On 11/20/2020 4:52 AM, Howard Chu wrote:
client and the proxy server. But nobody says the proxy server can't talk to the backend server using its own TLS session. Unless you can point out anywhere in the HAproxy spec that explicitly forbids this.
Eeehhhh.... I don't think it explicitly forbids it, but that's just not how it says the protocol works :).
"Another approach consists in prepending each connection with a header reporting the characteristics of the other side's connection. This method is simpler to implement, does not require any protocol-specific knowledge on either side, and completely fits the purpose since what is desired precisely is to know the other side's connection endpoints. It is easy to perform for the sender (just send a short header once the connection is established) and to parse for the receiver (simply perform one read() on the incoming connection to fill in addresses after an accept). The protocol used to carry connection information across proxies was thus called the PROXY protocol."
The intention is to be "simple", not require any "protocol specific knowledge" (such as whether or not the connection being proxied uses TLS), and is implemented as "just send a short header", which doesn't explicitly forbid doing a bunch of other stuff, but that's not what is specified.
Another excerpt:
"In both cases, the protocol simply consists in an easily parsable header placed by the connection initiator at the beginning of each connection. The protocol is intentionally stateless in that it does not expect the sender to wait for the receiver before sending the header, nor the receiver to send anything back."
Negotiating its own TLS session would not be stateless…