:

+ 16
- 3
docs/MANUAL.md View File

497
497
498 
 ## Reverse proxies
 498 
 ## Reverse proxies
499
499
500 
-You may want to configure a reverse proxy, such as nginx, for TLS termination --- for example, because you need to support versions of the TLS protocol that are not implemented natively by Go, or because you want to consolidate your certificate management into a single nginx instance. Oragono supports the [PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) for preserving the end user's IP in this case. To configure a reverse proxy, use the following steps:
500 
+Oragono supports the use of reverse proxies (such as nginx, or a Kubernetes [LoadBalancer](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer)) that sit between it and the client. In these deployments, the [PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) is used to pass the end user's IP through to Oragono. These proxies can be used to terminate TLS externally to Oragono, e.g., if you need to support versions of the TLS protocol that are not implemented natively by Go, or if you want to consolidate your certificate management into a single nginx instance.
501 
+
502 
+The first step is to add the reverse proxy's IP to `proxy-allowed-from` and `ip-limits.exempted`. (Use `localhost` to exempt all loopback IPs and Unix domain sockets.)
503 
+
504 
+After that, there are two possibilities:
505 
+
506 
+* If you're using a proxy like nginx or stunnel that terminates TLS, then forwards a PROXY v1 (ASCII) header ahead of a plaintext connection, no further Oragono configuration is required. You need only configure your proxy to send the PROXY header. Here's an [example nginx config](https://github.com/oragono/testnet.oragono.io/blob/master/nginx_stream.conf).
507 
+* If you're using a cloud load balancer that either sends a PROXY v1 header ahead of unterminated TLS (like [DigitalOcean](https://www.digitalocean.com/docs/networking/load-balancers/#proxy-protocol)) or sends a PROXY v2 (binary) header (like the [AWS "Network Load Balancer"](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#proxy-protocol)), Oragono must be configured to expect a PROXY header ahead of the connection. Add `proxy: true` to the listener config block, e.g.,
508 
+
509 
+```yaml
510 
+        ":6697":
511 
+            tls:
512 
+                cert: fullchain.pem
513 
+                key: privkey.pem
514 
+            proxy: true
515 
+```
501
516
502 
-1. Add the reverse proxy's IP to `proxy-allowed-from` and `ip-limits.exempted`. (Use `localhost` to exempt all loopback IPs and Unix domain sockets.)
503 
-1. Configure your reverse proxy to connect to an appropriate Oragono listener and send the PROXY line. In this [example nginx config](https://github.com/darwin-network/slash/commit/aae9ba08d70128eb4b700cade333fe824a53562d), nginx connects to Oragono via a Unix domain socket.
504
517
505 
 ## Client certificates
 518 
 ## Client certificates
506
519

+ 0
- 2
irc/utils/proxy.go View File

14 
 	"time"
 14 
 	"time"
15 
 )
 15 
 )
16
16
17 
-// TODO: handle PROXY protocol v2 (the binary protocol)
18 
-
19 
 const (
 17 
 const (
20 
 	// https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
 18 
 	// https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
21 
 	// "a 108-byte buffer is always enough to store all the line and a trailing zero
 19 
 	// "a 108-byte buffer is always enough to store all the line and a trailing zero

+ 2
- 3
traditional.yaml View File

27 
                 cert: fullchain.pem
 27 
                 cert: fullchain.pem
28 
                 key: privkey.pem
 28 
                 key: privkey.pem
29 
             # 'proxy' should typically be false. It's for cloud load balancers that
 29 
             # 'proxy' should typically be false. It's for cloud load balancers that
30 
-            # always send PROXY headers ahead of the connection (e.g., a v1 header
31 
-            # ahead of unterminated TLS, or a v2 binary header) that MUST be present
32 
-            # and cannot be processed on an optional basis.
30 
+            # always send a PROXY protocol header ahead of the connection. See the
31 
+            # manual ("Reverse proxies") for more details.
33 
             proxy: false
 32 
             proxy: false
34
33
35 
         # Example of a Unix domain socket for proxying:
 34 
         # Example of a Unix domain socket for proxying:

Write Preview
Loading…
Cancel
Save