Expand description
PROXY protocol v2 reception (ADR 000057): restore the real client address behind an L4 load balancer, at the only possible point — after accept, before the TLS handshake / HTTP parse.
Two layers, deliberately split:
parse_proxy_v2— a pure, I/O-free parser over a byte slice (the fuzz target). Written from the public spec (proxy-protocol.txt, HAProxy Technologies) alone; v2 binary form only, v1 text form is not accepted (ADR 000057).- [
resolve_peer] — the listener-side I/O: bounded reads under a deadline for trusted peers (the header is mandatory there), a non-consuming signature peek for untrusted peers (their bytes belong to TLS/HTTP), every anomaly fail-closed as a typed fault.
The module is pub so the out-of-workspace fuzz harness (fuzz/) can drive the parser; it
is not a semver surface (the crate is publish = false).
Enums§
- Parsed
- The parser’s verdict over the bytes seen so far.
- ProxyV2
- A complete, valid v2 header, reduced to what the listener consumes.
- Proxy
V2Error - Why a byte sequence is not a valid v2 header. Every variant is a connection-fatal fault code (fail-closed, ADR 000057) — there is no “tolerate and pass through”.
Constants§
- MAX_
DECLARED_ LEN - Cap on the self-described length (address block + TLVs). The spec sizes the header to fit a 536-byte minimal TCP segment; 2 KiB is generous for every real sender while bounding the read (ADR 000057 — bounded reads on untrusted input).
- PREFIX_
LEN - The fixed prefix: signature + version/command + family/protocol + declared length.
- SIGNATURE
- The 12-byte v2 signature. Contains an interior NUL — never treat as a C string (spec §2.2).
Functions§
- parse_
proxy_ v2 - Parse a PROXY protocol v2 header from the start of
buf— pure and total: no I/O, no panics on any input (the fuzz target’s invariant, P11). Errors take precedence overIncompleteas soon as the offending byte is visible, so a bad peer is cut without waiting for bytes that would change nothing.