feat(tls): expose PROXY-recovered client addr to cert callback via SSL ex_data #25
Merged
…L ex_data

Branched off the commit synapse pins (ae2ef10, which has the proxy-protocol feature), NOT the regressed main, which lacks proxy_protocol.rs entirely.

The server TLS handshake (handshake_with_callback) now stashes the PROXY-protocol-recovered client SocketAddr onto the SSL object via a typed ex_data index, immediately before invoking the certificate_callback. This is the only handshake hook a consumer can read for HTTP/2 connections (the SslStream isn't reachable on the h2 request path), so it lets synapse-proxy correlate the SSL* pointer (== the agent uprobe's ssl_ptr) with the real external client IP and stamp it on decrypted-HTTP IDS alerts.

- pingora-openssl: re-export ssl_lib::ex_data so Index is nameable downstream.
- pingora-core: new openssl-gated `protocols::tls::client_addr_ex` {set,get} sharing one OnceLock ex_data index.
- server.rs: read peer_addr() (recovered) from the socket digest, set it on the SSL before the cert callback. No-op when proxy-proto is off / not inet.
client_addr_ex (gated on openssl_derived) uses crate::tls::ex_data, but only pingora-openssl re-exported it. Mirror the export in pingora-boringssl so the boringssl backend compiles (cargo check --workspace).
alloc-stdlib 0.2.3 pulls alloc-no-stdlib 3.0.0, which coexists with brotli/brotli-decompressors 2.0.x as two incompatible Allocator traits and breaks the build with "StandardAlloc: Allocator not satisfied" on the CI toolchains (cargo check --workspace). Pin alloc-stdlib 0.2.2 (uses 2.0.4) so a single alloc-no-stdlib resolves. Verified with rustc 1.91.1.
cargo-machete flags the alloc-stdlib resolver pin as an unused dependency. It is intentional (constrains alloc-no-stdlib to one version), so add it to [package.metadata.cargo-machete].ignored.
Stash the PROXY-protocol-recovered client address on the TLS `SSL` object (via an `ex_data` index) just before the server handshake invokes the certificate callback, and expose a small `client_addr_ex::{set,get}` helper to read it back. This lets a consumer's `certificate_callback` see the real client IP even for HTTP/2, where the `SslStream` isn't reachable on the request path. `peer_addr()` returns the recovered address once `maybe_consume_proxy_header` has patched the `SocketDigest`.

- `pingora-core/src/protocols/tls/mod.rs`: `client_addr_ex` ex_data index + set/get.
- `pingora-core/src/protocols/tls/boringssl_openssl/server.rs`: set it before the cert callback.
- `pingora-openssl/src/lib.rs`: re-export `ex_data`.

3 files, +42. openssl_derived only.
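The pattern the description relies on, shown as an added, std-only Rust example that is not pingora's code and not the `openssl` crate's API: a typed ex_data slot handle (`Index<T>`), a process-wide index shared by `set` and `get` through a `OnceLock`, and a handshake model that stashes the recovered address before the certificate callback runs. In the real crate these correspond to `Ssl::new_ex_index::<T>()`, `SslRef::set_ex_data` and `SslRef::ex_data`; the `Ssl`, `SocketDigest`, `handshake_with_callback` and `alert_tag` types and functions below are hypothetical stand-ins, and the sample client address is constructed.

```rust
use std::any::Any;
use std::collections::HashMap;
use std::marker::PhantomData;
use std::net::SocketAddr;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::OnceLock;

/// Typed handle to one ex_data slot (models `openssl::ex_data::Index<Ssl, T>`).
/// The type parameter ties the slot to the stored type, so a reader can never
/// reinterpret another consumer's slot as a SocketAddr.
pub struct Index<T> {
    slot: usize,
    _marker: PhantomData<T>,
}

// Manual Clone/Copy so the handle stays copyable even when T is not.
impl<T> Clone for Index<T> {
    fn clone(&self) -> Self {
        *self
    }
}
impl<T> Copy for Index<T> {}

static NEXT_SLOT: AtomicUsize = AtomicUsize::new(0);

/// Allocate a fresh slot (models `Ssl::new_ex_index::<T>()`).
pub fn new_ex_index<T>() -> Index<T> {
    Index { slot: NEXT_SLOT.fetch_add(1, Ordering::Relaxed), _marker: PhantomData }
}

/// Minimal model of an SSL object: only its ex_data table matters here.
#[derive(Default)]
pub struct Ssl {
    ex_data: HashMap<usize, Box<dyn Any + Send + Sync>>,
}

impl Ssl {
    pub fn new() -> Self {
        Self::default()
    }
    /// Models `SslRef::set_ex_data`.
    pub fn set_ex_data<T: Send + Sync + 'static>(&mut self, idx: Index<T>, value: T) {
        self.ex_data.insert(idx.slot, Box::new(value));
    }
    /// Models `SslRef::ex_data`; the downcast only succeeds for the slot's own T.
    pub fn ex_data<T: 'static>(&self, idx: Index<T>) -> Option<&T> {
        self.ex_data.get(&idx.slot).and_then(|b| b.downcast_ref::<T>())
    }
}

/// Hypothetical counterpart of `client_addr_ex`: set and get share one index,
/// allocated exactly once, so every SSL object uses the same slot.
pub mod client_addr_ex {
    use super::*;

    fn index() -> Index<SocketAddr> {
        static IDX: OnceLock<Index<SocketAddr>> = OnceLock::new();
        *IDX.get_or_init(new_ex_index::<SocketAddr>)
    }
    pub fn set(ssl: &mut Ssl, addr: SocketAddr) {
        ssl.set_ex_data(index(), addr);
    }
    pub fn get(ssl: &Ssl) -> Option<SocketAddr> {
        ssl.ex_data(index()).copied()
    }
}

/// Stand-in for the socket digest: `peer_addr()` is the PROXY-recovered address
/// once the header was consumed, and None when proxy-proto is off or not inet.
pub struct SocketDigest {
    pub recovered_peer: Option<SocketAddr>,
}

impl SocketDigest {
    pub fn peer_addr(&self) -> Option<SocketAddr> {
        self.recovered_peer
    }
}

/// Model of the server-side ordering: stash the recovered address, then invoke
/// the certificate callback (the only hook a consumer gets on the h2 path).
/// The callback's result is returned so the caller sees what it observed.
pub fn handshake_with_callback<R>(
    ssl: &mut Ssl,
    digest: &SocketDigest,
    cert_cb: impl FnOnce(&Ssl) -> R,
) -> R {
    if let Some(addr) = digest.peer_addr() {
        client_addr_ex::set(ssl, addr);
    }
    cert_cb(ssl)
}

/// What an IDS consumer would stamp on an alert from inside the callback: the
/// object's address (standing in for the SSL* an uprobe sees) plus the client IP.
pub fn alert_tag(ssl: &Ssl) -> String {
    let ptr = ssl as *const Ssl as usize;
    match client_addr_ex::get(ssl) {
        Some(addr) => format!("ssl_ptr=0x{ptr:x} client={}", addr.ip()),
        None => format!("ssl_ptr=0x{ptr:x} client=unknown"),
    }
}

fn main() {
    // Constructed sample: a client address recovered from a PROXY header.
    let recovered: SocketAddr = "203.0.113.7:51234".parse().unwrap();
    let mut ssl = Ssl::new();
    let digest = SocketDigest { recovered_peer: Some(recovered) };
    println!("{}", handshake_with_callback(&mut ssl, &digest, alert_tag));
}
```

The two things worth checking in a real deployment are the ordering (the address must be on the SSL object before the callback fires, or h2 connections see nothing) and the no-op path: with proxy-protocol disabled, `get` returns None and the alert should say so rather than fall back to the load balancer's socket address.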