Skip to content

Add pre-TLS processing hook for PROXY protocol support and expose methods for HTTP2 shutdown#799

Open
jaw-sh wants to merge 4 commits intocloudflare:mainfrom
jaw-sh:proxy-protocol-before-tls
Open

Add pre-TLS processing hook for PROXY protocol support and expose methods for HTTP2 shutdown#799
jaw-sh wants to merge 4 commits intocloudflare:mainfrom
jaw-sh:proxy-protocol-before-tls

Conversation

@jaw-sh
Copy link

@jaw-sh jaw-sh commented Jan 22, 2026
edited
Loading

This adds a PreTlsProcess trait and callback mechanism that allows applications to read and process bytes from the raw TCP stream before the TLS handshake begins. Provides a way to self-implement #132 .

This also exposes HTTP2 session terminators. Closes #775.

The HAProxy PROXY protocol spec requires that the header be parsed from the raw TCP stream before any application protocol processing, including TLS. Currently there's no way to do this in Pingora - by the time ServerApp::process_new runs, TLS has already completed.
https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

This is how nginx and haproxy handle it: TCP accept → parse PROXY header → TLS handshake → HTTP.
https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L307-L362

Changes

  • Add PreTlsProcess trait in pingora-core/src/listeners/mod.rs
  • Thread callback through TransportStackBuilder → TransportStack → UninitializedStream
  • Call callback in UninitializedStream::handshake() before TLS
  • Make Stream::rewind() public so implementations can put back bytes that aren't PROXY protocol

Usage

struct ProxyProtocolHandler;

#[async_trait]
impl PreTlsProcess for ProxyProtocolHandler {
    async fn process(&self, stream: &mut L4Stream) -> Result<()> {
        // Read PROXY header, update socket digest with real client IP
        Ok(())
    }
}

// In setup:
listeners.set_pre_tls_callback(Arc::new(ProxyProtocolHandler));

This code is being used in a beta server deployment with PROXY Protocol v1 and v2 support to handle incoming traffic from other web servers and Tor with success.

jaw-sh added 2 commits January 21, 2026 15:54
@jaw-sh
Add shutdown_with_reason for H2 streams
1bd3c47 
Allow sending RST_STREAM with a custom reason code instead of hardcoded
INTERNAL_ERROR. This enables RFC 7540 §9.1.2 compliant 421 responses where
HTTP_1_1_REQUIRED can signal clients to retry over HTTP/1.1.

Fixes cloudflare#787
@jaw-sh
Merge pull request #1 from jaw-sh/h2-custom-reset-reason
33465f3 
Add shutdown_with_reason for H2 streams
@duke8253 duke8253 added the enhancement New feature or request label Jan 23, 2026
@jaw-sh
Add pre-TLS callback for PROXY protocol support
b3d1960 
Add a PreTlsProcess trait and set_pre_tls_callback() method that allows
applications to process raw bytes before the TLS handshake occurs.

This is useful for protocols like HAProxy's PROXY protocol, which sends
client address information before TLS. The callback reads and consumes
protocol headers, then updates the socket digest with the real client
address.
@jaw-sh
Make Stream::rewind() public for protocol detection
9aa73fb 
PreTlsProcess implementations need to put data back onto the stream
when it doesn't match the expected protocol signature. This lets the
PROXY protocol handler rewind non-PROXY data so TLS proceeds normally.
@jaw-sh jaw-sh force-pushed the proxy-protocol-before-tls branch from 78334c9 to 9aa73fb Compare February 11, 2026 17:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@drcaramelsyrup drcaramelsyrup

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Provide TlsRef details to HTTP/2 requests

3 participants

@jaw-sh @drcaramelsyrup @duke8253