aboutsummaryrefslogtreecommitdiffstats
path: root/cmd
diff options
context:
space:
mode:
authorzeripath <art27@cantab.net>2022-08-21 19:20:43 +0100
committerGitHub <noreply@github.com>2022-08-21 19:20:43 +0100
commit943753f560fab8bb01946618b16c694bc2032827 (patch)
treed4faa0f8bde73d61ee00d7252ceb79f8334088b1 /cmd
parent0b4c166e8a90beeb1e71ee2fc16b3a240517c82d (diff)
downloadgitea-943753f560fab8bb01946618b16c694bc2032827.tar.gz
gitea-943753f560fab8bb01946618b16c694bc2032827.zip
Support Proxy protocol (#12527)
This PR adds functionality to allow Gitea to sit behind an HAProxy and HAProxy protocolled connections directly. Fix #7508 Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'cmd')
-rw-r--r--cmd/web.go26
-rw-r--r--cmd/web_acme.go4
-rw-r--r--cmd/web_graceful.go8
-rw-r--r--cmd/web_https.go10
4 files changed, 23 insertions, 25 deletions
diff --git a/cmd/web.go b/cmd/web.go
index 3bc61b0443..43f106f780 100644
--- a/cmd/web.go
+++ b/cmd/web.go
@@ -76,7 +76,7 @@ func runHTTPRedirector() {
http.Redirect(w, r, target, http.StatusTemporaryRedirect)
})
- err := runHTTP("tcp", source, "HTTP Redirector", handler)
+ err := runHTTP("tcp", source, "HTTP Redirector", handler, setting.RedirectorUseProxyProtocol)
if err != nil {
log.Fatal("Failed to start port redirection: %v", err)
}
@@ -231,40 +231,38 @@ func listen(m http.Handler, handleRedirector bool) error {
if handleRedirector {
NoHTTPRedirector()
}
- err = runHTTP("tcp", listenAddr, "Web", m)
+ err = runHTTP("tcp", listenAddr, "Web", m, setting.UseProxyProtocol)
case setting.HTTPS:
if setting.EnableAcme {
err = runACME(listenAddr, m)
break
- } else {
- if handleRedirector {
- if setting.RedirectOtherPort {
- go runHTTPRedirector()
- } else {
- NoHTTPRedirector()
- }
+ }
+ if handleRedirector {
+ if setting.RedirectOtherPort {
+ go runHTTPRedirector()
+ } else {
+ NoHTTPRedirector()
}
- err = runHTTPS("tcp", listenAddr, "Web", setting.CertFile, setting.KeyFile, m)
}
+ err = runHTTPS("tcp", listenAddr, "Web", setting.CertFile, setting.KeyFile, m, setting.UseProxyProtocol, setting.ProxyProtocolTLSBridging)
case setting.FCGI:
if handleRedirector {
NoHTTPRedirector()
}
- err = runFCGI("tcp", listenAddr, "FCGI Web", m)
+ err = runFCGI("tcp", listenAddr, "FCGI Web", m, setting.UseProxyProtocol)
case setting.HTTPUnix:
if handleRedirector {
NoHTTPRedirector()
}
- err = runHTTP("unix", listenAddr, "Web", m)
+ err = runHTTP("unix", listenAddr, "Web", m, setting.UseProxyProtocol)
case setting.FCGIUnix:
if handleRedirector {
NoHTTPRedirector()
}
- err = runFCGI("unix", listenAddr, "Web", m)
+ err = runFCGI("unix", listenAddr, "Web", m, setting.UseProxyProtocol)
default:
log.Fatal("Invalid protocol: %s", setting.Protocol)
}
-
if err != nil {
log.Critical("Failed to start server: %v", err)
}
diff --git a/cmd/web_acme.go b/cmd/web_acme.go
index 57b400dae6..d8e550b321 100644
--- a/cmd/web_acme.go
+++ b/cmd/web_acme.go
@@ -113,14 +113,14 @@ func runACME(listenAddr string, m http.Handler) error {
log.Info("Running Let's Encrypt handler on %s", setting.HTTPAddr+":"+setting.PortToRedirect)
// all traffic coming into HTTP will be redirect to HTTPS automatically (LE HTTP-01 validation happens here)
- err := runHTTP("tcp", setting.HTTPAddr+":"+setting.PortToRedirect, "Let's Encrypt HTTP Challenge", myACME.HTTPChallengeHandler(http.HandlerFunc(runLetsEncryptFallbackHandler)))
+ err := runHTTP("tcp", setting.HTTPAddr+":"+setting.PortToRedirect, "Let's Encrypt HTTP Challenge", myACME.HTTPChallengeHandler(http.HandlerFunc(runLetsEncryptFallbackHandler)), setting.RedirectorUseProxyProtocol)
if err != nil {
log.Fatal("Failed to start the Let's Encrypt handler on port %s: %v", setting.PortToRedirect, err)
}
}()
}
- return runHTTPSWithTLSConfig("tcp", listenAddr, "Web", tlsConfig, m)
+ return runHTTPSWithTLSConfig("tcp", listenAddr, "Web", tlsConfig, m, setting.UseProxyProtocol, setting.ProxyProtocolTLSBridging)
}
func runLetsEncryptFallbackHandler(w http.ResponseWriter, r *http.Request) {
diff --git a/cmd/web_graceful.go b/cmd/web_graceful.go
index 1618208c55..ba88cc59c2 100644
--- a/cmd/web_graceful.go
+++ b/cmd/web_graceful.go
@@ -15,8 +15,8 @@ import (
"code.gitea.io/gitea/modules/setting"
)
-func runHTTP(network, listenAddr, name string, m http.Handler) error {
- return graceful.HTTPListenAndServe(network, listenAddr, name, m)
+func runHTTP(network, listenAddr, name string, m http.Handler, useProxyProtocol bool) error {
+ return graceful.HTTPListenAndServe(network, listenAddr, name, m, useProxyProtocol)
}
// NoHTTPRedirector tells our cleanup routine that we will not be using a fallback http redirector
@@ -36,7 +36,7 @@ func NoInstallListener() {
graceful.GetManager().InformCleanup()
}
-func runFCGI(network, listenAddr, name string, m http.Handler) error {
+func runFCGI(network, listenAddr, name string, m http.Handler, useProxyProtocol bool) error {
// This needs to handle stdin as fcgi point
fcgiServer := graceful.NewServer(network, listenAddr, name)
@@ -47,7 +47,7 @@ func runFCGI(network, listenAddr, name string, m http.Handler) error {
}
m.ServeHTTP(resp, req)
}))
- })
+ }, useProxyProtocol)
if err != nil {
log.Fatal("Failed to start FCGI main server: %v", err)
}
diff --git a/cmd/web_https.go b/cmd/web_https.go
index b0910ca040..aac11517a6 100644
--- a/cmd/web_https.go
+++ b/cmd/web_https.go
@@ -129,14 +129,14 @@ var (
defaultCiphersChaChaFirst = append(defaultCiphersChaCha, defaultCiphersAES...)
)
-// runHTTPs listens on the provided network address and then calls
+// runHTTPS listens on the provided network address and then calls
// Serve to handle requests on incoming TLS connections.
//
// Filenames containing a certificate and matching private key for the server must
// be provided. If the certificate is signed by a certificate authority, the
// certFile should be the concatenation of the server's certificate followed by the
// CA's certificate.
-func runHTTPS(network, listenAddr, name, certFile, keyFile string, m http.Handler) error {
+func runHTTPS(network, listenAddr, name, certFile, keyFile string, m http.Handler, useProxyProtocol, proxyProtocolTLSBridging bool) error {
tlsConfig := &tls.Config{}
if tlsConfig.NextProtos == nil {
tlsConfig.NextProtos = []string{"h2", "http/1.1"}
@@ -184,9 +184,9 @@ func runHTTPS(network, listenAddr, name, certFile, keyFile string, m http.Handle
return err
}
- return graceful.HTTPListenAndServeTLSConfig(network, listenAddr, name, tlsConfig, m)
+ return graceful.HTTPListenAndServeTLSConfig(network, listenAddr, name, tlsConfig, m, useProxyProtocol, proxyProtocolTLSBridging)
}
-func runHTTPSWithTLSConfig(network, listenAddr, name string, tlsConfig *tls.Config, m http.Handler) error {
- return graceful.HTTPListenAndServeTLSConfig(network, listenAddr, name, tlsConfig, m)
+func runHTTPSWithTLSConfig(network, listenAddr, name string, tlsConfig *tls.Config, m http.Handler, useProxyProtocol, proxyProtocolTLSBridging bool) error {
+ return graceful.HTTPListenAndServeTLSConfig(network, listenAddr, name, tlsConfig, m, useProxyProtocol, proxyProtocolTLSBridging)
}