authorNick Thomas <nick@gitlab.com>2021-04-09 12:09:29 +0100
committerNick Thomas <nick@gitlab.com>2021-04-12 18:09:22 +0100
commitdb4a3558ed7d484c2a45e6f5857e0a1bc36d3810 (patch)
tree95fa0ff77fd0c3e5912be204131f962981a2eba5 /cmd
parentdddd5c2ec16f17ecb8420d84d9a76c75a6c7fd47 (diff)
gitlab-sshd: Support the PROXY protocol
Diffstat (limited to 'cmd')
-rw-r--r--cmd/gitlab-sshd/acceptance_test.go29
1 files changed, 28 insertions, 1 deletions
diff --git a/cmd/gitlab-sshd/acceptance_test.go b/cmd/gitlab-sshd/acceptance_test.go
index 1b6931b..949afe8 100644
--- a/cmd/gitlab-sshd/acceptance_test.go
+++ b/cmd/gitlab-sshd/acceptance_test.go
@@ -8,6 +8,7 @@ import (
"fmt"
"io"
"io/ioutil"
+ "net"
"net/http"
"net/http/httptest"
"os"
@@ -18,6 +19,7 @@ import (
"testing"
"github.com/mikesmitty/edkey"
+ "github.com/pires/go-proxyproto"
"github.com/stretchr/testify/require"
"golang.org/x/crypto/ssh"
)
@@ -72,6 +74,7 @@ secret: "0123456789abcdef"
gitlab_url: "` + gitlabUrl + `"
sshd:
listen: "127.0.0.1:0"
+ proxy_protocol: true
web_listen: ""
host_key_files:
- "` + hostKeyPath + `"`)
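Review bot: Hard-coding `proxy_protocol: true` in the shared test config means every acceptance test now connects through the PROXY path, so the listener with the option off no longer has acceptance coverage. Consider passing the setting into the config builder so both modes are exercised. With the option on, the client address is taken from the header rather than from the socket, so a YAML comment such as `# test only: enable in production only behind a trusted proxy or load balancer` would help readers who copy this config. The server side is not part of this diff, so it is worth confirming and testing how a connection that sends no PROXY header is handled in this mode.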
@@ -89,13 +92,37 @@ func buildClient(t *testing.T, addr string, hostKey ed25519.PublicKey) *ssh.Clie
clientSigner, err := ssh.NewSignerFromKey(clientPrivKey)
require.NoError(t, err)
- client, err := ssh.Dial("tcp", addr, &ssh.ClientConfig{
+ // Use the proxy protocol to spoof our client address
+ target, err := net.ResolveTCPAddr("tcp", addr)
+ require.NoError(t, err)
+ conn, err := net.DialTCP("tcp", nil, target)
+ require.NoError(t, err)
+ t.Cleanup(func() { conn.Close() })
+
+ // Create a proxyprotocol header or use HeaderProxyFromAddrs() if you
+ // have two conn's
+ header := &proxyproto.Header{
+ Version: 2,
+ Command: proxyproto.PROXY,
+ TransportProtocol: proxyproto.TCPv4,
+ SourceAddr: &net.TCPAddr{
+ IP: net.ParseIP("10.1.1.1"),
+ Port: 1000,
+ },
+ DestinationAddr: target,
+ }
+ // After the connection was created write the proxy headers first
+ _, err = header.WriteTo(conn)
+ require.NoError(t, err)
+
+ sshConn, chans, reqs, err := ssh.NewClientConn(conn, addr, &ssh.ClientConfig{
User: "git",
Auth: []ssh.AuthMethod{ssh.PublicKeys(clientSigner)},
HostKeyCallback: ssh.FixedHostKey(pubKey),
})
require.NoError(t, err)
+ client := ssh.NewClient(sshConn, chans, reqs)
t.Cleanup(func() { client.Close() })
return client
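Review bot: Nothing visible in buildClient checks that the server actually used the announced address `10.1.1.1:1000`, so the test would still pass if the header were consumed and its contents discarded. If the stub GitLab API or the sshd log in this file sees the client address (not shown in the hunk), assert on it there, since the spoofed source address is the property this feature exists to carry. The comment above the header literal reads like library documentation and does not describe this code; something like `// PROXY v2 header announcing 10.1.1.1:1000 as the client address` would be clearer. buildClient begins outside this hunk, so its earlier setup is not reviewed here.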