feat: Add support for using the original destination port for SNI proxy connections on Linux. #1029
lib/g3-socket/src/raw/mod.rs (outdated)
}

#[cfg(target_os = "linux")]
pub fn original_dst(&self) -> io::Result<SocketAddr> {
This won't be needed, as you have already enabled the transparent socket option.
I would prefer to add a listen_transparent config option (which is Linux specific) to the sni_proxy server, and it will only enable the transparent socket option, leaving other code unchanged.
#[inline]
pub(crate) fn server_port(&self) -> u16 {
    self.cc_info.server_addr().port()
This is the same method as used in the tcp_tproxy server, so there is no need to change this.

Another way is to add a
zh-jq left a comment
Please squash all changes into one so I can rebase and merge this PR.
pub(crate) client_tcp_portmap: ProtocolPortMap,
pub(crate) extra_metrics_tags: Option<Arc<MetricTagMap>>,
pub(crate) allowed_sites: Option<HostMatch<Arc<SniHostConfig>>>,
pub(crate) listen_transparent: bool,

Suggested change:
-pub(crate) listen_transparent: bool,
+#[cfg(target_os = "linux")]
+listen_transparent: bool,
#[cfg(not(any(target_os = "linux", target_os = "android")))]
pub fn tcp_sock_incoming_cpu(&self) -> Option<usize> {
    None
}
lib/g3-socket/src/raw/mod.rs (outdated)

    }
    Ok(())
}
client_tcp_portmap: ProtocolPortMap::tcp_client(),
extra_metrics_tags: None,
allowed_sites: None,
listen_transparent: false,
This also needs the cfg guard.
    self.allowed_sites = Some(allowed_sites);
    Ok(())
}
"listen_transparent" => {
Codecov Report: ❌ Patch coverage is

Additional details and impacted files

@@ Coverage Diff @@
##           master    #1029      +/-   ##
==========================================
+ Coverage   67.66%   67.68%   +0.02%
==========================================
  Files        1432     1432
  Lines      136748   136756       +8
==========================================
+ Hits        92527    92563      +36
+ Misses      44221    44193      -28
@SinghNanak clippy failed, please fix it as suggested.

@zh-jq Could you please re-review?
I wanted to enforce SNI filtering transparently. I tried tcp_tproxy, but it doesn't do that. It can be done with sni_proxy, but it doesn't use the original port when connecting from proxy --> server. I have implemented "use_original_port"; if it's true, cap_net_bind_service is required. I have tried to make sure it won't break any existing configs.
Usage
As sni_proxy supports both HTTP and TLS, I have redirected ports 80 and 443 to a single listening port, and when the proxy connects to upstream it uses the original ports, 80 for HTTP and 443 for HTTPS.
If this functionality could be achieved previously, kindly let me know.
I used the following config previously.
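The transparent-listener behaviour the thread converges on, as an added Rust example that is not g3proxy's own code: it sets IP_TRANSPARENT on the listen socket (Linux only, CAP_NET_ADMIN required), takes the upstream port from the accepted socket's local address the way the existing server_port() does, and demonstrates the pitfall from the PR description, namely that on a plain, non-transparent listener that local port is just the proxy's own listen port rather than the client's original destination. The raw setsockopt FFI and its constants, and the names bind_listener, upstream_target and plain_listener_port_check, are assumptions of this example, not g3proxy APIs.

```rust
// Added example (not g3proxy's own code): what `listen_transparent` buys an
// sni_proxy-style listener on Linux. With IP_TRANSPARENT set and TPROXY rules
// steering port 80/443 flows to the proxy, the accepted socket's local address
// is the client's original destination, so the upstream port can be read from
// it; on a plain listener that same call only yields the proxy's own port.
// `bind_listener`, `upstream_target` and `plain_listener_port_check` are
// illustrative names, not g3proxy APIs.
use std::io;
use std::net::{SocketAddr, TcpListener, TcpStream};

#[cfg(target_os = "linux")]
mod sys {
    use std::os::fd::AsRawFd;
    use std::os::raw::{c_int, c_void};

    // Raw FFI to libc's setsockopt so the example builds with std only
    // (assumption: no libc/socket2 crate available). Values from <linux/in.h>
    // and <linux/in6.h>.
    extern "C" {
        fn setsockopt(fd: c_int, level: c_int, name: c_int, val: *const c_void, len: u32) -> c_int;
    }
    const SOL_IP: c_int = 0;
    const IP_TRANSPARENT: c_int = 19;
    const SOL_IPV6: c_int = 41;
    const IPV6_TRANSPARENT: c_int = 75;

    /// Enable IP_TRANSPARENT / IPV6_TRANSPARENT on a bound socket. Requires
    /// CAP_NET_ADMIN; an unprivileged process gets EPERM (PermissionDenied).
    pub fn set_transparent<S: AsRawFd>(sock: &S, ipv6: bool) -> std::io::Result<()> {
        let one: c_int = 1;
        let (level, name) = if ipv6 {
            (SOL_IPV6, IPV6_TRANSPARENT)
        } else {
            (SOL_IP, IP_TRANSPARENT)
        };
        let rc = unsafe {
            setsockopt(
                sock.as_raw_fd(),
                level,
                name,
                &one as *const c_int as *const c_void,
                std::mem::size_of::<c_int>() as u32,
            )
        };
        if rc == 0 {
            Ok(())
        } else {
            Err(std::io::Error::last_os_error())
        }
    }
}

#[cfg(not(target_os = "linux"))]
mod sys {
    /// The option is Linux-specific, which is why the config field is cfg-gated.
    pub fn set_transparent<S>(_sock: &S, _ipv6: bool) -> std::io::Result<()> {
        Err(std::io::Error::new(
            std::io::ErrorKind::Unsupported,
            "IP_TRANSPARENT is Linux only",
        ))
    }
}

/// Bind the single proxy listen socket. With `listen_transparent` the host's
/// TPROXY rules (e.g. `iptables -t mangle ... -j TPROXY --on-port <port>`)
/// can deliver port 80 and 443 flows to it without rewriting the destination.
pub fn bind_listener(addr: SocketAddr, listen_transparent: bool) -> io::Result<TcpListener> {
    let listener = TcpListener::bind(addr)?;
    if listen_transparent {
        sys::set_transparent(&listener, addr.is_ipv6())?;
    }
    Ok(listener)
}

/// Upstream target for one client connection: the host from SNI (or the HTTP
/// Host header) and the port from the accepted socket's local address. That
/// port is the original destination only on a transparent listener.
pub fn upstream_target(accepted: &TcpStream, sni_host: &str) -> io::Result<(String, u16)> {
    let local = accepted.local_addr()?;
    Ok((sni_host.to_string(), local.port()))
}

/// Shows the pitfall from the PR description: on a plain listener the derived
/// "original" port is just the proxy's listen port. Returns (listen port,
/// derived upstream port); they are equal.
pub fn plain_listener_port_check() -> io::Result<(u16, u16)> {
    let listener = bind_listener("127.0.0.1:0".parse().unwrap(), false)?;
    let listen_addr = listener.local_addr()?;
    let _client = TcpStream::connect(listen_addr)?;
    let (accepted, _) = listener.accept()?;
    let (_, port) = upstream_target(&accepted, "example.com")?;
    Ok((listen_addr.port(), port))
}

fn main() -> io::Result<()> {
    let (listen_port, derived) = plain_listener_port_check()?;
    println!("plain listener: listen port {} -> derived upstream port {}", listen_port, derived);
    match bind_listener("127.0.0.1:0".parse().unwrap(), true) {
        Ok(l) => println!("transparent listener bound on {}", l.local_addr()?),
        Err(e) => println!("listen_transparent failed: {} (needs CAP_NET_ADMIN on Linux)", e),
    }
    Ok(())
}
```

The socket option alone is not enough on a real host: the TPROXY side still has to exist, i.e. mangle-table rules with -j TPROXY --on-port <listen port> for destination ports 80 and 443, plus an ip rule / local route for the tproxy mark so intercepted packets are delivered to the local socket. Only then does local_addr() on the accepted socket carry the client's original port; the example cannot exercise that path without root, which is why it only shows the plain-listener case and the privilege failure of the option itself.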