fix(proxy): restrict PROXY protocol parsing to configured trusted proxy IPs and parse PROXY headers before metrics/fast-path so client IPs reflect the real source
@@ -1,5 +1,14 @@
|
||||
# Changelog
|
||||
|
||||
## 2026-02-19 - 25.7.7 - fix(proxy)
|
||||
restrict PROXY protocol parsing to configured trusted proxy IPs and parse PROXY headers before metrics/fast-path so client IPs reflect the real source
|
||||
|
||||
- Add proxy_ips: Vec<std::net::IpAddr> to ConnectionConfig with a default empty Vec
|
||||
- Populate proxy_ips from options.proxy_ips strings in rust/crates/rustproxy/src/lib.rs, parsing each to IpAddr
|
||||
- Only peek for and parse PROXY v1 headers when the remote IP is contained in proxy_ips (prevents untrusted clients from injecting PROXY headers)
|
||||
- Move PROXY protocol parsing earlier so metrics and fast-path logic use the effective (real client) IP after PROXY parsing
|
||||
- If proxy_ips is empty, behavior remains unchanged (no PROXY parsing)
|
||||
|
||||
## 2026-02-19 - 25.7.6 - fix(throughput)
|
||||
add tests for per-IP connection tracking and throughput history; assert per-IP eviction after connection close to prevent memory leak
|
||||
|
||||
|
||||
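Review bot: The 25.7.7 bullet "Populate proxy_ips from options.proxy_ips strings ... parsing each to IpAddr" does not say what happens to a string that fails to parse. The last bullet makes an empty proxy_ips mean no PROXY parsing at all, so a silently skipped typo would leave metrics and the fast path seeing the proxy's address instead of the client's, with nothing to tell the operator why. The entry should state whether invalid entries are rejected at startup or logged and dropped. Because the field is Vec<std::net::IpAddr> and the check is "remote IP is contained in proxy_ips", the entry should also say that only single addresses are matched (no CIDR ranges) and that only PROXY v1 headers are covered. Finally, "behavior remains unchanged" in the last bullet should say unchanged relative to what, so that deployments behind a load balancer know whether they must set proxy_ips after upgrading.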