Skip to main content

Module proxy_protocol

Module proxy_protocol 

Source
Expand description

PROXY protocol v2 reception (ADR 000057): restore the real client address behind an L4 load balancer, at the only possible point — after accept, before the TLS handshake / HTTP parse.

Two layers, deliberately split:

  • parse_proxy_v2 — a pure, I/O-free parser over a byte slice (the fuzz target). Written from the public spec (proxy-protocol.txt, HAProxy Technologies) alone; v2 binary form only, v1 text form is not accepted (ADR 000057).
  • [resolve_peer] — the listener-side I/O: bounded reads under a deadline for trusted peers (the header is mandatory there), a non-consuming signature peek for untrusted peers (their bytes belong to TLS/HTTP), every anomaly fail-closed as a typed fault.

The module is pub so the out-of-workspace fuzz harness (fuzz/) can drive the parser; it is not a semver surface (the crate is publish = false).

Enums§

Parsed
The parser’s verdict over the bytes seen so far.
ProxyV2
A complete, valid v2 header, reduced to what the listener consumes.
ProxyV2Error
Why a byte sequence is not a valid v2 header. Every variant is a connection-fatal fault code (fail-closed, ADR 000057) — there is no “tolerate and pass through”.

Constants§

MAX_DECLARED_LEN
Cap on the self-described length (address block + TLVs). The spec sizes the header to fit a 536-byte minimal TCP segment; 2 KiB is generous for every real sender while bounding the read (ADR 000057 — bounded reads on untrusted input).
PREFIX_LEN
The fixed prefix: signature + version/command + family/protocol + declared length.
SIGNATURE
The 12-byte v2 signature. Contains an interior NUL — never treat as a C string (spec §2.2).

Functions§

parse_proxy_v2
Parse a PROXY protocol v2 header from the start of buf — pure and total: no I/O, no panics on any input (the fuzz target’s invariant, P11). Errors take precedence over Incomplete as soon as the offending byte is visible, so a bad peer is cut without waiting for bytes that would change nothing.