MINOR: proxy/http_ext: introduce proxy forwarded option

Introducing http_ext class for http extension related work that
doesn't fit into existing http classes.

HTTP extension "forwarded", introduced with 7239 RFC is now supported
by haproxy.

The option supports various modes from simple to complex usages involving
custom sample expressions.

  Examples :

    # Those servers want the ip address and protocol of the client request
    # Resulting header would look like this:
    #   forwarded: proto=http;for=127.0.0.1
    backend www_default
        mode http
        option forwarded
        #equivalent to: option forwarded proto for

    # Those servers want the requested host and hashed client ip address
    # as well as client source port (you should use seed for xxh32 if ensuring
    # ip privacy is a concern)
    # Resulting header would look like this:
    #   forwarded: host="haproxy.org";for="_000000007F2F367E:60138"
    backend www_host
        mode http
        option forwarded host for-expr src,xxh32,hex for_port

    # Those servers want custom data in host, for and by parameters
    # Resulting header would look like this:
    #   forwarded: host="host.com";by=_haproxy;for="[::1]:10"
    backend www_custom
        mode http
        option forwarded host-expr str(host.com) by-expr str(_haproxy) for for_port-expr int(10)

    # Those servers want random 'for' obfuscated identifiers for request
    # tracing purposes while protecting sensitive IP information
    # Resulting header would look like this:
    #   forwarded: for=_000000002B1F4D63
    backend www_for_hide
        mode http
        option forwarded for-expr rand,hex

By default (no argument provided), forwarded option will try to mimic
x-forward-for common setups (source client ip address + source protocol)

The option is not available for frontends.
no option forwarded is supported.

More info about 7239 RFC here: https://www.rfc-editor.org/rfc/rfc7239.html

More info about the feature in doc/configuration.txt

This should address feature request GH #575

Depends on:
  - "MINOR: http_htx: add http_append_header() to append value to header"
  - "MINOR: sample: add ARGC_OPT"
  - "MINOR: proxy: introduce http only options"

Makefile

@@ -913,7 +913,7 @@ OBJS += src/mux_h2.o src/mux_fcgi.o src/mux_h1.o src/tcpcheck.o               \
         src/tcp_rules.o src/sink.o src/h1_htx.o src/task.o src/mjson.o        \
         src/h2.o src/filters.o src/server_state.o src/payload.o               \
         src/fcgi-app.o src/map.o src/htx.o src/h1.o src/pool.o                \
-        src/cfgparse-global.o src/trace.o src/tcp_sample.o                    \
+        src/cfgparse-global.o src/trace.o src/tcp_sample.o src/http_ext.o     \
         src/flt_http_comp.o src/mux_pt.o src/flt_trace.o src/mqtt.o           \
         src/acl.o src/sock.o src/mworker.o src/tcp_act.o src/ring.o           \
         src/session.o src/proto_tcp.o src/fd.o src/channel.o src/activity.o   \

doc/configuration.txt

@@ -4202,6 +4202,7 @@ option dontlog-normal                (*)  X          X         X         -
 option dontlognull                   (*)  X          X         X         -
 -- keyword -------------------------- defaults - frontend - listen -- backend -
 option forwardfor                         X          X         X         X
+option forwarded                     (*)  X          -         X         X
 option h1-case-adjust-bogus-client   (*)  X          X         X         -
 option h1-case-adjust-bogus-server   (*)  X          -         X         X
 option http-buffer-request           (*)  X          X         X         X
@@ -9059,6 +9060,140 @@ no option dontlognull
   See also : "log", "http-ignore-probes", "monitor-uri", and
              section 8 about logging.
 
+option forwarded [ proto ]
+                 [ host | host-expr <host_expr> ]
+                 [ by | by-expr <by_expr> ] [ by_port | by_port-expr <by_port_expr>]
+                 [ for | for-expr <for_expr> ] [ for_port | for_port-expr <for_port_expr>]
+no option forwarded
+  Enable insertion of the rfc 7239 forwarded header in requests sent to servers
+  May be used in sections :   defaults | frontend | listen | backend
+                                 yes   |    no    |   yes  |   yes
+  Arguments :
+    <host_expr>     optional argument to specify a custom sample expression
+                    those result will be used as 'host' parameter value
+
+    <by_expr>       optional argument to specicy a custom sample expression
+                    those result will be used as 'by' parameter nodename value
+
+    <for_expr>      optional argument to specicy a custom sample expression
+                    those result will be used as 'for' parameter nodename value
+
+    <by_port_expr>  optional argument to specicy a custom sample expression
+                    those result will be used as 'by' parameter nodeport value
+
+    <for_port_expr> optional argument to specicy a custom sample expression
+                    those result will be used as 'for' parameter nodeport value
+
+
+  Since HAProxy works in reverse-proxy mode, servers are loosing some request
+  context (request origin: client ip address, protocol used...)
+
+  A common way to address this limitation is to use the well known
+  x-forward-for and x-forward-* friends to expose some of this context to the
+  underlying servers/applications.
+  While this use to work and is widely deployed, it is not officially supported
+  by the IETF and can be the root of some interoperability as well as security
+  issues.
+
+  To solve this, a new HTTP extension has been described by the IETF:
+  forwarded header (RFC7239).
+  More information here: https://www.rfc-editor.org/rfc/rfc7239.html
+
+  The use of this single header allow to convey multiple informations
+  within the same header, and most importantly, fixes the proxy chaining
+  issue. (the rfc allows for multiple chained proxies to append their own
+  values to an already existing header).
+
+  This option may be specified in defaults, listen or backend section, but it
+  will be ignored for frontend sections.
+
+  Setting option forwarded without arguments results in using default implicit
+  behavior.
+  Default behavior enables proto parameter and injects original client ip.
+
+  The equivalent explicit/manual configuration would be:
+	option forwarded proto for
+
+  The keyword 'by' is used to enable 'by' parameter ("nodename") in
+  forwarded header. It allows to embed request proxy information.
+  'by' value will be set to proxy ip (destination address)
+  If not available (ie: UNIX listener), 'by' will be set to
+  "unknown".
+
+  The keyword 'by-expr' is used to enable 'by' parameter ("nodename") in
+  forwarded header. It allows to embed request proxy information.
+  'by' value will be set to the result of the sample expression
+  <by_expr>, if valid, otherwise it will be set to "unknown".
+
+  The keyword 'for' is used to enable 'for' parameter ("nodename") in
+  forwarded header. It allows to embed request client information.
+  'for' value will be set to client ip (source address)
+  If not available (ie: UNIX listener), 'for' will be set to
+  "unknown".
+
+  The keyword 'for-expr' is used to enable 'for' parameter ("nodename") in
+  forwarded header. It allows to embed request client information.
+  'for' value will be set to the result of the sample expression
+  <for_expr>, if valid, otherwise it will be set to "unknown".
+
+  The keyword 'by_port' is used to provide "nodeport" info to
+  'by' parameter. 'by_port' requires 'by' or 'by-expr' to be set or
+  it will be ignored.
+  "nodeport" will be set to proxy (destination) port if available,
+  otherwise it will be ignored.
+
+  The keyword 'by_port-expr' is used to provide "nodeport" info to
+  'by' parameter. 'by_port-expr' requires 'by' or 'by-expr' to be set or
+  it will be ignored.
+  "nodeport" will be set to the result of the sample expression
+  <by_port_expr>, if valid, otherwise it will be ignored.
+
+  The keyword 'for_port' is used to provide "nodeport" info to
+  'for' parameter. 'for_port' requires 'for' or 'for-expr' to be set or
+  it will be ignored.
+  "nodeport" will be set to client (source) port if available,
+  otherwise it will be ignored.
+
+  The keyword 'for_port-expr' is used to provide "nodeport" info to
+  'for' parameter. 'for_port-expr' requires 'for' or 'for-expr' to be set or
+  it will be ignored.
+  "nodeport" will be set to the result of the sample expression
+  <for_port_expr>, if valid, otherwise it will be ignored.
+
+  Examples :
+    # Those servers want the ip address and protocol of the client request
+    # Resulting header would look like this:
+    #   forwarded: proto=http;for=127.0.0.1
+    backend www_default
+        mode http
+        option forwarded
+        #equivalent to: option forwarded proto for
+
+    # Those servers want the requested host and hashed client ip address
+    # as well as client source port (you should use seed for xxh32 if ensuring
+    # ip privacy is a concern)
+    # Resulting header would look like this:
+    #   forwarded: host="haproxy.org";for="_000000007F2F367E:60138"
+    backend www_host
+        mode http
+        option forwarded host for-expr src,xxh32,hex for_port
+
+    # Those servers want custom data in host, for and by parameters
+    # Resulting header would look like this:
+    #   forwarded: host="host.com";by=_haproxy;for="[::1]:10"
+    backend www_custom
+        mode http
+        option forwarded host-expr str(host.com) by-expr str(_haproxy) for for_port-expr int(10)
+
+    # Those servers want random 'for' obfuscated identifiers for request
+    # tracing purposes while protecting sensitive IP information
+    # Resulting header would look like this:
+    #   forwarded: for=_000000002B1F4D63
+    backend www_for_hide
+        mode http
+        option forwarded for-expr rand,hex
+
+  See also : "option forwardfor", "option originalto"
 
 option forwardfor [ except <network> ] [ header <name> ] [ if-none ]
   Enable insertion of the X-Forwarded-For header to requests sent to servers

include/haproxy/http_ext-t.h

@@ -0,0 +1,113 @@
+/*
+ * include/haproxy/http_ext-t.h
+ * Version-agnostic and implementation-agnostic HTTP extensions definitions
+ *
+ * Copyright 2022 HAProxy Technologies
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation, version 2.1
+ * exclusively.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef _HAPROXY_HTTPEXT_T_H
+#define _HAPROXY_HTTPEXT_T_H
+
+#include <arpa/inet.h>
+#include <import/ist.h>
+#include <haproxy/tools-t.h>
+
+enum forwarded_header_attribute_type {
+	FORWARDED_HEADER_UNK    = 0,
+	FORWARDED_HEADER_OBFS   = 1,
+	FORWARDED_HEADER_PORT   = 2,
+	FORWARDED_HEADER_IP     = 3,
+};
+
+struct forwarded_header_nodename {
+	union {
+		struct sockaddr_storage ip;
+		struct ist obfs;
+	};
+	enum forwarded_header_attribute_type type;
+};
+
+struct forwarded_header_nodeport {
+	union {
+		uint16_t port;
+		struct ist obfs;
+	};
+	enum forwarded_header_attribute_type type;
+};
+
+struct forwarded_header_node {
+	struct forwarded_header_nodename nodename;
+	struct forwarded_header_nodeport nodeport;
+	struct ist raw;
+};
+
+enum forwarded_header_proto {
+	FORWARDED_HEADER_HTTP   = 1,
+	FORWARDED_HEADER_HTTPS  = 2
+};
+
+struct forwarded_header_ctx {
+	struct forwarded_header_node nfor;
+	struct forwarded_header_node nby;
+	struct ist host;
+	enum forwarded_header_proto proto;
+};
+
+enum http_ext_7239_forby_mode {
+	HTTP_7239_FORBY_ORIG   = 1,
+	HTTP_7239_FORBY_SMP    = 2
+};
+struct http_ext_7239_forby {
+	/* nn = nodename, np = nodeport */
+	char                          *nn_expr_s;
+	struct sample_expr            *nn_expr;
+	char                          *np_expr_s;
+	struct sample_expr            *np_expr;
+	enum http_ext_7239_forby_mode nn_mode;
+	enum http_ext_7239_forby_mode np_mode;
+};
+
+enum http_ext_7239_host_mode {
+	HTTP_7239_HOST_ORIG = 1,
+	HTTP_7239_HOST_SMP  = 2
+};
+struct http_ext_7239_host {
+	char                         *expr_s;
+	struct sample_expr           *expr;
+	enum http_ext_7239_host_mode mode;
+};
+
+struct http_ext_7239 {
+	/* forwarded header parameters options */
+	struct http_ext_7239_forby p_for;
+	struct http_ext_7239_forby p_by;
+	struct http_ext_7239_host  p_host;
+	uint8_t                    p_proto;
+	/* config error hints, used only during configuration parsing */
+	char                       *c_file;
+	int                        c_line;
+};
+
+enum forwarded_header_field {
+	FORWARDED_HEADER_FOR    = 0x01,
+	FORWARDED_HEADER_BY     = 0x02,
+	FORWARDED_HEADER_HOST   = 0x04,
+	FORWARDED_HEADER_PROTO  = 0x08,
+	FORWARDED_HEADER_ALL	= FORWARDED_HEADER_FOR|FORWARDED_HEADER_BY|FORWARDED_HEADER_HOST|FORWARDED_HEADER_PROTO
+};
+
+#endif /* !_HAPROXY_HTTPEXT_T_H */

include/haproxy/http_ext.h

@@ -0,0 +1,41 @@
+/*
+ * include/haproxy/http_ext.h
+ * Functions for Version-agnostic and implementation-agnostic HTTP extensions
+ *
+ * Copyright 2022 HAProxy Technologies
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation, version 2.1
+ * exclusively.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef _HAPROXY_HTTPEXT_H
+#define _HAPROXY_HTTPEXT_H
+
+#include <haproxy/http_ext-t.h>
+#include <haproxy/channel-t.h>
+#include <haproxy/proxy-t.h>
+#include <haproxy/stream-t.h>
+
+int http_validate_7239_header(struct ist hdr, int required_steps, struct forwarded_header_ctx *ctx);
+
+int http_handle_7239_header(struct stream *s, struct channel *req);
+
+void http_ext_7239_clean(struct http_ext_7239 *);
+
+void http_ext_7239_copy(struct http_ext_7239 *dest, const struct http_ext_7239 *orig);
+
+int proxy_http_parse_7239(char **args, int cur_arg, struct proxy *curproxy, const struct proxy *defpx, const char *file, int linenum);
+int proxy_http_compile_7239(struct proxy *curproxy);
+
+#endif /* !_HAPROXY_HTTPEXT_H */

include/haproxy/proxy-t.h

@@ -43,6 +43,7 @@
 #include <haproxy/thread-t.h>
 #include <haproxy/tools-t.h>
 #include <haproxy/uri_auth-t.h>
+#include <haproxy/http_ext-t.h>
 
 /* values for proxy->mode */
 enum pr_mode {
@@ -100,7 +101,7 @@ enum PR_SRV_STATE_FILE {
 #define PR_O_TCP_CLI_KA 0x00040000      /* enable TCP keep-alive on client-side streams */
 #define PR_O_TCP_SRV_KA 0x00080000      /* enable TCP keep-alive on server-side streams */
 #define PR_O_USE_ALL_BK 0x00100000      /* load-balance between backup servers */
-/* unused: 0x00020000 */
+#define PR_O_HTTP_7239  0x00200000      /* insert 7239 forwarded header */
 #define PR_O_TCP_NOLING 0x00400000      /* disable lingering on client and server connections */
 #define PR_O_ABRT_CLOSE 0x00800000      /* immediately abort request when client closes */
 
@@ -268,6 +269,8 @@ struct error_snapshot {
 
 /* http options */
 struct proxy_http {
+	/* forwarded header (RFC 7239) */
+	struct http_ext_7239       fwd;
 };
 
 struct proxy {

src/cfgparse-listen.c

@@ -20,6 +20,7 @@
 #include <haproxy/extcheck.h>
 #include <haproxy/http_ana.h>
 #include <haproxy/http_htx.h>
+#include <haproxy/http_ext.h>
 #include <haproxy/http_rules.h>
 #include <haproxy/listener.h>
 #include <haproxy/log.h>
@@ -61,7 +62,7 @@ static const char *common_options[] = {
 	"redispatch", "httplog", "tcplog", "tcpka", "httpchk",
 	"ssl-hello-chk", "smtpchk", "pgsql-check", "redis-check",
 	"mysql-check", "ldap-check", "spop-check", "tcp-check",
-	"external-check", "forwardfor", "original-to",
+	"external-check", "forwardfor", "original-to", "forwarded",
 	NULL /* must be last */
 };
 
@@ -2031,6 +2032,16 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 			err_code |= ERR_ALERT | ERR_FATAL;
 			goto out;
 		}
+		else if (strcmp(args[1], "forwarded") == 0) {
+			if (kwm == KWM_STD) {
+				err_code |= proxy_http_parse_7239(args, 0, curproxy, curr_defproxy, file, linenum);
+				goto out;
+			}
+			else if (kwm == KWM_NO) {
+				curproxy->options &= ~PR_O_HTTP_7239;
+				goto out;
+			}
+		}
 
 		/* Redispatch can take an integer argument that control when the
 		 * resispatch occurs. All values are relative to the retries option.

src/cfgparse.c

@@ -59,6 +59,7 @@
 #include <haproxy/global.h>
 #include <haproxy/http_ana.h>
 #include <haproxy/http_rules.h>
+#include <haproxy/http_ext.h>
 #include <haproxy/lb_chash.h>
 #include <haproxy/lb_fas.h>
 #include <haproxy/lb_fwlc.h>
@@ -3669,6 +3670,9 @@ int check_config_validity()
 			else
 				curproxy->http_needed |= !!(curproxy->lbprm.expr->fetch->use & SMP_USE_HTTP_ANY);
 		}
+		/* option "forwarded" may need to compile its expressions */
+		if ((curproxy->mode == PR_MODE_HTTP) && curproxy->options & PR_O_HTTP_7239)
+			cfgerr += proxy_http_compile_7239(curproxy);
 
 		/* only now we can check if some args remain unresolved.
 		 * This must be done after the users and groups resolution.
@@ -3964,6 +3968,13 @@ int check_config_validity()
 				err_code |= ERR_WARN;
 			}
 
+			if (curproxy->options & PR_O_HTTP_7239) {
+				ha_warning("'option %s' ignored for %s '%s' as it requires HTTP mode.\n",
+					   "forwarded", proxy_type_str(curproxy), curproxy->id);
+				err_code |= ERR_WARN;
+				curproxy->options &= ~PR_O_HTTP_7239;
+			}
+
 			if (curproxy->options & (PR_O_FWDFOR | PR_O_FF_ALWAYS)) {
 				ha_warning("'option %s' ignored for %s '%s' as it requires HTTP mode.\n",
 					   "forwardfor", proxy_type_str(curproxy), curproxy->id);

src/http_ana.c

@@ -26,6 +26,7 @@
 #include <haproxy/http.h>
 #include <haproxy/http_ana.h>
 #include <haproxy/http_htx.h>
+#include <haproxy/http_ext.h>
 #include <haproxy/htx.h>
 #include <haproxy/log.h>
 #include <haproxy/net_helper.h>
@@ -661,6 +662,12 @@ int http_process_request(struct stream *s, struct channel *req, int an_bit)
 				goto return_fail_rewrite;
 	}
 
+	/* add forwarded header (RFC 7239) (ignored for frontends) */
+	if (s->be->options & PR_O_HTTP_7239) {
+		if (unlikely(!http_handle_7239_header(s, req)))
+			goto return_fail_rewrite;
+	}
+
 	/*
 	 * 9: add X-Forwarded-For if either the frontend or the backend
 	 * asks for it.

src/proxy.c

@@ -31,6 +31,7 @@
 #include <haproxy/global.h>
 #include <haproxy/http_ana.h>
 #include <haproxy/http_htx.h>
+#include <haproxy/http_ext.h>
 #include <haproxy/listener.h>
 #include <haproxy/log.h>
 #include <haproxy/obj_type-t.h>
@@ -353,6 +354,7 @@ void free_proxy(struct proxy *p)
 	free(p->desc);
 	istfree(&p->fwdfor_hdr_name);
 	istfree(&p->orgto_hdr_name);
+	http_ext_7239_clean(&p->http.fwd);
 
 	task_destroy(p->task);
 
@@ -1467,6 +1469,8 @@ void proxy_free_defaults(struct proxy *defproxy)
 	istfree(&defproxy->orgto_hdr_name);
 	istfree(&defproxy->server_id_hdr_name);
 
+	http_ext_7239_clean(&defproxy->http.fwd);
+
 	list_for_each_entry_safe(acl, aclb, &defproxy->acl, list) {
 		LIST_DELETE(&acl->list);
 		prune_acl(acl);
@@ -1696,6 +1700,9 @@ static int proxy_defproxy_cpy(struct proxy *curproxy, const struct proxy *defpro
 		}
 
 		curproxy->ck_opts = defproxy->ck_opts;
+		if (defproxy->options & PR_O_HTTP_7239)
+			http_ext_7239_copy(&curproxy->http.fwd, &defproxy->http.fwd);
+
 		if (defproxy->cookie_name)
 			curproxy->cookie_name = strdup(defproxy->cookie_name);
 		curproxy->cookie_len = defproxy->cookie_len;