haproxy v2 module

[ghost]

I wanted to use this with tor which now supports HiddenServiceExportCircuitID protocol but it's for v1, which I assume is why it's not working but I'm not sure.

https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
https://manpages.debian.org/testing/tor/torrc.5.en.html

it will fail with this error tor_dmz_1 | Fri Jan 21 2022 04:54:42 USERS: QuitUser: 50XAAAAAB=50XAAAAAB 'Invalid HAProxy PROXY signature'

which could just mean that tor isn't doing what it says its supposed to do but it's not failing on that option either and that's always been pretty reliable. it is actually trying as is evidenced by the packet dump (refer to next few comments)

not a huge problem for me just a nice to have. also nice if it can just pass through ssl connections since they're just coming from tor anyway.

[ghost]

charybdis-ircd/charybdis#267

[ghost]

looks like tor does attempt to negotiate a handshake

root@sehccrlyfadifehn:~# tcpdump -vvv -n -e -ttt -i br-e93e11adc649 -XX dst port 8667
tcpdump: listening on br-e93e11adc649, link-type EN10MB (Ethernet), capture size 262144 bytes
 00:00:00.000000 02:42:64:40:41:02 > 02:42:64:40:41:03, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 25469, offset 0, flags [DF], proto TCP (6), length 60)
    100.64.65.2.59806 > 100.64.65.3.8667: Flags [S], cksum 0x4ab4 (incorrect -> 0xcae4), seq 731382763, win 42340, options [mss 1460,sackOK,TS val 389298939 ecr 0,nop,wscale 12], length 0
        0x0000:  0242 6440 4103 0242 6440 4102 0800 4500  [email protected]@A...E.
        0x0010:  003c 637d 4000 4006 8cb9 6440 4102 6440  .<c}@[email protected]@A.d@
        0x0020:  4103 e99e 21db 2b98 03eb 0000 0000 a002  A...!.+.........
        0x0030:  a564 4ab4 0000 0204 05b4 0402 080a 1734  .dJ............4
        0x0040:  3afb 0000 0000 0103 030c                 :.........
 00:00:00.000113 02:42:64:40:41:02 > 02:42:64:40:41:03, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 25470, offset 0, flags [DF], proto TCP (6), length 52)
    100.64.65.2.59806 > 100.64.65.3.8667: Flags [.], cksum 0x4aac (incorrect -> 0x1f14), seq 731382764, ack 211935345, win 11, options [nop,nop,TS val 389298939 ecr 1137659657], length 0
        0x0000:  0242 6440 4103 0242 6440 4102 0800 4500  [email protected]@A...E.
        0x0010:  0034 637e 4000 4006 8cc0 6440 4102 6440  .4c~@[email protected]@A.d@
        0x0020:  4103 e99e 21db 2b98 03ec 0ca1 e071 8010  A...!.+......q..
        0x0030:  000b 4aac 0000 0101 080a 1734 3afb 43cf  ..J........4:.C.
        0x0040:  4f09                                     O.
 00:00:00.001099 02:42:64:40:41:02 > 02:42:64:40:41:03, ethertype IPv4 (0x0800), length 212: (tos 0x0, ttl 64, id 25471, offset 0, flags [DF], proto TCP (6), length 198)
    100.64.65.2.59806 > 100.64.65.3.8667: Flags [P.], cksum 0x4b3e (incorrect -> 0x8240), seq 0:146, ack 1, win 11, options [nop,nop,TS val 389298940 ecr 1137659657], length 146
        0x0000:  0242 6440 4103 0242 6440 4102 0800 4500  [email protected]@A...E.
        0x0010:  00c6 637f 4000 4006 8c2d 6440 4102 6440  ..c.@[email protected]@A.d@
        0x0020:  4103 e99e 21db 2b98 03ec 0ca1 e071 8018  A...!.+......q..
        0x0030:  000b 4b3e 0000 0101 080a 1734 3afc 43cf  ..K>.......4:.C.
        0x0040:  4f09 5052 4f58 5920 5443 5036 2066 6330  O.PROXY.TCP6.fc0
        0x0050:  303a 6465 6164 3a62 6565 663a 3464 6164  0:dead:beef:4dad
        0x0060:  3a3a 303a 3461 203a 3a31 2037 3420 3836  ::0:4a.::1.74.86
        0x0070:  3637 0d0a 4341 5020 4c53 0d0a 4e49 434b  67..CAP.LS..NICK
        0x0080:  2073 710d 0a55 5345 5220 7371 2073 7120  .sq..USER.sq.sq.
        0x0090:  786f 346d 6e6f 347a 657a 376d 7767 627a  xo4mno4zez7mwgbz
        0x00a0:  6f32 3762 6263 6b35 6736 6476 727a 7279  o27bbck5g6dvrzry
        0x00b0:  6e64 7162 6633 3479 7764 7875 336c 7034  ndqbf34ywdxu3lp4
        0x00c0:  7762 7174 6367 6964 2e6f 6e69 6f6e 203a  wbqtcgid.onion.:
        0x00d0:  7371 0d0a                                sq..
 00:00:00.000711 02:42:64:40:41:02 > 02:42:64:40:41:03, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 25472, offset 0, flags [DF], proto TCP (6), length 52)
    100.64.65.2.59806 > 100.64.65.3.8667: Flags [F.], cksum 0x4aac (incorrect -> 0x1e7c), seq 146, ack 2, win 11, options [nop,nop,TS val 389298941 ecr 1137659659], length 0
        0x0000:  0242 6440 4103 0242 6440 4102 0800 4500  [email protected]@A...E.
        0x0010:  0034 6380 4000 4006 8cbe 6440 4102 6440  .4c.@[email protected]@A.d@
        0x0020:  4103 e99e 21db 2b98 047e 0ca1 e072 8011  A...!.+..~...r..
        0x0030:  000b 4aac 0000 0101 080a 1734 3afd 43cf  ..J........4:.C.
        0x0040:  4f0b                                     O.

but the server discards it

tor_dmz_1  | Fri Jan 21 2022 06:18:43 SOCKET: Accepting connection on socket 100.64.65.3:8667 fd 14
tor_dmz_1  | Fri Jan 21 2022 06:18:43 USERS: New UUID for user: 50XAAAAAB
tor_dmz_1  | Fri Jan 21 2022 06:18:43 USERS: New user fd: 14
tor_dmz_1  | Fri Jan 21 2022 06:18:43 SOCKET: New file descriptor: 14
tor_dmz_1  | Fri Jan 21 2022 06:18:43 CONNECTCLASS: Setting connect class for 50XAAAAAB ([email protected]) ...
tor_dmz_1  | Fri Jan 21 2022 06:18:43 CONNECTCLASS: Checking the All connect class ...
tor_dmz_1  | Fri Jan 21 2022 06:18:43 CONNECTCLASS: The All connect class is not suitable as neither <connect:allow> nor <connect:deny> are set
tor_dmz_1  | Fri Jan 21 2022 06:18:43 CONNECTCLASS: Checking the TorDMZAuthenticated connect class ...
tor_dmz_1  | Fri Jan 21 2022 06:18:43 CONNECTCLASS: The TorDMZAuthenticated connect class is not suitable as it requires the user to be logged into an account
tor_dmz_1  | Fri Jan 21 2022 06:18:43 CONNECTCLASS: Checking the TorDMZSSL connect class ...
tor_dmz_1  | Fri Jan 21 2022 06:18:43 CONNECTCLASS: The TorDMZSSL connect class is not suitable as the connection port (8667) is not any of 6667 6697
tor_dmz_1  | Fri Jan 21 2022 06:18:43 CONNECTCLASS: Checking the TorDMZ connect class ...
tor_dmz_1  | Fri Jan 21 2022 06:18:43 CONNECTCLASS: The TorDMZ connect class is not suitable as the connection port (8667) is not any of 6667
tor_dmz_1  | Fri Jan 21 2022 06:18:43 CONNECTCLASS: Checking the TorDMZHAProxy connect class ...
tor_dmz_1  | Fri Jan 21 2022 06:18:43 CONNECTCLASS: The TorDMZHAProxy connect class is suitable for 50XAAAAAB ([email protected])
tor_dmz_1  | Fri Jan 21 2022 06:18:43 USEROUTPUT: C[50XAAAAAB] O :ey2kud5n2zmwdx3laipevooqwipdey2onn6uluwk6c6zsck6mykyivad.onion NOTICE * :*** Raw I/O logging is enabled on this server. All messages, passwords, and commands are being recorded.
tor_dmz_1  | Fri Jan 21 2022 06:18:43 SOCKET: Error on FD 14 - 'Invalid HAProxy PROXY signature'
tor_dmz_1  | Fri Jan 21 2022 06:18:43 USERS: QuitUser: 50XAAAAAB=50XAAAAAB 'Invalid HAProxy PROXY signature'
tor_dmz_1  | Fri Jan 21 2022 06:18:43 USEROUTPUT: C[50XAAAAAB] O ERROR :Closing link: ([email protected]) [Invalid HAProxy PROXY signature]
tor_dmz_1  | Fri Jan 21 2022 06:18:43 SOCKET: DoWrite on errored or closed socket
tor_dmz_1  | Fri Jan 21 2022 06:18:43 SOCKET: Remove file descriptor: 14
tor_dmz_1  | Fri Jan 21 2022 06:18:43 CULLLIST: Deleting @0x55e599fff040

something worth noting there is that the server name is different from the hidden service name I'm connecting to (I made a separate one for testing this feature, nothing about the log from inspircd seems to indicate that it should matter but I haven't looked the code over for the inspircd haproxy module yet, https://thc420.xyz/inspircd/commit/09c5439c02f31e9875083e51966dad535af005a9.html

[ghost]

also the connect class is another interesting point about this module with regards to identifying clients. It will connect via ipv4 which is fine, but Tor wants to identify the protocol handshake (also fine) using this ULA fc00:dead:beef:4dad::/64 and essentially it's the same with the cgiirc module and just needs to add an attribute to the connect class for specifying an allowed mask; also allowed "x-forward-for" even though this is PROXY, the same idea should probably be visited for this.

[SadieCat]

InspIRCd only supports the PROXY v2 protocol not the v1 protocol. I can't tell for sure without seeing your config but that error suggests that it is not sending a v2 header.

[ghost]

yeah like I said it's not super important because I just masquerade tor users connecting through a link https://github.com/clandestinenetworks/docker-inspircd/blob/master/config/inspircd/tor_dmz/tor_dmz.conf#L165 and I've found that this the best way the only advantage would be that I can still coalesce connections by circuit id for clone detection but it's not reliable because tor users can pretty easily change to using a new circuit without interrupting existing connections: https://github.com/clandestinenetworks/torctl#creating-a-new-circuit