Add support for proxy protocol info for lua plugin (#12651)

* Add support for proxy protocol info for lua plugin

* remove trailing spaces

* fix format error

* fix format error

* Fix tests

Author: shukitchan

doc/admin-guide/plugins/lua.en.rst

@@ -1340,6 +1340,75 @@ Here is an example:
     end
 
 
+:ref:`TOP <admin-plugins-ts-lua>`
+
+ts.client_request.get_pp_info
+-----------------------------------------------
+**syntax:** *value = ts.client_request.get_pp_info(key)*
+
+**context:** do_remap/do_os_response or do_global_* or later
+
+**description**: This function can be used to get PROXY protocol information as a string value.
+
+The *key* parameter should be one of the following constants:
+
+* **TS_LUA_PP_INFO_SRC_ADDR** - Source IP address
+* **TS_LUA_PP_INFO_DST_ADDR** - Destination IP address
+
+You can also pass a TLV type ID (0x00-0xFF) to retrieve custom TLV values from PROXY protocol v2.
+
+Returns the string value if available, or **nil** if the information is not available or PROXY protocol is not in use.
+
+Here is an example:
+
+::
+
+    function do_remap()
+        local pp_version = ts.client_request.get_pp_info_int(TS_LUA_PP_INFO_VERSION)
+        if pp_version then
+            local src_addr = ts.client_request.get_pp_info(TS_LUA_PP_INFO_SRC_ADDR)
+            local dst_addr = ts.client_request.get_pp_info(TS_LUA_PP_INFO_DST_ADDR)
+            ts.debug(string.format('PROXY v%d: %s -> %s', pp_version, src_addr, dst_addr))
+        end
+        return 0
+    end
+
+
+:ref:`TOP <admin-plugins-ts-lua>`
+
+ts.client_request.get_pp_info_int
+-----------------------------------------------
+**syntax:** *value = ts.client_request.get_pp_info_int(key)*
+
+**context:** do_remap/do_os_response or do_global_* or later
+
+**description**: This function can be used to get PROXY protocol information as an integer value.
+
+The *key* parameter should be one of the following constants:
+
+* **TS_LUA_PP_INFO_VERSION** - PROXY protocol version (1 or 2)
+* **TS_LUA_PP_INFO_SRC_PORT** - Source port number
+* **TS_LUA_PP_INFO_DST_PORT** - Destination port number
+* **TS_LUA_PP_INFO_PROTOCOL** - IP protocol family (AF_INET or AF_INET6)
+* **TS_LUA_PP_INFO_SOCK_TYPE** - Socket type (SOCK_STREAM, SOCK_DGRAM, etc.)
+
+Returns the integer value if available, or **nil** if the information is not available or PROXY protocol is not in use.
+
+Here is an example:
+
+::
+
+    function do_remap()
+        local pp_version = ts.client_request.get_pp_info_int(TS_LUA_PP_INFO_VERSION)
+        if pp_version then
+            local src_port = ts.client_request.get_pp_info_int(TS_LUA_PP_INFO_SRC_PORT)
+            local dst_port = ts.client_request.get_pp_info_int(TS_LUA_PP_INFO_DST_PORT)
+            ts.debug(string.format('PROXY v%d ports: %d -> %d', pp_version, src_port, dst_port))
+        end
+        return 0
+    end
+
+
 :ref:`TOP <admin-plugins-ts-lua>`
 
 ts.http.set_cache_url

plugins/lua/ts_lua_client_request.cc

@@ -20,6 +20,22 @@
 #include <arpa/inet.h>
 #include "ts_lua_util.h"
 
+typedef enum {
+  TS_LUA_PP_INFO_VERSION   = TS_PP_INFO_VERSION,
+  TS_LUA_PP_INFO_SRC_ADDR  = TS_PP_INFO_SRC_ADDR,
+  TS_LUA_PP_INFO_SRC_PORT  = TS_PP_INFO_SRC_PORT,
+  TS_LUA_PP_INFO_DST_ADDR  = TS_PP_INFO_DST_ADDR,
+  TS_LUA_PP_INFO_DST_PORT  = TS_PP_INFO_DST_PORT,
+  TS_LUA_PP_INFO_PROTOCOL  = TS_PP_INFO_PROTOCOL,
+  TS_LUA_PP_INFO_SOCK_TYPE = TS_PP_INFO_SOCK_TYPE
+} TSLuaPPInfoKey;
+
+ts_lua_var_item ts_lua_pp_info_key_vars[] = {
+  TS_LUA_MAKE_VAR_ITEM(TS_LUA_PP_INFO_VERSION),  TS_LUA_MAKE_VAR_ITEM(TS_LUA_PP_INFO_SRC_ADDR),
+  TS_LUA_MAKE_VAR_ITEM(TS_LUA_PP_INFO_SRC_PORT), TS_LUA_MAKE_VAR_ITEM(TS_LUA_PP_INFO_DST_ADDR),
+  TS_LUA_MAKE_VAR_ITEM(TS_LUA_PP_INFO_DST_PORT), TS_LUA_MAKE_VAR_ITEM(TS_LUA_PP_INFO_PROTOCOL),
+  TS_LUA_MAKE_VAR_ITEM(TS_LUA_PP_INFO_SOCK_TYPE)};
+
 static void ts_lua_inject_client_request_client_addr_api(lua_State *L);
 static void ts_lua_inject_client_request_server_addr_api(lua_State *L);
 
@@ -78,6 +94,10 @@ static int  ts_lua_client_request_get_ssl_protocol(lua_State *L);
 static void ts_lua_inject_client_request_ssl_curve_api(lua_State *L);
 static int  ts_lua_client_request_get_ssl_curve(lua_State *L);
 
+static void ts_lua_inject_client_request_pp_info_api(lua_State *L);
+static int  ts_lua_client_request_get_pp_info(lua_State *L);
+static int  ts_lua_client_request_get_pp_info_int(lua_State *L);
+
 void
 ts_lua_inject_client_request_api(lua_State *L)
 {
@@ -98,6 +118,7 @@ ts_lua_inject_client_request_api(lua_State *L)
   ts_lua_inject_client_request_ssl_cipher_api(L);
   ts_lua_inject_client_request_ssl_protocol_api(L);
   ts_lua_inject_client_request_ssl_curve_api(L);
+  ts_lua_inject_client_request_pp_info_api(L);
 
   lua_setfield(L, -2, "client_request");
 }
@@ -1148,6 +1169,95 @@ ts_lua_client_request_get_ssl_curve(lua_State *L)
   return 1;
 }
 
+static void
+ts_lua_inject_client_request_pp_info_api(lua_State *L)
+{
+  size_t i;
+
+  for (i = 0; i < sizeof(ts_lua_pp_info_key_vars) / sizeof(ts_lua_var_item); i++) {
+    lua_pushinteger(L, ts_lua_pp_info_key_vars[i].nvar);
+    lua_setglobal(L, ts_lua_pp_info_key_vars[i].svar);
+  }
+
+  lua_pushcfunction(L, ts_lua_client_request_get_pp_info);
+  lua_setfield(L, -2, "get_pp_info");
+
+  lua_pushcfunction(L, ts_lua_client_request_get_pp_info_int);
+  lua_setfield(L, -2, "get_pp_info_int");
+}
+
+static int
+ts_lua_client_request_get_pp_info(lua_State *L)
+{
+  uint16_t         key;
+  const char      *value = nullptr;
+  int              length;
+  ts_lua_http_ctx *http_ctx;
+  TSHttpSsn        ssnp;
+  TSVConn          client_conn;
+
+  GET_HTTP_CONTEXT(http_ctx, L);
+
+  key = static_cast<uint16_t>(luaL_checkinteger(L, 1));
+
+  ssnp        = TSHttpTxnSsnGet(http_ctx->txnp);
+  client_conn = TSHttpSsnClientVConnGet(ssnp);
+
+  if (TSVConnPPInfoGet(client_conn, key, &value, &length) == TS_SUCCESS) {
+    if (key == TS_PP_INFO_SRC_ADDR || key == TS_PP_INFO_DST_ADDR) {
+      // For addresses, convert sockaddr to string
+      char                ip_str[INET6_ADDRSTRLEN];
+      const sockaddr     *addr = reinterpret_cast<const sockaddr *>(value);
+      const sockaddr_in  *addr_in;
+      const sockaddr_in6 *addr_in6;
+
+      if (addr->sa_family == AF_INET) {
+        addr_in = reinterpret_cast<const sockaddr_in *>(addr);
+        inet_ntop(AF_INET, &addr_in->sin_addr, ip_str, sizeof(ip_str));
+      } else if (addr->sa_family == AF_INET6) {
+        addr_in6 = reinterpret_cast<const sockaddr_in6 *>(addr);
+        inet_ntop(AF_INET6, &addr_in6->sin6_addr, ip_str, sizeof(ip_str));
+      } else {
+        lua_pushnil(L);
+        return 1;
+      }
+      lua_pushstring(L, ip_str);
+    } else {
+      // For other types, return as string
+      lua_pushlstring(L, value, length);
+    }
+    return 1;
+  }
+
+  lua_pushnil(L);
+  return 1;
+}
+
+static int
+ts_lua_client_request_get_pp_info_int(lua_State *L)
+{
+  uint16_t         key;
+  TSMgmtInt        value;
+  ts_lua_http_ctx *http_ctx;
+  TSHttpSsn        ssnp;
+  TSVConn          client_conn;
+
+  GET_HTTP_CONTEXT(http_ctx, L);
+
+  key = static_cast<uint16_t>(luaL_checkinteger(L, 1));
+
+  ssnp        = TSHttpTxnSsnGet(http_ctx->txnp);
+  client_conn = TSHttpSsnClientVConnGet(ssnp);
+
+  if (TSVConnPPInfoIntGet(client_conn, key, &value) == TS_SUCCESS) {
+    lua_pushinteger(L, value);
+    return 1;
+  }
+
+  lua_pushnil(L);
+  return 1;
+}
+
 static int
 ts_lua_client_request_client_addr_get_verified_addr(lua_State *L)
 {

tests/gold_tests/pluginTest/lua/gold/lua_proxy_protocol.gold

@@ -0,0 +1 @@
+TEST

tests/gold_tests/pluginTest/lua/lua_proxy_protocol.test.py

@@ -0,0 +1,79 @@
+'''
+Test Lua plugin PROXY protocol support
+'''
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+import os
+
+Test.Summary = '''
+Test Lua plugin PROXY protocol API
+'''
+
+Test.SkipUnless(Condition.PluginExists('tslua.so'),)
+
+Test.ContinueOnFail = True
+
+# ---- Setup Origin Server ----
+server = Test.MakeOriginServer("server")
+
+request_header = {"headers": "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+response_header = {
+    "headers": "HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Length: 4\r\n\r\n",
+    "timestamp": "1469733493.993",
+    "body": "TEST"
+}
+server.addResponse("sessionfile.log", request_header, response_header)
+
+# ---- Setup ATS ----
+ts = Test.MakeATSProcess("ts", enable_proxy_protocol=True)
+
+ts.Disk.remap_config.AddLine(
+    'map / http://127.0.0.1:{0}/'.format(server.Variables.Port) + ' @plugin=tslua.so @pparam=proxy_protocol.lua')
+
+ts.Setup.Copy("proxy_protocol.lua", ts.Variables.CONFIGDIR)
+
+ts.Disk.records_config.update({'proxy.config.diags.debug.enabled': 1, 'proxy.config.diags.debug.tags': 'ts_lua'})
+
+# ---- Test with PROXY protocol ----
+tr = Test.AddTestRun("Test with PROXY protocol v1")
+tr.Processes.Default.Command = (
+    f"curl --haproxy-protocol --haproxy-clientip 192.168.1.100 "
+    f"http://127.0.0.1:{ts.Variables.proxy_protocol_port}/")
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.StartBefore(server, ready=When.PortOpen(server.Variables.Port))
+tr.Processes.Default.StartBefore(ts)
+tr.Processes.Default.Streams.stdout = Testers.ContainsExpression("TEST", "Response body should be received")
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+
+# Check debug log for PROXY protocol info
+ts.Disk.traffic_out.Content += Testers.ContainsExpression(r"PP-Version: 1", "PROXY protocol version should be logged")
+ts.Disk.traffic_out.Content += Testers.ContainsExpression(
+    r"PP-Source: 192\.168\.1\.100", "PROXY protocol source address should be logged")
+ts.Disk.traffic_out.Content += Testers.ContainsExpression(r"PP-Protocol: 2", "PROXY protocol IP family should be logged")
+ts.Disk.traffic_out.Content += Testers.ContainsExpression(r"PP-SocketType: 1", "PROXY protocol socket type should be logged")
+
+# ---- Test without PROXY protocol ----
+tr2 = Test.AddTestRun("Test without PROXY protocol")
+tr2.Processes.Default.Command = f"curl http://127.0.0.1:{ts.Variables.port}/"
+tr2.Processes.Default.ReturnCode = 0
+tr2.Processes.Default.Streams.stdout = Testers.ContainsExpression("TEST", "Response body should be received")
+tr2.StillRunningAfter = server
+tr2.StillRunningAfter = ts
+
+# Check that PP-Not-Present is logged when PROXY protocol is not used
+ts.Disk.traffic_out.Content += Testers.ContainsExpression(r"PP-Version: 0", "Should log when PROXY protocol is not present")

tests/gold_tests/pluginTest/lua/proxy_protocol.lua

@@ -0,0 +1,62 @@
+--  Licensed to the Apache Software Foundation (ASF) under one
+--  or more contributor license agreements.  See the NOTICE file
+--  distributed with this work for additional information
+--  regarding copyright ownership.  The ASF licenses this file
+--  to you under the Apache License, Version 2.0 (the
+--  "License"); you may not use this file except in compliance
+--  with the License.  You may obtain a copy of the License at
+--
+--      http://www.apache.org/licenses/LICENSE-2.0
+--
+--  Unless required by applicable law or agreed to in writing, software
+--  distributed under the License is distributed on an "AS IS" BASIS,
+--  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--  See the License for the specific language governing permissions and
+--  limitations under the License.
+
+function do_remap()
+  local req = ts.client_request
+
+  -- Get PROXY protocol version
+  local pp_version = req.get_pp_info_int(TS_LUA_PP_INFO_VERSION)
+  if pp_version then
+    ts.debug(string.format("PP-Version: %d", pp_version))
+
+    -- Get source address and port
+    local src_addr = req.get_pp_info(TS_LUA_PP_INFO_SRC_ADDR)
+    local src_port = req.get_pp_info_int(TS_LUA_PP_INFO_SRC_PORT)
+
+    -- Get destination address and port
+    local dst_addr = req.get_pp_info(TS_LUA_PP_INFO_DST_ADDR)
+    local dst_port = req.get_pp_info_int(TS_LUA_PP_INFO_DST_PORT)
+
+    -- Get protocol and socket type
+    local protocol = req.get_pp_info_int(TS_LUA_PP_INFO_PROTOCOL)
+    local sock_type = req.get_pp_info_int(TS_LUA_PP_INFO_SOCK_TYPE)
+
+    if src_addr and src_port then
+      ts.debug(string.format("PP-Source: %s:%d", src_addr, src_port))
+    end
+
+    if dst_addr and dst_port then
+      ts.debug(string.format("PP-Destination: %s:%d", dst_addr, dst_port))
+    end
+
+    if protocol then
+      ts.debug(string.format("PP-Protocol: %d", protocol))
+    end
+
+    if sock_type then
+      ts.debug(string.format("PP-SocketType: %d", sock_type))
+    end
+
+    -- Add custom header with PP info
+    if src_addr then
+      ts.client_request.header['X-PP-Client-IP'] = src_addr
+    end
+  else
+    ts.debug("PP-Not-Present")
+  end
+
+  return 0
+end