Skip to content

Also setting destination values #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

Also setting destination values #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 50 additions & 17 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,39 +1,72 @@
node-proxywrap
==============

This module wraps node's various `Server` interfaces so that they are compatible with the [PROXY protocol](http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt). It automatically parses the PROXY headers and resets `socket.remoteAddress` and `socket.remotePort` so that they have the correct values.
[1]: http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
[2]: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html

This module wraps node's various `Server` interfaces so that they are
compatible with the [PROXY protocol][1]. It automatically parses the
PROXY headers and resets the following socket properties so that they
have the correct values:

socket.sourceAddress
socket.sourcePort
socket.destinationAddress
socket.destinationPort

Install it with:

npm install proxywrap

This module is especially useful if you need to get the client IP address when you're behind an AWS ELB in TCP mode.
This module is especially useful if you need to get the client IP
address when you're behind an AWS ELB in TCP mode.

In HTTP or HTTPS mode (aka SSL termination at ELB), the ELB inserts `X-Forwarded-For` headers for you. However, in TCP mode, the ELB can't understand the underlying protocol, so you lose the client's IP address. With the PROXY protocol and this module, you're able to retain the client IP address with any protocol.
In HTTP or HTTPS mode (aka SSL termination at ELB), the ELB inserts
`X-Forwarded-For` headers for you. However, in TCP mode, the ELB
can't understand the underlying protocol, so you lose the client's IP
address. With the PROXY protocol and this module, you're able to
retain the client IP address with any protocol.

In order for this module to work, you must [enable the PROXY protocol on your ELB](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html) (or whatever proxy your app is behind).
In order for this module to work, you must [enable the PROXY protocol
on your ELB][2] (or whatever proxy your app is behind).

Usage
-----

proxywrap is a drop-in replacement. Here's a simple Express app:

var http = require('http')
, proxiedHttp = require('proxywrap').proxy(http)
, express = require('express')
, app = express()
, srv = proxiedHttp.createServer(app); // instead of http.createServer(app)
```javascript
var http = require('http')
, proxiedHttp = require('proxywrap').proxy(http)
, express = require('express')
, app = express()
, srv = proxiedHttp.createServer(app); // instead of http.createServer(app)

app.get('/', function(req, res) {
res.send('IP = ' + req.connection.remoteAddress + ':' + req.connection.remotePort);
});
app.get('/', function(req, res) {
res.send('FROM IP = ' + req.connection.sourceAddress + ':' + req.connection.sourcePort);
res.send(' TO IP = ' + req.connection.destinationAddress + ':' + req.connection.destinationPort);
});

srv.listen(80);
srv.listen(80);
```

The magic happens in the `proxywrap.proxy()` call. It wraps the module's `Server` constructor and handles a bunch of messy details for you.
The magic happens in the `proxywrap.proxy()` call. It wraps the
module's `Server` constructor and handles a bunch of messy details for
you.

You can do the same with `net` (raw TCP streams), `https`, and `spdy`. It will probably work with other modules that follow the same pattern, but none have been tested.
You can do the same with `net` (raw TCP streams), `https`, and `spdy`.
It will probably work with other modules that follow the same pattern,
but none have been tested.

*Note*: If you're wrapping [node-spdy](https://github.com/indutny/node-spdy), its exports are a little strange:
*Note*:
If you're wrapping [node-spdy](https://github.com/indutny/node-spdy),
its exports are a little strange:

var proxiedSpdy = require('proxywrap').proxy(require('spdy').server);

**Warning:** *All* traffic to your proxied server MUST use the PROXY protocol. If the first five bytes received aren't `PROXY`, the connection will be dropped. Obviously, the node server accepting PROXY connections should not be exposed directly to the internet; only the proxy (whether ELB, HAProxy, or something else) should be able to connect to node.
**Warning:** *All* traffic to your proxied server MUST use the PROXY
protocol. If the first five bytes received aren't `PROXY`, the
connection will be dropped. Obviously, the node server accepting
PROXY connections should not be exposed directly to the internet; only
the proxy (whether ELB, HAProxy, or something else) should be able to
connect to node.
31 changes: 24 additions & 7 deletions proxywrap.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ var util = require('util');
//var legacy = !require('stream').Duplex; // TODO: Support <= 0.8 streams interface

// Wraps the given module (ie, http, https, net, tls, etc) interface so that
// `socket.remoteAddress` and `remotePort` work correctly when used with the
// `socket.sourceAddress` and `sourcePort` work correctly when used with the
// PROXY protocol (http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt)
exports.proxy = function(iface) {
var exports = {};
Expand Down Expand Up @@ -66,7 +66,7 @@ exports.proxy = function(iface) {

exports.createServer = function(opts, requestListener) {
return new ProxiedServer(opts, requestListener);
}
};

exports.Server = ProxiedServer;

Expand All @@ -88,7 +88,7 @@ exports.proxy = function(iface) {
} else*/ if (event == 'readable') {
onReadable();
}
}
};

function restore() {
//if (legacy) socket.removeListener('data', ondata);
Expand All @@ -106,7 +106,7 @@ exports.proxy = function(iface) {
var header = '', buf = new Buffer(0);
function onReadable() {
var chunk;
while (null != (chunk = socket.read())) {
while (null !== (chunk = socket.read())) {
buf = Buffer.concat([buf, chunk]);
header += chunk.toString('ascii');

Expand All @@ -121,21 +121,38 @@ exports.proxy = function(iface) {
var hlen = header.length;
header = header.split(' ');

Object.defineProperty(socket, 'remoteAddress', {
Object.defineProperty(socket, 'sourceAddress', {
enumerable: false,
configurable: true,
get: function() {
return header[2];
}
});
Object.defineProperty(socket, 'remotePort', {

Object.defineProperty(socket, 'destinationAddress', {
enumerable: false,
configurable: true,
get: function() {
return header[3];
}
});

Object.defineProperty(socket, 'sourcePort', {
enumerable: false,
configurable: true,
get: function() {
return parseInt(header[4], 10);
}
});

Object.defineProperty(socket, 'destinationPort', {
enumerable: false,
configurable: true,
get: function() {
return parseInt(header[5], 10);
}
});

// unshifting will fire the readable event
socket.emit = realEmit;
socket.unshift(buf.slice(crlf+2));
Expand All @@ -160,4 +177,4 @@ exports.proxy = function(iface) {
}

return exports;
}
};