PROXY Protocol support (rd 2)

backend/internal/nginx.js

@@ -154,7 +154,8 @@ const internalNginx = {
 				for (let i = 0; i < host.locations.length; i++) {
 					let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id},
 						{ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits},
-						{allow_websocket_upgrade: host.allow_websocket_upgrade}, {http2_support: host.http2_support},
+						{allow_websocket_upgrade: host.allow_websocket_upgrade}, {enable_proxy_protocol: host.enable_proxy_protocol},
+						{load_balancer_ip: host.load_balancer_ip}, {http2_support: host.http2_support},
 						{hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {access_list: host.access_list},
 						{certificate: host.certificate}, host.locations[i]);
 

backend/migrations/20220209144645_proxy_protocol.js

@@ -0,0 +1,35 @@
+const migrate_name = 'proxy_protocol';
+const logger       = require('../logger').migrate;
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object}  knex
+ * @param   {Promise} Promise
+ * @returns {Promise}
+ */
+exports.up = function (knex/*, Promise*/) {
+	logger.info('[' + migrate_name + '] Migrating Up...');
+
+	return knex.schema.table('proxy_host', function (proxy_host) {
+		proxy_host.integer('enable_proxy_protocol').notNull().unsigned().defaultTo(0);
+		proxy_host.string('load_balancer_ip').notNull().defaultTo('');
+	}).then(() => {
+		logger.info('[' + migrate_name + '] proxy_host Table altered');
+	});
+
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param   {Object}  knex
+ * @param   {Promise} Promise
+ * @returns {Promise}
+ */
+exports.down = function (knex, Promise) {
+	logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
+	return Promise.resolve(true);
+};

backend/schema/components/proxy-host-object.json

@@ -17,6 +17,8 @@
 		"advanced_config",
 		"meta",
 		"allow_websocket_upgrade",
+		"enable_proxy_protocol",
+		"load_balancer_ip",
 		"http2_support",
 		"forward_scheme",
 		"enabled",
@@ -77,6 +79,16 @@
 			"example": true,
 			"type": "boolean"
 		},
+		"enable_proxy_protocol": {
+			"description": "Enable PROXY Protocol support",
+			"example": true,
+			"type": "boolean"
+		},
+		"load_balancer_ip": {
+			"type": "string",
+			"minLength": 0,
+			"maxLength": 255
+		},
 		"http2_support": {
 			"$ref": "../common.json#/properties/http2_support"
 		},

backend/schema/paths/nginx/proxy-hosts/get.json

@@ -45,6 +45,8 @@
 										"nginx_err": null
 									},
 									"allow_websocket_upgrade": false,
+									"enable_proxy_protocol": false,
+									"load_balancer_ip": "",
 									"http2_support": false,
 									"forward_scheme": "http",
 									"enabled": true,

backend/schema/paths/nginx/proxy-hosts/hostID/get.json

@@ -45,6 +45,8 @@
 									"nginx_err": null
 								},
 								"allow_websocket_upgrade": false,
+								"enable_proxy_protocol": false,
+								"load_balancer_ip": "",
 								"http2_support": false,
 								"forward_scheme": "http",
 								"enabled": true,

backend/schema/paths/nginx/proxy-hosts/hostID/put.json

@@ -65,6 +65,12 @@
 						"allow_websocket_upgrade": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/allow_websocket_upgrade"
 						},
+						"enable_proxy_protocol": {
+							"$ref": "../../../../components/proxy-host-object.json#/properties/enable_proxy_protocol"
+						},
+						"load_balancer_ip": {
+							"$ref": "../../../../components/proxy-host-object.json#/properties/load_balancer_ip"
+						},
 						"access_list_id": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/access_list_id"
 						},
@@ -111,6 +117,8 @@
 									"nginx_err": null
 								},
 								"allow_websocket_upgrade": false,
+								"enable_proxy_protocol": false,
+								"load_balancer_ip": "",
 								"http2_support": false,
 								"forward_scheme": "http",
 								"enabled": true,

backend/schema/paths/nginx/proxy-hosts/post.json

@@ -53,6 +53,12 @@
 						"allow_websocket_upgrade": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/allow_websocket_upgrade"
 						},
+						"enable_proxy_protocol": {
+							"$ref": "../../../components/proxy-host-object.json#/properties/enable_proxy_protocol"
+						},
+						"load_balancer_ip": {
+							"$ref": "../../../components/proxy-host-object.json#/properties/load_balancer_ip"
+						},
 						"access_list_id": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/access_list_id"
 						},
@@ -96,6 +102,8 @@
 								"advanced_config": "",
 								"meta": {},
 								"allow_websocket_upgrade": false,
+								"enable_proxy_protocol": false,
+								"load_balancer_ip": "",
 								"http2_support": false,
 								"forward_scheme": "http",
 								"enabled": true,

backend/templates/_listen.conf

@@ -1,16 +1,28 @@
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
+  listen 88 proxy_protocol;
+{% if ipv6 -%}
+  listen [::]:88 proxy_protocol;
+{% endif %}  
+{% else -%}
   listen 80;
 {% if ipv6 -%}
   listen [::]:80;
-{% else -%}
-  #listen [::]:80;
+{% endif %}   
 {% endif %}
 {% if certificate -%}
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
+  listen 444 ssl proxy_protocol;
+{% if ipv6 -%}
+  listen [::]:444 ssl proxy_protocol;
+{% endif %}  
+{% else -%}
   listen 443 ssl;
 {% if ipv6 -%}
   listen [::]:443 ssl;
-{% else -%}
-  #listen [::]:443;
+{% endif %}   
 {% endif %}
+{% else %}
+  #listen [::]:443;
 {% endif %}
   server_name {{ domain_names | join: " " }};
 {% if http2_support == 1 or http2_support == true %}

backend/templates/_proxy_protocol.conf

@@ -0,0 +1,6 @@
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true %}
+{% if load_balancer_ip != '' %}
+  set_real_ip_from {{ load_balancer_ip }};
+  real_ip_header proxy_protocol;
+{% endif %}
+{% endif %}

backend/templates/proxy_host.conf

@@ -15,6 +15,7 @@ server {
 {% include "_exploits.conf" %}
 {% include "_hsts.conf" %}
 {% include "_forced_ssl.conf" %}
+{% include "_proxy_protocol.conf" %}
 
 {% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
 proxy_set_header Upgrade $http_upgrade;

frontend/js/app/nginx/proxy/form.ejs

@@ -72,7 +72,7 @@
                                 </label>
                             </div>
                         </div>
-                        <div class="col-sm-12 col-md-12">
+                        <div class="col-sm-6 col-md-6">
                             <div class="form-group">
                                 <label class="custom-switch">
                                     <input type="checkbox" class="custom-switch-input" name="allow_websocket_upgrade" value="1"<%- allow_websocket_upgrade ? ' checked' : '' %>>
@@ -81,6 +81,21 @@
                                 </label>
                             </div>
                         </div>
+                        <div class="col-sm-6 col-md-6">
+                            <div class="form-group">
+                                <label class="custom-switch">
+                                    <input type="checkbox" class="custom-switch-input" name="enable_proxy_protocol" value="1"<%- enable_proxy_protocol ? ' checked' : '' %>>
+                                    <span class="custom-switch-indicator"></span>
+                                    <span class="custom-switch-description"><%- i18n('proxy-hosts', 'enable-proxy-protocol') %> <a href="https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/#introduction" target="_blank"><i class="fe fe-help-circle"></i></a></span>
+                                </label>
+                            </div>
+                        </div>
+                        <div class="col-sm-12 col-md-12">
+                            <div class="form-group">
+                                <label class="form-label"><%- i18n('proxy-hosts', 'load-balancer-ip') %>  <a href="https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/#changing-the-load-balancers-ip-address-to-the-client-ip-address" target="_blank"><i class="fe fe-help-circle"></i></a></label>
+                                <input type="text" name="load_balancer_ip" class="form-control text-monospace" placeholder="" value="<%- load_balancer_ip %>" autocomplete="off" maxlength="255" <%- enable_proxy_protocol ? '' : ' disabled' %>>
+                            </div>
+                        </div>
 
                         <div class="col-sm-12 col-md-12">
                             <div class="form-group">

frontend/js/app/nginx/proxy/form.js

@@ -43,14 +43,24 @@ module.exports = Mn.View.extend({
         dns_provider_credentials: 'textarea[name="meta[dns_provider_credentials]"]',
         propagation_seconds:      'input[name="meta[propagation_seconds]"]',
         forward_scheme:           'select[name="forward_scheme"]',
-        letsencrypt:              '.letsencrypt'
+        letsencrypt:              '.letsencrypt',
+        enable_proxy_protocol:    'input[name="enable_proxy_protocol"]',
+        load_balancer_ip:         'input[name="load_balancer_ip"]'
     },
 
     regions: {
         locations_regions: '@ui.locations_container'
     },
 
     events: {
+        'change @ui.enable_proxy_protocol': function () {
+            let checked = this.ui.enable_proxy_protocol.prop('checked');
+            this.ui.load_balancer_ip
+                .prop('disabled', !checked)
+                .parents('.form-group')
+                .css('opacity', checked ? 1 : 0.5);
+        },
+
         'change @ui.certificate_select': function () {
             let id = this.ui.certificate_select.val();
             if (id === 'new') {
@@ -163,6 +173,7 @@ module.exports = Mn.View.extend({
             data.block_exploits          = !!data.block_exploits;
             data.caching_enabled         = !!data.caching_enabled;
             data.allow_websocket_upgrade = !!data.allow_websocket_upgrade;
+            data.enable_proxy_protocol   = !!data.enable_proxy_protocol;
             data.http2_support           = !!data.http2_support;
             data.hsts_enabled            = !!data.hsts_enabled;
             data.hsts_subdomains         = !!data.hsts_subdomains;
@@ -264,6 +275,7 @@ module.exports = Mn.View.extend({
     onRender: function () {
         let view = this;
 
+        this.ui.enable_proxy_protocol.trigger('change');
         this.ui.ssl_forced.trigger('change');
         this.ui.hsts_enabled.trigger('change');
 

frontend/js/i18n/messages.json

@@ -132,8 +132,10 @@
       "access-list": "Access List",
       "allow-websocket-upgrade": "Websockets Support",
       "ignore-invalid-upstream-ssl": "Ignore Invalid SSL",
-      "custom-forward-host-help": "Add a path for sub-folder forwarding.\nExample: 203.0.113.25/path/",
-      "search": "Search Host…"
+      "custom-forward-host-help": "Add a path for sub-folder forwarding.\nExample: 203.0.113.25/path",
+      "search": "Search Host…",
+      "enable-proxy-protocol": "Enable PROXY Protocol",
+      "load-balancer-ip": "Load balancer or TCP proxy IP / CIDR range "
     },
     "redirection-hosts": {
       "title": "Redirection Hosts",

frontend/js/models/proxy-host.js

@@ -19,6 +19,8 @@ const model = Backbone.Model.extend({
             hsts_subdomains:         false,
             caching_enabled:         false,
             allow_websocket_upgrade: false,
+            enable_proxy_protocol:   false,
+            load_balancer_ip:        '',
             block_exploits:          false,
             http2_support:           false,
             advanced_config:         '',