Go Proxyproto Versions

A Go library implementation of the PROXY protocol, versions 1 and 2.

v0.7.0

1 year ago

What's Changed

New Contributors

Full Changelog: https://github.com/pires/go-proxyproto/compare/v0.6.2...v0.7.0

v0.6.2

2 years ago
  • Fix race-condition in SetDeadline (#87) thanks to @mschneider82 for the fix

v0.6.1

2 years ago

Bugfixes

  • Critical: Reset read deadline after parsing header (#76) thanks a ton to @antoniomika and a bunch of other folks who contributed to finding the solution

Improvements

  • Introduce TLV parsing for Google Cloud extensions (#81) thanks to @igor-kupczynski

v0.6.0

2 years ago

Bugfixes

None

Improvements

  • Prevent potentially malicious client(s) from opening connections and not sending the PROXY protocol header, which could lead to DoS as the server would hold those socket descriptors open indefinitely, eventually running out of resources. The solution is to set a read deadline when waiting for the PROXY protocol header (#74) thanks a lot to @unmarshal

v0.5.0

3 years ago

Bugfixes

The two bugs addressed below are considered serious security issues that can lead to DoS. I cannot express how thankful I am for @isedev for sharing the problem and the solution <3

  • v1: enforce header maximum size of 107 bytes to avoid unbounded memory consumption (#71)
  • v1: sender must always ensure that the header is sent at once to avoid a slow loris attack (#71)
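
The DoS hardening described in v0.5.0, v0.6.0 and v0.6.1 comes down to three server-side rules: wait for the header under a read deadline, never buffer more than 107 bytes of v1 header, and clear the deadline once parsing ends. The following is an added example, not go-proxyproto's own code; `ReadV1HeaderLine` and `ErrHeaderTooLong` are hypothetical names, and the connection in `main` is a constructed in-memory pipe.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

// maxV1HeaderLen is the v1 header size limit cited in the v0.5.0 notes.
const maxV1HeaderLen = 107

// ErrHeaderTooLong is a hypothetical error name used only in this example.
var ErrHeaderTooLong = errors.New("v1 header exceeds 107 bytes")

// ReadV1HeaderLine (hypothetical helper) reads one CRLF-terminated PROXY v1
// line under a read deadline and never buffers more than maxV1HeaderLen bytes.
func ReadV1HeaderLine(conn net.Conn, timeout time.Duration) (string, error) {
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return "", err
	}
	// Clear the deadline on every exit path so that later payload reads
	// are not cut off by the header timeout.
	defer conn.SetReadDeadline(time.Time{})

	buf := make([]byte, 0, maxV1HeaderLen)
	one := make([]byte, 1)
	for len(buf) < maxV1HeaderLen {
		// Byte-wise reads keep payload bytes after the CRLF on the connection.
		if _, err := io.ReadFull(conn, one); err != nil {
			return "", err // includes deadline expiry for a silent client
		}
		buf = append(buf, one[0])
		if bytes.HasSuffix(buf, []byte("\r\n")) {
			if !bytes.HasPrefix(buf, []byte("PROXY ")) {
				return "", errors.New("not a PROXY v1 header")
			}
			return string(buf[:len(buf)-2]), nil
		}
	}
	return "", ErrHeaderTooLong // cap reached without seeing CRLF
}

func main() {
	server, client := net.Pipe() // constructed in-memory connection pair
	go client.Write([]byte("PROXY TCP4 192.0.2.1 192.0.2.2 51000 443\r\nGET /"))
	line, err := ReadV1HeaderLine(server, time.Second)
	fmt.Printf("%q %v\n", line, err)
}
```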

Improvements

  • Add PP2_TYPE_UNIQUE_ID (#67) thanks to @TimWolla
  • Add ReadFrom/WriteTo to increase performance when proxying wrapped connections using io.Copy (#68) thanks to @databus23

v0.4.2

3 years ago

Bugfixes

  • v1: fix command always LOCAL (#64) thanks to @bohanyang

Documentation

  • Fix LICENSE (#66)

v0.4.1

3 years ago

Bugfixes

  • v2: respect length and any TLVs when UNSPEC (#62) thanks to @bohanyang

v0.4.0

3 years ago

Announcement

First, the master branch has been renamed to main. Assuming your local copy has this repo as remote origin, execute the following commands:

git branch -m master main
git fetch origin

Optionally, if you're tracking this instead of a fork:

git branch -u origin/main main

Breaking changes

  • Replaced v1 throwing ErrCantReadProtocolVersionAndCommand with:
    • ErrLineMustEndWithCrlf when the issue is the line doesn't end with \r\n, which is required as per spec, and
    • ErrCantReadAddressFamilyAndProtocol when inet family and transport protocol are not TCP4, TCP6 or UNKNOWN, as per spec. Also, if not UNKNOWN, address information is required.

Improvements

  • Support parsing v1 PROXY UNKNOWN (#61) This has been quietly introduced in the spec while we were not watching.
  • Support v2 inet family and transport protocol UNSPEC but only when command is LOCAL (#61) For more information, read #60. Thank you to @bohanyang for the detailed description.

v0.3.3

3 years ago

Bug-fixes

  • Fixed incorrect truncated tlv error that prevents reading empty (0 byte) TLVs (#57) thanks to @astromechza

Improvements

  • Introducing a raw connection getter (#55) thanks to @guysv

Special thanks to @emersion for the invaluable help reviewing the changes above.

v0.3.2

3 years ago

Improvements

  • Access the full PROXY header (#52)
  • Don't error when doing TLS but clients do not present a TLS certificate (#53)

Once again, thank you very much to @emersion for their contributions! 🎉