From 0473c5f0befbca43322135efe25957a8c3a2db67 Mon Sep 17 00:00:00 2001
From: Anton Miniailo
Date: Mon, 18 Sep 2023 14:27:35 -0400
Subject: [PATCH] Revert rejecting connection if PROXY header is signed with non-local cluster (#32068)

Temporary reverting before we implement proper fix. This caused clusters with changed name (but not updated CA) to become unaccesible.
---
 lib/multiplexer/multiplexer.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/multiplexer/multiplexer.go b/lib/multiplexer/multiplexer.go
index d6cd0533df4d6..1efe642823f9b 100644
--- a/lib/multiplexer/multiplexer.go
+++ b/lib/multiplexer/multiplexer.go
@@ -500,6 +500,13 @@ func (m *Mux) detect(conn net.Conn) (*Conn, error) {
 }).Warnf("%s - could not get host CA", invalidProxySignatureError)
 continue
 }
+ if errors.Is(err, ErrNonLocalCluster) {
+ m.WithFields(log.Fields{
+ "src_addr": conn.RemoteAddr(),
+ "dst_addr": conn.LocalAddr(),
+ }).Debugf("%s - signed by non local cluster", invalidProxySignatureError)
+ continue
+ }
 if err != nil {
 return nil, trace.Wrap(err, "%s %s -> %s", invalidProxySignatureError, conn.RemoteAddr(), conn.LocalAddr())
 }
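Review bot: The new ErrNonLocalCluster branch downgrades a signature-validation failure to Debug, so a PROXY header signed by a different cluster is now skipped with no operator-visible trace, while the sibling "could not get host CA" branch just above logs the same class of event at Warn. Since the commit message describes this as a temporary revert pending a proper fix, the event should stay visible at the same level, `}).Warnf("%s - signed by non local cluster", invalidProxySignatureError)`, and the branch should carry a comment such as `// TODO(#32068): temporary; header from a non-local cluster is skipped, not rejected, until cluster-rename handling is fixed` so the relaxed check is not mistaken for intended behaviour. It is not visible from the hunk what `continue` does with the remaining bytes of the connection after the header is skipped; if the header's source address is dropped rather than applied, that is worth stating in the comment too. The enclosing detect method starts and ends outside the hunk.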