PROXY Protocol Round 3?

backend/internal/nginx.js

@@ -157,6 +157,8 @@ const internalNginx = {
 						{ caching_enabled: host.caching_enabled },
 						{ block_exploits: host.block_exploits },
 						{ allow_websocket_upgrade: host.allow_websocket_upgrade },
+						{ enable_proxy_protocol: host.enable_proxy_protocol },
+						{ load_balancer_ip: host.load_balancer_ip },
 						{ http2_support: host.http2_support },
 						{ hsts_enabled: host.hsts_enabled },
 						{ hsts_subdomains: host.hsts_subdomains },

backend/migrations/20220209144645_proxy_protocol.js

@@ -0,0 +1,41 @@
+const migrate_name = "proxy_protocol";
+import { migrate as logger } from "../logger.js";
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object}  knex
+ * @returns {Promise}
+ */
+const up = (knex) => {
+	logger.info(`[${migrate_name}] Migrating Up...`);
+
+	return knex.schema.table("proxy_host", (table) => {
+		table.integer("enable_proxy_protocol").notNull().unsigned().defaultTo(0);
+		table.string("load_balancer_ip").notNull().defaultTo("");
+	}).then(() => {
+		logger.info(`[${migrate_name}] proxy_host Table altered`);
+	});
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param   {Object}  knex
+ * @returns {Promise}
+ */
+const down = (_knex) => {
+	logger.info(`[${migrateName}] Migrating Down...`);
+
+	return knex.schema.table("proxy_host", (table) => {
+		table.dropColumn("enable_proxy_protocol");
+		table.dropColumn("load_balancer_ip");
+	})
+	.then(() => {
+		logger.info(`[${migrateName}] proxy_host Table altered`);
+	});
+};
+
+export { up, down };

backend/models/proxy_host.js

@@ -22,6 +22,7 @@ const boolFields = [
 	"hsts_enabled",
 	"hsts_subdomains",
 	"trust_forwarded_proto",
+	"enable_proxy_protocol",
 ];
 
 class ProxyHost extends Model {

backend/schema/components/proxy-host-object.json

@@ -17,6 +17,8 @@
 		"advanced_config",
 		"meta",
 		"allow_websocket_upgrade",
+		"enable_proxy_protocol",
+		"load_balancer_ip",
 		"http2_support",
 		"forward_scheme",
 		"enabled",
@@ -84,6 +86,18 @@
 			"type": "boolean",
 			"example": true
 		},
+		"enable_proxy_protocol": {
+			"description": "Enable PROXY Protocol support",
+			"example": true,
+			"type": "boolean"
+		},
+		"load_balancer_ip": {
+			"description": "Load balancer or TCP proxy IP / CIDR range",
+			"type": "string",
+			"minLength": 0,
+			"maxLength": 255,
+			"example": "10.0.9.3"
+		},
 		"http2_support": {
 			"$ref": "../common.json#/properties/http2_support"
 		},

backend/schema/paths/nginx/proxy-hosts/get.json

@@ -53,6 +53,8 @@
 										"nginx_err": null
 									},
 									"allow_websocket_upgrade": false,
+									"enable_proxy_protocol": false,
+									"load_balancer_ip": "",
 									"http2_support": false,
 									"forward_scheme": "http",
 									"enabled": true,

backend/schema/paths/nginx/proxy-hosts/hostID/get.json

@@ -50,6 +50,8 @@
 									"nginx_err": null
 								},
 								"allow_websocket_upgrade": false,
+								"enable_proxy_protocol": false,
+								"load_balancer_ip": "",
 								"http2_support": false,
 								"forward_scheme": "http",
 								"enabled": true,

backend/schema/paths/nginx/proxy-hosts/hostID/put.json

@@ -71,6 +71,12 @@
 						"allow_websocket_upgrade": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/allow_websocket_upgrade"
 						},
+						"enable_proxy_protocol": {
+							"$ref": "../../../../components/proxy-host-object.json#/properties/enable_proxy_protocol"
+						},
+						"load_balancer_ip": {
+							"$ref": "../../../../components/proxy-host-object.json#/properties/load_balancer_ip"
+						},
 						"access_list_id": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/access_list_id"
 						},
@@ -119,6 +125,8 @@
 									"nginx_err": null
 								},
 								"allow_websocket_upgrade": false,
+								"enable_proxy_protocol": false,
+								"load_balancer_ip": "",
 								"http2_support": false,
 								"forward_scheme": "http",
 								"enabled": true,

backend/schema/paths/nginx/proxy-hosts/post.json

@@ -63,6 +63,12 @@
 						"allow_websocket_upgrade": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/allow_websocket_upgrade"
 						},
+						"enable_proxy_protocol": {
+							"$ref": "../../../components/proxy-host-object.json#/properties/enable_proxy_protocol"
+						},
+						"load_balancer_ip": {
+							"$ref": "../../../components/proxy-host-object.json#/properties/load_balancer_ip"
+						},
 						"access_list_id": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/access_list_id"
 						},
@@ -116,6 +122,8 @@
 								"advanced_config": "",
 								"meta": {},
 								"allow_websocket_upgrade": false,
+								"enable_proxy_protocol": false,
+								"load_balancer_ip": "",
 								"http2_support": false,
 								"forward_scheme": "http",
 								"enabled": true,

backend/templates/_listen.conf

@@ -1,20 +1,38 @@
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
+  listen 88 proxy_protocol;
+  listen 80;
+{% if ipv6 -%}
+  listen [::]:88 proxy_protocol;
+  listen [::]:80;
+{% endif %}
+{% else -%}
   listen 80;
 {% if ipv6 -%}
   listen [::]:80;
 {% else -%}
   #listen [::]:80;
+{% endif %}   
 {% endif %}
 {% if certificate -%}
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
+  listen 444 ssl proxy_protocol;
+  listen 443 ssl;
+{% if ipv6 -%}
+  listen [::]:444 ssl proxy_protocol;
+  listen [::]:443 ssl;
+{% endif %}
+{% else -%}
   listen 443 ssl;
 {% if ipv6 -%}
   listen [::]:443 ssl;
 {% else -%}
   #listen [::]:443;
 {% endif %}
+{% endif %}
 {% endif %}
   server_name {{ domain_names | join: " " }};
 {% if http2_support == 1 or http2_support == true %}
   http2 on;
 {% else -%}
   http2 off;
-{% endif %}
+{% endif %}

backend/templates/_proxy_protocol.conf

@@ -0,0 +1,6 @@
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true %}
+{% if load_balancer_ip != '' %}
+  set_real_ip_from {{ load_balancer_ip }};
+{% endif %}
+real_ip_header proxy_protocol;
+{% endif %}

backend/templates/proxy_host.conf

@@ -15,6 +15,7 @@ server {
 {% include "_exploits.conf" %}
 {% include "_hsts.conf" %}
 {% include "_forced_ssl.conf" %}
+{% include "_proxy_protocol.conf" %}
 
 {% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
 proxy_set_header Upgrade $http_upgrade;

docker/docker-compose.dev.yml

@@ -9,7 +9,9 @@ services:
     ports:
       - 3080:80
       - 3081:81
+      - 3088:88
       - 3443:443
+      - 3444:444
     networks:
       nginx_proxy_manager:
         aliases:

frontend/src/api/backend/models.ts

@@ -122,6 +122,8 @@ export interface ProxyHost {
 	advancedConfig: string;
 	meta: Record<string, any>;
 	allowWebsocketUpgrade: boolean;
+	enableProxyProtocol: boolean;
+	loadBalancerIp: string;
 	http2Support: boolean;
 	enabled: boolean;
 	locations?: ProxyLocation[];

frontend/src/hooks/useProxyHost.ts

@@ -19,6 +19,8 @@ const fetchProxyHost = (id: number | "new") => {
 			advancedConfig: "",
 			meta: {},
 			allowWebsocketUpgrade: false,
+			enableProxyProtocol: false,
+			loadBalancerIp: "",
 			http2Support: false,
 			forwardScheme: "",
 			enabled: true,

frontend/src/locale/src/bg.json

@@ -365,6 +365,9 @@
 	"host.flags.cache-assets": {
 		"defaultMessage": "Кеширане на ресурси"
 	},
+	"host.flags.enable-proxy-protocol": {
+		"defaultMessage": "Enable PROXY Protocol"
+	},
 	"host.flags.preserve-path": {
 		"defaultMessage": "Запазване на пътя"
 	},
@@ -380,6 +383,9 @@
 	"host.forward-scheme": {
 		"defaultMessage": "Схема"
 	},
+	"host.load-balancer-ip": {
+		"defaultMessage": "Load balancer or TCP proxy IP / CIDR range"
+	},
 	"hosts": {
 		"defaultMessage": "Хостове"
 	},

frontend/src/locale/src/cs.json

@@ -422,6 +422,9 @@
 	"host.flags.cache-assets": {
 		"defaultMessage": "Uložit zdroje do mezipaměti"
 	},
+	"host.flags.enable-proxy-protocol": {
+		"defaultMessage": "Enable PROXY Protocol"
+	},
 	"host.flags.preserve-path": {
 		"defaultMessage": "Zachovat cestu"
 	},
@@ -437,6 +440,9 @@
 	"host.forward-scheme": {
 		"defaultMessage": "Schéma"
 	},
+	"host.load-balancer-ip": {
+		"defaultMessage": "Load balancer or TCP proxy IP / CIDR range"
+	},
 	"hosts": {
 		"defaultMessage": "Hostitelé"
 	},

frontend/src/locale/src/de.json

@@ -350,6 +350,9 @@
 	"host.flags.cache-assets": {
 		"defaultMessage": "Cache Assets"
 	},
+	"host.flags.enable-proxy-protocol": {
+		"defaultMessage": "Enable PROXY Protocol"
+	},
 	"host.flags.preserve-path": {
 		"defaultMessage": "Pfad beibehalten"
 	},
@@ -365,6 +368,9 @@
 	"host.forward-scheme": {
 		"defaultMessage": "Schema"
 	},
+	"host.load-balancer-ip": {
+		"defaultMessage": "Load balancer or TCP proxy IP / CIDR range"
+	},
 	"hosts": {
 		"defaultMessage": "Hosts"
 	},

frontend/src/locale/src/en.json

@@ -428,6 +428,9 @@
 	"host.flags.cache-assets": {
 		"defaultMessage": "Cache Assets"
 	},
+	"host.flags.enable-proxy-protocol": {
+		"defaultMessage": "Enable PROXY Protocol"
+	},
 	"host.flags.preserve-path": {
 		"defaultMessage": "Preserve Path"
 	},
@@ -443,6 +446,9 @@
 	"host.forward-scheme": {
 		"defaultMessage": "Scheme"
 	},
+	"host.load-balancer-ip": {
+		"defaultMessage": "Load balancer or TCP proxy IP / CIDR range"
+	},
 	"hosts": {
 		"defaultMessage": "Hosts"
 	},

frontend/src/locale/src/es.json

@@ -365,6 +365,9 @@
 	"host.flags.cache-assets": {
 		"defaultMessage": "Cachear Recursos"
 	},
+	"host.flags.enable-proxy-protocol": {
+		"defaultMessage": "Enable PROXY Protocol"
+	},
 	"host.flags.preserve-path": {
 		"defaultMessage": "Preservar Ruta"
 	},
@@ -380,6 +383,9 @@
 	"host.forward-scheme": {
 		"defaultMessage": "Esquema"
 	},
+	"host.load-balancer-ip": {
+		"defaultMessage": "Load balancer or TCP proxy IP / CIDR range"
+	},
 	"hosts": {
 		"defaultMessage": "Hosts"
 	},

frontend/src/locale/src/et.json

@@ -428,6 +428,9 @@
 	"host.flags.cache-assets": {
 		"defaultMessage": "Cache Assets"
 	},
+	"host.flags.enable-proxy-protocol": {
+		"defaultMessage": "Enable PROXY Protocol"
+	},
 	"host.flags.preserve-path": {
 		"defaultMessage": "Preserve Path"
 	},
@@ -443,6 +446,9 @@
 	"host.forward-scheme": {
 		"defaultMessage": "Scheme"
 	},
+	"host.load-balancer-ip": {
+		"defaultMessage": "Load balancer or TCP proxy IP / CIDR range"
+	},
 	"hosts": {
 		"defaultMessage": "Hosts"
 	},

frontend/src/locale/src/fr.json

@@ -338,6 +338,9 @@
 	"host.flags.cache-assets": {
 		"defaultMessage": "Ressources du cache"
 	},
+	"host.flags.enable-proxy-protocol": {
+		"defaultMessage": "Enable PROXY Protocol"
+	},
 	"host.flags.preserve-path": {
 		"defaultMessage": "Préserver le chemin"
 	},
@@ -353,6 +356,9 @@
 	"host.forward-scheme": {
 		"defaultMessage": "Schéma"
 	},
+	"host.load-balancer-ip": {
+		"defaultMessage": "Load balancer or TCP proxy IP / CIDR range"
+	},
 	"hosts": {
 		"defaultMessage": "Hôtes"
 	},

frontend/src/locale/src/ga.json

@@ -353,6 +353,9 @@
 	"host.flags.cache-assets": {
 		"defaultMessage": "Sócmhainní Taisce"
 	},
+	"host.flags.enable-proxy-protocol": {
+		"defaultMessage": "Enable PROXY Protocol"
+	},
 	"host.flags.preserve-path": {
 		"defaultMessage": "Cosán a Chaomhnú"
 	},
@@ -368,6 +371,9 @@
 	"host.forward-scheme": {
 		"defaultMessage": "Scéim"
 	},
+	"host.load-balancer-ip": {
+		"defaultMessage": "Load balancer or TCP proxy IP / CIDR range"
+	},
 	"hosts": {
 		"defaultMessage": "Óstaigh"
 	},