
[v16] exclude alpn upgrade connections from PROXY line enforcement #45992

Merged: 3 commits merged into branch/v16 from bot/backport-45968-branch/v16 on Aug 29, 2024

Conversation

tigrato
Contributor

@tigrato tigrato commented Aug 28, 2024

Backport #45968 to branch/v16

changelog: Prevent connections from being randomly terminated by Teleport proxies when proxy_protocol is enabled and TLS is terminated before Teleport Proxy.

When clients use multiplex mode behind a TLS-terminating load balancer (LB), Teleport circumvents this limitation by establishing a connection that is upgraded to WebSockets.

On the upgraded WebSocket connection, clients initiate a TLS handshake and send their actual requests.

However, when `proxy_protocol: on` is enabled, the proxy line validation is re-applied to the upgraded connection, causing the request to fail. This occurs because the LB only included the proxy line in the initial WebSocket request, which was consumed. After the upgrade, the connection is routed to the ALPN router, and if it reaches the Kubernetes Proxy, it tries to enforce the presence of the PROXY line.

Since the PROXY line was not present, the request failed.

This PR excludes WebSocket-upgraded connections from PROXY line validation.
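As an added illustration (not Teleport's code, and not part of the PR): a minimal Go sketch of the enforcement logic the description refers to, where a hypothetical `alpnUpgraded` marker type stands in for however Teleport flags connections that came through the WebSocket upgrade path.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"strings"
)

// alpnUpgraded is a hypothetical marker for connections that arrived via the
// WebSocket upgrade path: the LB sent its PROXY line on the original HTTP
// request, so the inner connection must not be asked for one again.
type alpnUpgraded struct{ net.Conn }

func (alpnUpgraded) Upgraded() bool { return true }

// bufferedConn keeps bytes read past the PROXY line available to the caller.
type bufferedConn struct { r *bufio.Reader; net.Conn }

func (b bufferedConn) Read(p []byte) (int, error) { return b.r.Read(p) }

var errMissingProxyLine = errors.New("proxy_protocol: on, but no PROXY line received")

// enforceProxyLine requires a PROXY v1 line and returns the client address it
// carries; upgraded connections are passed through untouched, as in the fix above.
func enforceProxyLine(c net.Conn) (net.Conn, string, error) {
	if u, ok := c.(interface{ Upgraded() bool }); ok && u.Upgraded() {
		return c, c.RemoteAddr().String(), nil
	}
	r := bufio.NewReader(c)
	line, err := r.ReadString('\n')
	if err != nil || !strings.HasPrefix(line, "PROXY ") {
		return nil, "", errMissingProxyLine
	}
	f := strings.Fields(line) // PROXY <TCP4|TCP6> <src> <dst> <srcport> <dstport>
	if len(f) != 6 {
		return nil, "", fmt.Errorf("malformed PROXY line: %q", line)
	}
	return bufferedConn{r, c}, net.JoinHostPort(f[2], f[4]), nil
}

func main() {
	// Constructed sample: an LB-style client sending a PROXY v1 line over an in-memory pipe.
	client, server := net.Pipe()
	go func() { client.Write([]byte("PROXY TCP4 10.0.0.1 10.0.0.2 12345 443\r\n")); client.Close() }()
	_, addr, err := enforceProxyLine(server)
	fmt.Println(addr, err) // 10.0.0.1:12345 <nil>
}
```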
@tigrato tigrato added this pull request to the merge queue Aug 29, 2024
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from nklaassen August 29, 2024 01:25
Merged via the queue into branch/v16 with commit ee58c16 Aug 29, 2024
41 checks passed
@tigrato tigrato deleted the bot/backport-45968-branch/v16 branch August 29, 2024 01:43