Skip to content

Add pre-TLS processing hook for PROXY protocol support and expose methods for HTTP2 shutdown#799

Open
jaw-sh wants to merge 5 commits intocloudflare:mainfrom
jaw-sh:proxy-protocol-before-tls
Open

Add pre-TLS processing hook for PROXY protocol support and expose methods for HTTP2 shutdown#799
jaw-sh wants to merge 5 commits intocloudflare:mainfrom
jaw-sh:proxy-protocol-before-tls

Conversation

@jaw-sh
Copy link
Copy Markdown

@jaw-sh jaw-sh commented Jan 22, 2026
edited
Loading

This adds a PreTlsProcess trait and callback mechanism that allows applications to read and process bytes from the raw TCP stream before the TLS handshake begins. Provides a way to self-implement #132 .

This also exposes HTTP2 session terminators. Closes #775.

The HAProxy PROXY protocol spec requires that the header be parsed from the raw TCP stream before any application protocol processing, including TLS. Currently there's no way to do this in Pingora - by the time ServerApp::process_new runs, TLS has already completed.
https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

This is how nginx and haproxy handle it: TCP accept → parse PROXY header → TLS handshake → HTTP.
https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L307-L362

Changes

  • Add PreTlsProcess trait in pingora-core/src/listeners/mod.rs
  • Thread callback through TransportStackBuilder → TransportStack → UninitializedStream
  • Call callback in UninitializedStream::handshake() before TLS
  • Make Stream::rewind() public so implementations can put back bytes that aren't PROXY protocol

Usage

struct ProxyProtocolHandler;

#[async_trait]
impl PreTlsProcess for ProxyProtocolHandler {
    async fn process(&self, stream: &mut L4Stream) -> Result<()> {
        // Read PROXY header, update socket digest with real client IP
        Ok(())
    }
}

// In setup:
listeners.set_pre_tls_callback(Arc::new(ProxyProtocolHandler));

This code is being used in a beta server deployment with PROXY Protocol v1 and v2 support to handle incoming traffic from other web servers and Tor with success.

jaw-sh added 2 commits January 21, 2026 15:54
@jaw-sh
Add shutdown_with_reason for H2 streams
1bd3c47 
Allow sending RST_STREAM with a custom reason code instead of hardcoded
INTERNAL_ERROR. This enables RFC 7540 §9.1.2 compliant 421 responses where
HTTP_1_1_REQUIRED can signal clients to retry over HTTP/1.1.

Fixes cloudflare#787
@jaw-sh
Merge pull request #1 from jaw-sh/h2-custom-reset-reason
33465f3 
Add shutdown_with_reason for H2 streams
@duke8253 duke8253 added the enhancement New feature or request label Jan 23, 2026
@jaw-sh
Add pre-TLS callback for PROXY protocol support
b3d1960 
Add a PreTlsProcess trait and set_pre_tls_callback() method that allows
applications to process raw bytes before the TLS handshake occurs.

This is useful for protocols like HAProxy's PROXY protocol, which sends
client address information before TLS. The callback reads and consumes
protocol headers, then updates the socket digest with the real client
address.
@jaw-sh
Make Stream::rewind() public for protocol detection
9aa73fb 
PreTlsProcess implementations need to put data back onto the stream
when it doesn't match the expected protocol signature. This lets the
PROXY protocol handler rewind non-PROXY data so TLS proceeds normally.
@jaw-sh jaw-sh force-pushed the proxy-protocol-before-tls branch from 78334c9 to 9aa73fb Compare February 11, 2026 17:06
@varunravi98 varunravi98 mentioned this pull request Mar 12, 2026
Merged
drcaramelsyrup
drcaramelsyrup approved these changes Mar 28, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@drcaramelsyrup drcaramelsyrup left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a pretty straightforward optional callback hook to me, will report back if internal review reports any other suggested changes.

drcaramelsyrup
drcaramelsyrup reviewed Apr 3, 2026
View reviewed changes
pingora-core/src/listeners/mod.rs Outdated
self.l4.set_buffer();

// Process pre-TLS data if a callback is configured (e.g., PROXY protocol)
if let Some(ref callback) = self.pre_tls_callback {
Copy link
Copy Markdown
Collaborator

@drcaramelsyrup drcaramelsyrup Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jaw-sh The name of the callback suggests that we might only want to do this if we will actually perform the tls_handshake a few lines below.

If the callback is only invoked when we actually intend on performing a TLS handshake, would that still work with your use case?

Copy link
Copy Markdown
Author

@jaw-sh jaw-sh Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, for my purposes. In insecure HTTP, it is possible to intercept the origin's remote IP through standard header parsing such as Cloudflare's cf-connecting-ip.

Copy link
Copy Markdown
Collaborator

@drcaramelsyrup drcaramelsyrup Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In that case I think it makes sense to move this callback inside the if let Some(tls) = self.tls block. "Pre-TLS" to the caller might mean that this is only attempted if we are going to invoke the TLS handshake afterwards.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@drcaramelsyrup drcaramelsyrup drcaramelsyrup approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees

@drcaramelsyrup drcaramelsyrup

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Provide TlsRef details to HTTP/2 requests

3 participants

@jaw-sh @drcaramelsyrup @duke8253