Add additional support for Proxy #5730
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Tried to fix slice proxy protocol header and payload
retry to support all header mode
Based on many implementations of the proxy protocol, some applications send the proxy header as a standalone packet without payload, some applications add the proxy header to the first packet in the stream (which, unlike the first type, contains its own payload), and some applications prepend the proxy header to every packet. All header modes should now properly supported and functioning correctly.
onebeastchris
requested changes
Aug 8, 2025
| ByteBuf content = packet.content(); | ||
| GeyserBedrockPeer peer = (GeyserBedrockPeer) ctx.pipeline().get(BedrockPeer.NAME); | ||
| int detectedVersion = peer != null ? -1 : ProxyProtocolDecoder.findVersion(content); | ||
| ByteBuf content = packet.content().copy(); |
core/src/main/java/org/geysermc/geyser/network/netty/proxy/ProxyServerHandler.java
Outdated
Show resolved
Hide resolved
| final HAProxyMessage decoded; | ||
| try { | ||
| if ((decoded = ProxyProtocolDecoder.decode(content, detectedVersion)) == null) { | ||
| // PROXY header was not present in the packet, ignore. |
| GeyserImpl.getInstance().getGeyserServer().getProxiedAddresses().put(packet.sender(), presentAddress); | ||
| } else { | ||
| log.trace("Reusing PROXY header: (from {}) {}", packet.sender(), presentAddress); | ||
| // --- Subsequent packet processing logic --- | ||
| int detectedVersion = ProxyProtocolDecoder.findVersion(content); |
There was a problem hiding this comment.
Given that this is used in both cases of the if block, this can be moved outside it to reduce code duplication
| GeyserImpl.getInstance().getGeyserServer().getProxiedAddresses().put(packet.sender(), presentAddress); | ||
| } else { | ||
| log.trace("Reusing PROXY header: (from {}) {}", packet.sender(), presentAddress); | ||
| // --- Subsequent packet processing logic --- |
There was a problem hiding this comment.
Suggested change
| // --- Subsequent packet processing logic --- | |
| // Some proxy protocol implementations always send the proxy protocol header, which we should strip after reading it in the first message |
Maybe also link the related issue here; that'd be useful too
| // If a subsequent packet also contains a header, only strip it without using its content | ||
| try { | ||
| if (ProxyProtocolDecoder.decode(content, detectedVersion) == null) { | ||
| content = packet.content(); |
There was a problem hiding this comment.
why is this re-assigning the content variable? This should already just be this value
| } | ||
| } catch (HAProxyProtocolException e) { | ||
| log.debug("{} sent malformed subsequent PROXY header", packet.sender(), e); | ||
| content = packet.content(); |
There was a problem hiding this comment.
why is this re-assigning the content variable? This should already just be this value
Comment on lines
80
to
93
| ctx.fireChannelRead(packet.retain()); | ||
| // --- Unified packet reconstruction and forwarding logic --- | ||
| // Regardless of whether the packet originally contained a header, `content` now represents the pure payload. | ||
| // To ensure consistency in the behavior of downstream handlers, we always create a new packet instance to forward. | ||
| // This avoids any issues that may arise from the difference in object instances between the original packet (retain) and a new packet. | ||
| ByteBuf payloadOnly = content.copy(); | ||
| DatagramPacket newPacket = new DatagramPacket(payloadOnly, packet.recipient(), packet.sender()); | ||
| ctx.fireChannelRead(newPacket); |
There was a problem hiding this comment.
This diff doesn't seem to be of much use? The content is now a second copy of the packets' content, nor does the construction of a new datagram packet seem necessary
…xyServerHandler.java Co-authored-by: chris <github@onechris.mozmail.com>
Improves the logic for detecting, decoding, and stripping PROXY protocol headers from incoming packets. Ensures the buffer's reader index is managed correctly, avoids unnecessary buffer copies, and adds debug logging for malformed or incomplete headers. This change streamlines packet processing and reduces overhead by retaining and forwarding the original packet when possible.
Simplifies and restructures the logic for decoding and validating PROXY protocol v2 headers in UDP packets. Adds explicit whitelisting checks for proxier addresses using CIDR matchers, improves buffer handling by marking and resetting reader indices, and consolidates header decoding into a dedicated method for clarity and maintainability.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.