From: Willy Tarreau
Date: Mon, 3 Mar 2025 02:58:46 +0000 (+0100)
Subject: BUG/MINOR: server: check for either proxy-protocol v1 or v2 to send header
X-Git-Tag: v3.0.9~25
X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=ae7a9fa3a3b028c1e3ec99dea9d83b8ca5f4e91f;p=haproxy-3.0.git

BUG/MINOR: server: check for either proxy-protocol v1 or v2 to send header

As reported in issue #2882, using "no-send-proxy-v2" on a server line does not properly disable the use of proxy-protocol if it was enabled in a default-server directive in combination with other PP options. The reason for this is that the sending of a proxy header is determined by a test on srv->pp_opts without any distinction, so disabling PPv2 while leaving other options results in a PPv1 header being sent.

Let's fix this by explicitly testing for the presence of either send-proxy or send-proxy-v2 when deciding to send a proxy header.

This can be backported to all versions. Thanks to Andre Sencioles (@asenci) for reporting the issue and testing the fix.

(cherry picked from commit 730641f7cad32bfff97875716efe4bd784bb006b)
Signed-off-by: Willy Tarreau
(cherry picked from commit 7b2212f5547ba4268a0de7657ec0b9ca18d40445)
Signed-off-by: Amaury Denoyelle
---
diff --git a/include/haproxy/server-t.h b/include/haproxy/server-t.h index a670349..b54fc53 100644 --- a/include/haproxy/server-t.h +++ b/include/haproxy/server-t.h @@ -163,6 +163,7 @@ enum srv_initaddr { /* configured server options for send-proxy (server->pp_opts) */ #define SRV_PP_V1 0x0001 /* proxy protocol version 1 */ #define SRV_PP_V2 0x0002 /* proxy protocol version 2 */ +#define SRV_PP_ENABLED 0x0003 /* proxy protocol version 1 or version 2 */ #define SRV_PP_V2_SSL 0x0004 /* proxy protocol version 2 with SSL */ #define SRV_PP_V2_SSL_CN 0x0008 /* proxy protocol version 2 with CN */ #define SRV_PP_V2_SSL_KEY_ALG 0x0010 /* proxy protocol version 2 with cert key algorithm */ diff --git a/src/backend.c b/src/backend.c index 4fb4cc1..78cc348 100644 
--- a/src/backend.c +++ b/src/backend.c @@ -1440,7 +1440,7 @@ int connect_server(struct stream *s) hash_params.src_addr = bind_addr; /* 5. proxy protocol */ - if (srv && srv->pp_opts) { + if (srv && (srv->pp_opts & SRV_PP_ENABLED)) { proxy_line_ret = make_proxy_line(trash.area, trash.size, srv, cli_conn, s, strm_sess(s)); if (proxy_line_ret) { hash_params.proxy_prehash = @@ -1732,7 +1732,7 @@ skip_reuse: /* process the case where the server requires the PROXY protocol to be sent */ srv_conn->send_proxy_ofs = 0; - if (srv && srv->pp_opts) { + if (srv && (srv->pp_opts & SRV_PP_ENABLED)) { srv_conn->flags |= CO_FL_SEND_PROXY; srv_conn->send_proxy_ofs = 1; /* must compute size */ } diff --git a/src/proto_rhttp.c b/src/proto_rhttp.c index 0bf5bdc..76a3b13 100644 --- a/src/proto_rhttp.c +++ b/src/proto_rhttp.c @@ -83,7 +83,7 @@ static struct connection *new_reverse_conn(struct listener *l, struct server *sr set_host_port(conn->dst, srv->svc_port); conn->send_proxy_ofs = 0; - if (srv->pp_opts) { + if (srv->pp_opts & SRV_PP_ENABLED) { conn->flags |= CO_FL_SEND_PROXY; conn->send_proxy_ofs = 1; /* must compute size */ }
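
Review bot: In include/haproxy/server-t.h, SRV_PP_ENABLED is written as the literal 0x0003 and sits in the middle of the single-bit option flags, so nothing ties it to SRV_PP_V1 and SRV_PP_V2 or marks it as a mask rather than an option that can be set. Defining it as (SRV_PP_V1 | SRV_PP_V2) and saying "mask" in its comment would keep it correct if either bit value ever changes and make it clear it is only meant for testing pp_opts.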
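
Review bot: In src/backend.c the test (srv->pp_opts & SRV_PP_ENABLED) is now open-coded twice in connect_server(), once before make_proxy_line() feeds hash_params.proxy_prehash and once before CO_FL_SEND_PROXY is set, with a third copy in src/proto_rhttp.c. The first decides what goes into the connection hash and the second decides whether the header is actually sent, so the two conditions have to stay identical; a small inline helper placed next to the SRV_PP_* definitions and used at all three sites would guarantee that and prevent a later edit from reintroducing the bare srv->pp_opts test at one of them.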
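
Review bot: In src/proto_rhttp.c, as in the two backend.c hunks, a server whose pp_opts holds only bits outside SRV_PP_ENABLED (for example SRV_PP_V2_SSL inherited from a default-server line after "no-send-proxy-v2") now sends no PROXY header and the remaining option bits are ignored without any trace. That is the intended behaviour per the commit message, but it deserves a one-line comment at the test saying so, and the patch touches no test file: a regression test with the default-server plus "no-send-proxy-v2" configuration from issue #2882 would lock the fix in for the backports.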