Paul B. Henson wrote:
> On 11/19/2020 1:37 PM, Howard Chu wrote:
>> This would require that you actually read and process the proxy header immediately after the accept call. It strikes me that this is the wrong thing to do, if you also want to support TLS.
>
> Unless I'm misunderstanding the specification, that is the only way it would work. The TLS negotiation, barring TLS interception by the proxy, is between the client and the backend server, not between the proxy and the backend server.

Yes, I understand that any TLS session initiated by the client is only between the client and the proxy server. But nobody says the proxy server can't talk to the backend server using its own TLS session. Unless you can point out anywhere in the HAproxy spec that explicitly forbids this.

> This does seem to make it susceptible to man in the middle attacks where someone could swap out the proxy protocol data, but I think the general assumption is that the connection between the proxy/load balancer and the backend server is within a trusted network where such an attack is not a concern.

This assumption is not wise.
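
Added example (not part of the thread and not code from any project discussed in it): a sketch of a backend parsing a PROXY protocol v1 line as the first bytes after accept, before any TLS handshake, and refusing it unless the TCP peer is a configured proxy. The allowlist network, the function and exception names, and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress

# Assumed deployment value (constructed): addresses allowed to send a PROXY header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/29")]
MAX_V1_LEN = 107  # longest v1 line the PROXY protocol spec allows, CRLF included


class ProxyHeaderError(Exception):
    """The connection must be dropped: header untrusted or malformed."""


def parse_proxy_v1(buf, peer_ip):
    """Parse a PROXY v1 line at the very start of an accepted connection.

    Returns (addrs, rest): addrs is (src_ip, src_port, dst_ip, dst_port),
    or None for UNKNOWN; rest is what follows the header, for example the
    TLS ClientHello that is handed to the TLS layer afterwards.
    """
    peer = ipaddress.ip_address(peer_ip)
    # The header is unauthenticated, so only a configured proxy may send it.
    if not any(peer in net for net in TRUSTED_PROXIES):
        raise ProxyHeaderError("peer is not a configured proxy")
    end = buf.find(b"\r\n", 0, MAX_V1_LEN)
    if not buf.startswith(b"PROXY ") or end == -1:
        raise ProxyHeaderError("missing or oversized PROXY v1 line")
    rest = buf[end + 2:]
    try:
        fields = buf[:end].decode("ascii").split(" ")
        if fields[1] == "UNKNOWN":
            return None, rest  # proxy could not state the addresses
        if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
            raise ValueError("bad field count or protocol")
        family = 4 if fields[1] == "TCP4" else 6
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[3])
        if src.version != family or dst.version != family:
            raise ValueError("address family mismatch")
        if not (fields[4].isdigit() and fields[5].isdigit()):
            raise ValueError("non-numeric port")
        sport, dport = int(fields[4]), int(fields[5])
        if sport > 65535 or dport > 65535:
            raise ValueError("port out of range")
    except ValueError as exc:
        raise ProxyHeaderError(str(exc)) from exc
    return (str(src), sport, str(dst), dport), rest


# Constructed sample: header from the proxy, then the first bytes of a TLS record.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 636\r\n\x16\x03\x01"
```

The source-address allowlist only rejects headers from hosts that are not the proxy; it does not detect a header altered in transit between the proxy and the backend.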