woggioni/rbcs
1
0
Fork 0
Code Actions Packages Releases 6 Wiki Activity

Added server support for proxy protocol

Browse Source
This commit is contained in:
Walter Oggioni
2025-12-29 22:06:48 +08:00
parent 9a9cb4ed2c
commit 5854a632f8
24 changed files with 231 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
rbcs-server/build.gradle
View File

@@ -12,6 +12,7 @@ dependencies {
implementation catalog.netty.handler
implementation catalog.netty.buffer
implementation catalog.netty.transport
implementation catalog.netty.codec.haproxy
api project(':rbcs-common')
api project(':rbcs-api')

1
rbcs-server/src/main/java/module-info.java
View File

@@ -16,6 +16,7 @@ module net.woggioni.rbcs.server {
requires io.netty.buffer;
requires io.netty.common;
requires io.netty.codec;
requires io.netty.codec.haproxy;
requires org.slf4j;
exports net.woggioni.rbcs.server;

13
rbcs-server/src/main/kotlin/net/woggioni/rbcs/server/RemoteBuildCacheServer.kt
View File

@@ -20,6 +20,7 @@ import io.netty.channel.socket.nio.NioDatagramChannel
import io.netty.channel.socket.nio.NioServerSocketChannel
import io.netty.channel.socket.nio.NioSocketChannel
import io.netty.handler.codec.compression.CompressionOptions
import io.netty.handler.codec.haproxy.HAProxyMessageDecoder
import io.netty.handler.codec.http.DefaultHttpContent
import io.netty.handler.codec.http.HttpContentCompressor
import io.netty.handler.codec.http.HttpDecoderConfig
@@ -57,6 +58,7 @@ import javax.net.ssl.SSLPeerUnverifiedException
import net.woggioni.rbcs.api.AsyncCloseable
import net.woggioni.rbcs.api.Configuration
import net.woggioni.rbcs.api.exception.ConfigurationException
import net.woggioni.rbcs.common.Cidr
import net.woggioni.rbcs.common.PasswordSecurity.decodePasswordHash
import net.woggioni.rbcs.common.PasswordSecurity.hashPassword
import net.woggioni.rbcs.common.RBCS.getTrustManager
@@ -73,6 +75,7 @@ import net.woggioni.rbcs.server.configuration.Parser
import net.woggioni.rbcs.server.configuration.Serializer
import net.woggioni.rbcs.server.exception.ExceptionHandler
import net.woggioni.rbcs.server.handler.MaxRequestSizeHandler
import net.woggioni.rbcs.server.handler.ProxyProtocolHandler
import net.woggioni.rbcs.server.handler.ReadTriggerDuplexHandler
import net.woggioni.rbcs.server.handler.ServerHandler
import net.woggioni.rbcs.server.throttling.BucketManager
@@ -85,6 +88,7 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
val userAttribute: AttributeKey<Configuration.User> = AttributeKey.valueOf("user")
val groupAttribute: AttributeKey<Set<Configuration.Group>> = AttributeKey.valueOf("group")
val clientIp: AttributeKey<InetSocketAddress> = AttributeKey.valueOf("client-ip")
val DEFAULT_CONFIGURATION_URL by lazy { "jpms://net.woggioni.rbcs.server/net/woggioni/rbcs/server/rbcs-default.xml".toUrl() }
private const val SSL_HANDLER_NAME = "sslHandler"
@@ -234,6 +238,7 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
else ClientAuth.OPTIONAL
} ?: ClientAuth.NONE
clientAuth(clientAuth)
}.build()
}
}
@@ -259,6 +264,9 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
else -> null
}
private val proxyProtocolEnabled: Boolean = cfg.isProxyProtocolEnabled
private val trustedProxyIPs: List<Cidr> = cfg.trustedProxyIPs
private val sslContext: SslContext? = cfg.tls?.let(Companion::createSslCtx)
private fun userExtractor(authentication: Configuration.ClientCertificateAuthentication) =
@@ -290,6 +298,7 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
}
override fun initChannel(ch: Channel) {
ch.attr(clientIp).set(ch.remoteAddress() as InetSocketAddress)
log.debug {
"Created connection ${ch.id().asShortText()} with ${ch.remoteAddress()}"
}
@@ -338,6 +347,10 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
}
}
})
if(proxyProtocolEnabled) {
pipeline.addLast(HAProxyMessageDecoder())
pipeline.addLast(ProxyProtocolHandler(trustedProxyIPs))
}
sslContext?.newHandler(ch.alloc())?.also {
pipeline.addLast(SSL_HANDLER_NAME, it)
}

1
rbcs-server/src/main/kotlin/net/woggioni/rbcs/server/auth/Authenticator.kt
View File

@@ -72,5 +72,4 @@ abstract class AbstractNettyHttpAuthenticator(private val authorizer: Authorizer
ReferenceCountUtil.release(msg)
ctx.writeAndFlush(NOT_AUTHORIZED.retainedDuplicate()).addListener(ChannelFutureListener.CLOSE_ON_FAILURE)
}
}

2
rbcs-server/src/main/kotlin/net/woggioni/rbcs/server/cache/InMemoryCacheHandler.kt vendored
View File

@@ -2,8 +2,6 @@ package net.woggioni.rbcs.server.cache
import io.netty.buffer.ByteBuf
import io.netty.channel.ChannelHandlerContext
import java.io.ByteArrayInputStream
import java.io.ByteArrayOutputStream
import java.util.zip.Deflater
import java.util.zip.DeflaterOutputStream
import java.util.zip.InflaterOutputStream

28
rbcs-server/src/main/kotlin/net/woggioni/rbcs/server/configuration/Parser.kt
View File

@@ -16,6 +16,7 @@ import net.woggioni.rbcs.api.Configuration.TrustStore
import net.woggioni.rbcs.api.Configuration.User
import net.woggioni.rbcs.api.Role
import net.woggioni.rbcs.api.exception.ConfigurationException
import net.woggioni.rbcs.common.Cidr
import net.woggioni.rbcs.common.Xml.Companion.asIterable
import net.woggioni.rbcs.common.Xml.Companion.renderAttribute
import org.w3c.dom.Document
@@ -38,6 +39,8 @@ object Parser {
var cache: Cache? = null
var host = "127.0.0.1"
var port = 11080
var proxyProtocolEnabled = false
var trustedProxies = emptyList<Cidr>()
var users: Map<String, User> = mapOf(anonymousUser.name to anonymousUser)
var groups = emptyMap<String, Group>()
var tls: Tls? = null
@@ -98,9 +101,23 @@ object Parser {
"bind" -> {
host = child.renderAttribute("host") ?: throw ConfigurationException("host attribute is required")
port = Integer.parseInt(child.renderAttribute("port"))
proxyProtocolEnabled = child.renderAttribute("proxy-protocol")
?.let(String::toBoolean) ?: false
incomingConnectionsBacklogSize = child.renderAttribute("incoming-connections-backlog-size")
?.let(Integer::parseInt)
?: 1024
for(grandChild in child.asIterable()) {
when(grandChild.localName) {
"trusted-proxies" -> {
trustedProxies = parseTrustedProxies(grandChild)
}
}
}
child.asIterable().filter {
it.localName == "trusted-proxies"
}.firstOrNull()?.let(::parseTrustedProxies)
}
"cache" -> {
@@ -195,6 +212,8 @@ object Parser {
return Configuration.of(
host,
port,
proxyProtocolEnabled,
trustedProxies,
incomingConnectionsBacklogSize,
serverPath,
eventExecutor,
@@ -217,6 +236,15 @@ object Parser {
}
}.toSet()
private fun parseTrustedProxies(root: Element) = root.asIterable().asSequence().map {
when (it.localName) {
"allow" -> it.renderAttribute("cidr")
?.let(Cidr::from)
?: throw ConfigurationException("Missing 'cidr' attribute")
else -> throw ConfigurationException("Unrecognized tag '${it.localName}'")
}
}.toList()
private fun parseUserRefs(root: Element) = root.asIterable().asSequence().map {
when (it.localName) {
"user" -> it.renderAttribute("ref")

11
rbcs-server/src/main/kotlin/net/woggioni/rbcs/server/configuration/Serializer.kt
View File

@@ -33,6 +33,17 @@ object Serializer {
attr("host", conf.host)
attr("port", conf.port.toString())
attr("incoming-connections-backlog-size", conf.incomingConnectionsBacklogSize.toString())
attr("proxy-protocol", conf.isProxyProtocolEnabled.toString())
if (conf.trustedProxyIPs.isNotEmpty()) {
node("trusted-proxies") {
for(trustedProxy in conf.trustedProxyIPs) {
node("allow") {
attr("cidr", trustedProxy.toString())
}
}
}
}
}
node("connection") {
conf.connection.let { connection ->

40
rbcs-server/src/main/kotlin/net/woggioni/rbcs/server/handler/ProxyProtocolHandler.kt Normal file
View File

@@ -0,0 +1,40 @@
package net.woggioni.rbcs.server.handler
import io.netty.channel.ChannelHandlerContext
import io.netty.channel.SimpleChannelInboundHandler
import io.netty.handler.codec.haproxy.HAProxyMessage
import java.net.InetAddress
import java.net.InetSocketAddress
import net.woggioni.rbcs.common.Cidr
import net.woggioni.rbcs.common.createLogger
import net.woggioni.rbcs.common.trace
import net.woggioni.rbcs.server.RemoteBuildCacheServer
class ProxyProtocolHandler(private val trustedProxyIPs : List<Cidr>) : SimpleChannelInboundHandler<HAProxyMessage>() {
companion object {
private val log = createLogger<ProxyProtocolHandler>()
}
override fun channelRead0(
ctx: ChannelHandlerContext,
msg: HAProxyMessage
) {
val sourceAddress = ctx.channel().remoteAddress()
if (sourceAddress is InetSocketAddress &&
trustedProxyIPs.isEmpty() ||
trustedProxyIPs.any { it.contains((sourceAddress as InetSocketAddress).address) }) {
val proxiedClientAddress = InetSocketAddress(
InetAddress.ofLiteral(msg.sourceAddress()),
msg.sourcePort()
)
if(log.isTraceEnabled) {
log.trace {
"Received proxied request from $sourceAddress forwarded for $proxiedClientAddress"
}
}
ctx.channel().attr(RemoteBuildCacheServer.clientIp).set(proxiedClientAddress)
}
}
}

3
rbcs-server/src/main/kotlin/net/woggioni/rbcs/server/throttling/ThrottlingHandler.kt
View File

@@ -197,7 +197,8 @@ class ThrottlingHandler(
}
}
if (user == null && groups.isEmpty()) {
bucketManager.getBucketByAddress(ctx.channel().remoteAddress() as InetSocketAddress)?.let(buckets::add)
val clientAddress = ctx.channel().attr<InetSocketAddress>(RemoteBuildCacheServer.clientIp).get()
bucketManager.getBucketByAddress(clientAddress)?.let(buckets::add)
}
var nextAttempt = -1L

35
rbcs-server/src/main/resources/net/woggioni/rbcs/server/schema/rbcs-server.xsd
View File

@@ -62,6 +62,9 @@
</xs:complexType>
<xs:complexType name="bindType">
<xs:sequence minOccurs="0">
<xs:element name="trusted-proxies" type="rbcs:trustedProxiesType"/>
</xs:sequence>
<xs:attribute name="host" type="xs:token" use="required">
<xs:annotation>
<xs:documentation>Server bind address</xs:documentation>
@@ -72,6 +75,12 @@
<xs:documentation>Server port number</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="proxy-protocol" type="xs:boolean" use="optional">
<xs:annotation>
<xs:documentation>Enable proxy protocol</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="incoming-connections-backlog-size" type="xs:unsignedInt" use="optional" default="1024">
<xs:annotation>
<xs:documentation>
@@ -83,6 +92,16 @@
</xs:attribute>
</xs:complexType>
<xs:complexType name="trustedProxiesType">
<xs:sequence minOccurs="0">
<xs:element name="allow" type="rbcs:allowType" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="allowType">
<xs:attribute name="cidr" type="rbcs:cidr"/>
</xs:complexType>
<xs:complexType name="connectionType">
<xs:attribute name="idle-timeout" type="xs:duration" use="optional" default="PT30S">
<xs:annotation>
@@ -681,4 +700,20 @@
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="cidrIPv4">
<xs:restriction base="xs:string">
<xs:pattern value="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(3[0-2]|[12]?[0-9])" />
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="cidrIPv6">
<xs:restriction base="xs:string">
<xs:pattern value="((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(:([0-9A-Fa-f]{1,4}){1,7}|:)))(%[\p{L}\p{N}_-]+)?\/(12[0-8]|1[01][0-9]|[1-9]?[0-9])" />
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="cidr">
<xs:union memberTypes="rbcs:cidrIPv4 rbcs:cidrIPv6" />
</xs:simpleType>
</xs:schema>

2
rbcs-server/src/test/kotlin/net/woggioni/rbcs/server/test/AbstractBasicAuthServerTest.kt
View File

@@ -34,6 +34,8 @@ abstract class AbstractBasicAuthServerTest : AbstractServerTest() {
cfg = Configuration.of(
"127.0.0.1",
getFreePort(),
false,
emptyList(),
50,
serverPath,
Configuration.EventExecutor(false),

3
rbcs-server/src/test/kotlin/net/woggioni/rbcs/server/test/AbstractTlsServerTest.kt
View File

@@ -140,6 +140,9 @@ abstract class AbstractTlsServerTest : AbstractServerTest() {
cfg = Configuration(
"127.0.0.1",
getFreePort(),
false,
emptyList(),
100,
serverPath,
Configuration.EventExecutor(false),

2
rbcs-server/src/test/kotlin/net/woggioni/rbcs/server/test/NoAuthServerTest.kt
View File

@@ -34,6 +34,8 @@ class NoAuthServerTest : AbstractServerTest() {
cfg = Configuration(
"127.0.0.1",
getFreePort(),
false,
emptyList(),
100,
serverPath,
Configuration.EventExecutor(false),

8
rbcs-server/src/test/resources/net/woggioni/rbcs/server/test/valid/rbcs-default.xml
View File

@@ -2,7 +2,13 @@
<rbcs:server xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
xmlns:rbcs="urn:net.woggioni.rbcs.server"
xs:schemaLocation="urn:net.woggioni.rbcs.server jpms://net.woggioni.rbcs.server/net/woggioni/rbcs/server/schema/rbcs-server.xsd">
<bind host="127.0.0.1" port="11443" incoming-connections-backlog-size="22"/>
<bind host="127.0.0.1" port="11443" incoming-connections-backlog-size="22" proxy-protocol="true">
<trusted-proxies>
<allow cidr="192.168.0.11/32"/>
<allow cidr="::1/128"/>
<allow cidr="fda7:9b54:5678::2f9/128"/>
</trusted-proxies>
</bind>
<connection
read-idle-timeout="PT10M"
write-idle-timeout="PT11M"