#-
# Copyright (c) 2018 GANDI SAS
# All rights reserved.
#
# Author: Emmanuel Hocdet <manu@gandi.net>
#
# SPDX-License-Identifier: BSD-2-Clause
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

$ABI strict
$Module proxy 3 "Varnish Module to extract TLV attributes from PROXYv2"

DESCRIPTION
===========

*vmod_proxy* contains functions to extract proxy-protocol-v2 TLV
attributes as described in
https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt.

$Function STRING alpn()

Extract ALPN attribute.

Example::

    set req.http.alpn = proxy.alpn();

$Function STRING authority()

Extract authority attribute. This corresponds to SNI from a TLS
connection.

Example::

    set req.http.authority = proxy.authority();

$Function BOOL is_ssl()

Report if proxy-protocol-v2 has SSL TLV.

Example::

    if (proxy.is_ssl()) {
        set req.http.ssl-version = proxy.ssl_version();
    }

$Function BOOL client_has_cert_sess()

Report if the client provided a certificate at least once over the TLS
session this connection belongs to.

$Function BOOL client_has_cert_conn()

Report if the client provided a certificate over the current
connection.

$Function INT ssl_verify_result()

Report the SSL_get_verify_result value from a TLS session. It is only
meaningful if client_has_cert_sess() is true. By default, the value is
0 (X509_V_OK).

Example::

    if (proxy.client_has_cert_sess() && proxy.ssl_verify_result() == 0) {
        set req.http.ssl-verify = "ok";
    }

$Function STRING ssl_version()

Extract SSL version attribute.

Example::

    set req.http.ssl-version = proxy.ssl_version();

$Function STRING client_cert_cn()

Extract the common name attribute of the client certificate.

Example::

    set req.http.cert-cn = proxy.client_cert_cn();

$Function STRING ssl_cipher()

Extract the SSL cipher attribute.

Example::

    set req.http.ssl-cipher = proxy.ssl_cipher();

$Function STRING cert_sign()

Extract the certificate signature algorithm attribute.

Example::

    set req.http.cert-sign = proxy.cert_sign();

$Function STRING cert_key()

Extract the certificate key algorithm attribute.

Example::

    set req.http.cert-key = proxy.cert_key();

SEE ALSO
========

* :ref:`varnishd(1)`
* :ref:`vsl(7)`
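
The TLV layout that the functions above read from, shown as an added Python example; it is not code from vmod_proxy or Varnish. The type codes and the SSL TLV layout (client byte, 4-byte verify result, then sub-TLVs) follow the PROXY protocol specification linked in DESCRIPTION. The names ``iter_tlvs``, ``parse_attributes``, ``tlv`` and ``SAMPLE`` are hypothetical, and the mapping of sub-TLV types to the vmod's function names is an assumption.

```python
import struct

# TLV type codes from the PROXY protocol v2 specification.
PP2_TYPE_ALPN, PP2_TYPE_AUTHORITY, PP2_TYPE_SSL = 0x01, 0x02, 0x20
# Assumed mapping of SSL sub-TLV types to the vmod_proxy function names.
SSL_SUBTYPES = {0x21: "ssl_version", 0x22: "client_cert_cn", 0x23: "ssl_cipher",
                0x24: "cert_sign", 0x25: "cert_key"}
PP2_CLIENT_CERT_CONN, PP2_CLIENT_CERT_SESS = 0x02, 0x04  # bits of the client byte

def iter_tlvs(buf):
    """Yield (type, value) pairs; reject any length that overruns the buffer."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 3:
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!BH", buf, pos)
        pos += 3
        if length > len(buf) - pos:
            raise ValueError("TLV length exceeds remaining data")
        yield tlv_type, buf[pos:pos + length]
        pos += length

def parse_attributes(tlv_area):
    """Return the attributes carried in the TLV area of a PROXYv2 header."""
    out = {"is_ssl": False}
    for tlv_type, value in iter_tlvs(tlv_area):
        if tlv_type == PP2_TYPE_ALPN:
            out["alpn"] = value.decode("utf-8", "replace")
        elif tlv_type == PP2_TYPE_AUTHORITY:
            out["authority"] = value.decode("utf-8", "replace")
        elif tlv_type == PP2_TYPE_SSL:
            if len(value) < 5:
                raise ValueError("SSL TLV shorter than client and verify fields")
            client, verify = struct.unpack_from("!BI", value, 0)
            out["is_ssl"] = True  # the SSL TLV is present
            out["client_has_cert_conn"] = bool(client & PP2_CLIENT_CERT_CONN)
            out["client_has_cert_sess"] = bool(client & PP2_CLIENT_CERT_SESS)
            out["ssl_verify_result"] = verify  # 0 is X509_V_OK
            for sub_type, sub_value in iter_tlvs(value[5:]):
                if sub_type in SSL_SUBTYPES:
                    out[SSL_SUBTYPES[sub_type]] = sub_value.decode("utf-8", "replace")
    return out

def tlv(tlv_type, value):  # helper that builds one TLV for the sample below
    return struct.pack("!BH", tlv_type, len(value)) + value

# Constructed sample TLV area (not a capture): ALPN, authority, SSL with two sub-TLVs.
SAMPLE = tlv(0x01, b"h2") + tlv(0x02, b"www.example.com") + tlv(
    0x20, struct.pack("!BI", 0x07, 0) + tlv(0x21, b"TLSv1.3") + tlv(0x22, b"client1"))
```

Attributes absent from the header, such as the cipher in this sample, are simply missing from the returned dictionary, and a TLV whose declared length runs past the buffer raises ``ValueError`` instead of being read.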