feat(proxyproto): add proxy protocol support (#7738)

Signed-off-by: Adphi <philippe.adrien.nousse@gmail.com>

core/dnsserver/config.go

@@ -10,6 +10,8 @@ import (
 	"github.com/coredns/caddy"
 	"github.com/coredns/coredns/plugin"
 	"github.com/coredns/coredns/request"
+
+	"github.com/pires/go-proxyproto"
 )
 
 // Config configuration for a single server.
@@ -66,6 +68,11 @@ type Config struct {
 	// This is nil if not specified, allowing for a default to be used.
 	MaxQUICWorkerPoolSize *int
 
+	// ProxyProtoConnPolicy is the function that will be used to
+	// configure the PROXY protocol settings on listeners.
+	// If nil, PROXY protocol is disabled.
+	ProxyProtoConnPolicy proxyproto.ConnPolicyFunc
+
 	// MaxGRPCStreams defines the maximum number of concurrent streams per gRPC connection.
 	// This is nil if not specified, allowing for a default to be used.
 	MaxGRPCStreams *int

core/dnsserver/server.go

@@ -16,6 +16,7 @@ import (
 	"github.com/coredns/coredns/plugin/metrics/vars"
 	"github.com/coredns/coredns/plugin/pkg/edns"
 	"github.com/coredns/coredns/plugin/pkg/log"
+	cproxyproto "github.com/coredns/coredns/plugin/pkg/proxyproto"
 	"github.com/coredns/coredns/plugin/pkg/rcode"
 	"github.com/coredns/coredns/plugin/pkg/reuseport"
 	"github.com/coredns/coredns/plugin/pkg/trace"
@@ -24,6 +25,7 @@ import (
 
 	"github.com/miekg/dns"
 	ot "github.com/opentracing/opentracing-go"
+	"github.com/pires/go-proxyproto"
 )
 
 // Server represents an instance of a server, which serves
@@ -37,6 +39,8 @@ type Server struct {
 	ReadTimeout  time.Duration // Read timeout for TCP
 	WriteTimeout time.Duration // Write timeout for TCP
 
+	connPolicy proxyproto.ConnPolicyFunc // Proxy Protocol connection policy function
+
 	server [2]*dns.Server // 0 is a net.Listener, 1 is a net.PacketConn (a *UDPConn) in our case.
 	m      sync.Mutex     // protects the servers
 
@@ -123,6 +127,9 @@ func NewServer(addr string, group []*Config) (*Server, error) {
 			}
 		}
 		site.pluginChain = stack
+		if site.ProxyProtoConnPolicy != nil {
+			s.connPolicy = site.ProxyProtoConnPolicy
+		}
 	}
 
 	if !s.debug {
@@ -181,6 +188,9 @@ func (s *Server) Listen() (net.Listener, error) {
 	if err != nil {
 		return nil, err
 	}
+	if s.connPolicy != nil {
+		l = &proxyproto.Listener{Listener: l, ConnPolicy: s.connPolicy}
+	}
 	return l, nil
 }
 
@@ -195,7 +205,9 @@ func (s *Server) ListenPacket() (net.PacketConn, error) {
 	if err != nil {
 		return nil, err
 	}
-
+	if s.connPolicy != nil {
+		p = &cproxyproto.PacketConn{PacketConn: p, ConnPolicy: s.connPolicy}
+	}
 	return p, nil
 }
 

core/dnsserver/server_grpc.go

@@ -15,6 +15,7 @@ import (
 	"github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc"
 	"github.com/miekg/dns"
 	"github.com/opentracing/opentracing-go"
+	"github.com/pires/go-proxyproto"
 	"golang.org/x/net/netutil"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/peer"
@@ -136,6 +137,9 @@ func (s *ServergRPC) Listen() (net.Listener, error) {
 	if err != nil {
 		return nil, err
 	}
+	if s.connPolicy != nil {
+		l = &proxyproto.Listener{Listener: l, ConnPolicy: s.connPolicy}
+	}
 	return l, nil
 }
 

core/dnsserver/server_https.go

@@ -19,6 +19,7 @@ import (
 	"github.com/coredns/coredns/plugin/pkg/reuseport"
 	"github.com/coredns/coredns/plugin/pkg/transport"
 
+	"github.com/pires/go-proxyproto"
 	"golang.org/x/net/netutil"
 )
 
@@ -136,6 +137,9 @@ func (s *ServerHTTPS) Listen() (net.Listener, error) {
 	if err != nil {
 		return nil, err
 	}
+	if s.connPolicy != nil {
+		l = &proxyproto.Listener{Listener: l, ConnPolicy: s.connPolicy}
+	}
 	return l, nil
 }
 

core/dnsserver/server_https3.go

@@ -13,6 +13,7 @@ import (
 	"github.com/coredns/coredns/plugin/metrics/vars"
 	"github.com/coredns/coredns/plugin/pkg/dnsutil"
 	"github.com/coredns/coredns/plugin/pkg/doh"
+	cproxyproto "github.com/coredns/coredns/plugin/pkg/proxyproto"
 	"github.com/coredns/coredns/plugin/pkg/response"
 	"github.com/coredns/coredns/plugin/pkg/reuseport"
 	"github.com/coredns/coredns/plugin/pkg/transport"
@@ -89,7 +90,7 @@ func NewServerHTTPS3(addr string, group []*Config) (*ServerHTTPS3, error) {
 		TLSConfig:       tlsConfig,
 		EnableDatagrams: true,
 		QUICConfig:      qconf,
-		//Logger: stdlog.New(&loggerAdapter{}, "", 0), TODO: Fix it
+		// Logger: stdlog.New(&loggerAdapter{}, "", 0), TODO: Fix it
 	}
 
 	sh := &ServerHTTPS3{
@@ -110,7 +111,14 @@ var _ caddy.GracefulServer = &ServerHTTPS3{}
 
 // ListenPacket opens the UDP socket for QUIC.
 func (s *ServerHTTPS3) ListenPacket() (net.PacketConn, error) {
-	return reuseport.ListenPacket("udp", s.Addr[len(transport.HTTPS3+"://"):])
+	p, err := reuseport.ListenPacket("udp", s.Addr[len(transport.HTTPS3+"://"):])
+	if err != nil {
+		return nil, err
+	}
+	if s.connPolicy != nil {
+		p = &cproxyproto.PacketConn{PacketConn: p, ConnPolicy: s.connPolicy}
+	}
+	return p, nil
 }
 
 // ServePacket starts serving QUIC+HTTP/3 on an existing UDP socket.

core/dnsserver/server_quic.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/coredns/coredns/plugin/metrics/vars"
 	clog "github.com/coredns/coredns/plugin/pkg/log"
+	cproxyproto "github.com/coredns/coredns/plugin/pkg/proxyproto"
 	"github.com/coredns/coredns/plugin/pkg/reuseport"
 	"github.com/coredns/coredns/plugin/pkg/transport"
 
@@ -241,6 +242,10 @@ func (s *ServerQUIC) ListenPacket() (net.PacketConn, error) {
 		return nil, err
 	}
 
+	if s.connPolicy != nil {
+		p = &cproxyproto.PacketConn{PacketConn: p, ConnPolicy: s.connPolicy}
+	}
+
 	s.m.Lock()
 	defer s.m.Unlock()
 

core/dnsserver/server_tls.go

@@ -12,6 +12,7 @@ import (
 	"github.com/coredns/coredns/plugin/pkg/transport"
 
 	"github.com/miekg/dns"
+	"github.com/pires/go-proxyproto"
 )
 
 // ServerTLS represents an instance of a TLS-over-DNS-server.
@@ -79,6 +80,9 @@ func (s *ServerTLS) Listen() (net.Listener, error) {
 	if err != nil {
 		return nil, err
 	}
+	if s.connPolicy != nil {
+		l = &proxyproto.Listener{Listener: l, ConnPolicy: s.connPolicy}
+	}
 	return l, nil
 }
 

core/dnsserver/zdirectives.go

@@ -15,6 +15,7 @@ var Directives = []string{
 	"geoip",
 	"cancel",
 	"tls",
+	"proxyproto",
 	"quic",
 	"grpc_server",
 	"https",