Reject non-proxied connections when proxy protocol is enabled532-proxy-protocol-require

This will help to prevent misconfigurations. Changelog: fixed
author: Nick Thomas <nick@gitlab.com> 2021-10-12 12:12:34 +0100
committer: Nick Thomas <nick@gitlab.com> 2021-10-12 12:12:34 +0100
commit: 22e0350f75fed9f79bac1f68cc5d8a55d6591b84 (patch)
tree: 1068e45375da83dcebb324fb78fff00ade8dbeed /internal/sshd/sshd.go
parent: 2ccc5ab15ba57f98a3af70757e24c0a7992b9ac8 (diff)
download: gitlab-shell-532-proxy-protocol-require.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/internal/sshd/sshd.go b/internal/sshd/sshd.go
index 19fa661..d765faf 100644
--- a/internal/sshd/sshd.go
+++ b/internal/sshd/sshd.go
@@ -94,6 +94,7 @@ func (s *Server) listen(ctx context.Context) error {
 	if s.Config.Server.ProxyProtocol {
 		sshListener = &proxyproto.Listener{
 			Listener:          sshListener,
+			Policy:            unconditionalRequirePolicy,
 			ReadHeaderTimeout: ProxyHeaderTimeout,
 		}
 
@@ -185,3 +186,7 @@ func (s *Server) handleConn(ctx context.Context, nconn net.Conn) {
 
 	ctxlog.Info("server: handleConn: done")
 }
+
+func unconditionalRequirePolicy(_ net.Addr) (proxyproto.Policy, error) {
+	return proxyproto.REQUIRE, nil
+}
author	Nick Thomas <nick@gitlab.com>	2021-10-12 12:12:34 +0100
committer	Nick Thomas <nick@gitlab.com>	2021-10-12 12:12:34 +0100
commit	22e0350f75fed9f79bac1f68cc5d8a55d6591b84 (patch)
tree	1068e45375da83dcebb324fb78fff00ade8dbeed /internal/sshd/sshd.go
parent	2ccc5ab15ba57f98a3af70757e24c0a7992b9ac8 (diff)
download	gitlab-shell-532-proxy-protocol-require.tar.gz