feat(proxyproto): add proxy protocol support (#7738)

Signed-off-by: Adphi <philippe.adrien.nousse@gmail.com>
2026-02-13 02:43:10 -05:00 · 2026-02-11 02:14:05 +01:00
parent a100d0cca4
commit e9c0db32dc
15 changed files with 389 additions and 3 deletions
--- a/plugin/proxyproto/setup.go
+++ b/plugin/proxyproto/setup.go
@@ -0,0 +1,81 @@
+package proxyproto
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"strings"
+
+	"github.com/coredns/caddy"
+	"github.com/coredns/coredns/core/dnsserver"
+	"github.com/coredns/coredns/plugin"
+
+	"github.com/pires/go-proxyproto"
+)
+
+func init() { plugin.Register("proxyproto", setup) }
+
+func setup(c *caddy.Controller) error {
+	config := dnsserver.GetConfig(c)
+	if config.ProxyProtoConnPolicy != nil {
+		return plugin.Error("proxyproto", errors.New("proxy protocol already configured for this server instance"))
+	}
+	var (
+		allowedIPNets []*net.IPNet
+		policy        = proxyproto.IGNORE
+	)
+	for c.Next() {
+		args := c.RemainingArgs()
+		if len(args) != 0 {
+			return plugin.Error("proxyproto", c.ArgErr())
+		}
+		for c.NextBlock() {
+			switch c.Val() {
+			case "allow":
+				for _, v := range c.RemainingArgs() {
+					_, ipnet, err := net.ParseCIDR(v)
+					if err != nil {
+						return plugin.Error("proxyproto", fmt.Errorf("%s: %w", v, err))
+					}
+					allowedIPNets = append(allowedIPNets, ipnet)
+				}
+			case "default":
+				v := c.RemainingArgs()
+				if len(v) != 1 {
+					return plugin.Error("proxyproto", c.ArgErr())
+				}
+				switch strings.ToLower(v[0]) {
+				case "use":
+					policy = proxyproto.USE
+				case "ignore":
+					policy = proxyproto.IGNORE
+				case "reject":
+					policy = proxyproto.REJECT
+				case "skip":
+					policy = proxyproto.SKIP
+				default:
+					return plugin.Error("proxyproto", c.ArgErr())
+				}
+			default:
+				return c.Errf("unknown option '%s'", c.Val())
+			}
+		}
+	}
+	config.ProxyProtoConnPolicy = func(connPolicyOptions proxyproto.ConnPolicyOptions) (proxyproto.Policy, error) {
+		if len(allowedIPNets) == 0 {
+			return proxyproto.USE, nil
+		}
+		h, _, _ := net.SplitHostPort(connPolicyOptions.Upstream.String())
+		ip := net.ParseIP(h)
+		if ip == nil {
+			return proxyproto.REJECT, nil
+		}
+		for _, ipnet := range allowedIPNets {
+			if ipnet.Contains(ip) {
+				return proxyproto.USE, nil
+			}
+		}
+		return policy, nil
+	}
+	return nil
+}