mc/mc-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix golangci-lint v2 compliance, make all passes clean

Browse Source 
- Fix 314 errcheck violations (blank identifier for unrecoverable errors)
- Fix errorlint violation (errors.Is for io.EOF)
- Remove unused serveL7Route test helper
- Simplify Duration.Seconds() selectors in tests
- Remove unnecessary fmt.Sprintf in test
- Migrate exclusion rules from issues.exclusions to linters.exclusions (v2 schema)
- Add gosec test exclusions (G115, G304, G402, G705)
- Disable fieldalignment govet analyzer (optimization, not correctness)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-27 13:30:43 -07:00
parent 4f3249fdc3
commit a60e5cb86a
28 changed files with 343 additions and 354 deletions
Download Patch File Download Diff File Expand all files Collapse all files

265
internal/server/server_test.go
View File

@@ -43,8 +43,8 @@ func echoServer(t *testing.T, ln net.Listener) {
if err != nil {
return
}
defer conn.Close()
io.Copy(conn, conn)
defer func() { _ = conn.Close() }()
_, _ = io.Copy(conn, conn)
}
// newTestServer creates a Server with the given listener data and no firewall rules.
@@ -92,7 +92,7 @@ func TestProxyRoundTrip(t *testing.T) {
if err != nil {
t.Fatalf("backend listen: %v", err)
}
defer backendLn.Close()
defer func() { _ = backendLn.Close() }()
go echoServer(t, backendLn)
// Pick a free port for the proxy listener.
@@ -101,7 +101,7 @@ func TestProxyRoundTrip(t *testing.T) {
t.Fatalf("finding free port: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
srv := newTestServer(t, []ListenerData{
{
@@ -121,7 +121,7 @@ func TestProxyRoundTrip(t *testing.T) {
if err != nil {
t.Fatalf("dial proxy: %v", err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
hello := buildClientHello("echo.test")
if _, err := conn.Write(hello); err != nil {
@@ -130,7 +130,7 @@ func TestProxyRoundTrip(t *testing.T) {
// The backend will echo our ClientHello back. Read it.
echoed := make([]byte, len(hello))
conn.SetReadDeadline(time.Now().Add(5 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(5 * time.Second))
if _, err := io.ReadFull(conn, echoed); err != nil {
t.Fatalf("read echoed data: %v", err)
}
@@ -157,7 +157,7 @@ func TestNoRouteResets(t *testing.T) {
t.Fatalf("finding free port: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
srv := newTestServer(t, []ListenerData{
{
@@ -176,7 +176,7 @@ func TestNoRouteResets(t *testing.T) {
if err != nil {
t.Fatalf("dial proxy: %v", err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
hello := buildClientHello("unknown.test")
if _, err := conn.Write(hello); err != nil {
@@ -184,7 +184,7 @@ func TestNoRouteResets(t *testing.T) {
}
// The proxy should close the connection (no route match).
conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_, err = conn.Read(make([]byte, 1))
if err == nil {
t.Fatal("expected connection to be closed, but read succeeded")
@@ -197,7 +197,7 @@ func TestFirewallBlocks(t *testing.T) {
if err != nil {
t.Fatalf("backend listen: %v", err)
}
defer backendLn.Close()
defer func() { _ = backendLn.Close() }()
reached := make(chan struct{}, 1)
go func() {
@@ -205,7 +205,7 @@ func TestFirewallBlocks(t *testing.T) {
if err != nil {
return
}
conn.Close()
_ = conn.Close()
reached <- struct{}{}
}()
@@ -214,7 +214,7 @@ func TestFirewallBlocks(t *testing.T) {
t.Fatalf("finding free port: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
// Create a firewall that blocks 127.0.0.1 (the test client).
fw, err := firewall.New("", []string{"127.0.0.1"}, nil, nil, 0, 0)
@@ -245,7 +245,7 @@ func TestFirewallBlocks(t *testing.T) {
wg.Add(1)
go func() {
defer wg.Done()
srv.Run(ctx)
_ = srv.Run(ctx)
}()
time.Sleep(50 * time.Millisecond)
@@ -253,13 +253,13 @@ func TestFirewallBlocks(t *testing.T) {
if err != nil {
t.Fatalf("dial proxy: %v", err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
hello := buildClientHello("echo.test")
conn.Write(hello)
_, _ = conn.Write(hello)
// Connection should be closed (blocked by firewall).
conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_, err = conn.Read(make([]byte, 1))
if err == nil {
t.Fatal("expected connection to be closed by firewall")
@@ -283,7 +283,7 @@ func TestNotTLSResets(t *testing.T) {
t.Fatalf("finding free port: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
srv := newTestServer(t, []ListenerData{
{
@@ -300,12 +300,12 @@ func TestNotTLSResets(t *testing.T) {
if err != nil {
t.Fatalf("dial proxy: %v", err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
// Send HTTP, not TLS.
conn.Write([]byte("GET / HTTP/1.1\r\nHost: x.test\r\n\r\n"))
_, _ = conn.Write([]byte("GET / HTTP/1.1\r\nHost: x.test\r\n\r\n"))
conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_, err = conn.Read(make([]byte, 1))
if err == nil {
t.Fatal("expected connection to be closed for non-TLS data")
@@ -318,7 +318,7 @@ func TestConnectionTracking(t *testing.T) {
if err != nil {
t.Fatalf("backend listen: %v", err)
}
defer backendLn.Close()
defer func() { _ = backendLn.Close() }()
var backendConns []net.Conn
var mu sync.Mutex
@@ -332,7 +332,7 @@ func TestConnectionTracking(t *testing.T) {
backendConns = append(backendConns, conn)
mu.Unlock()
// Hold connection open, drain input.
go io.Copy(io.Discard, conn)
go func() { _, _ = io.Copy(io.Discard, conn) }()
}
}()
@@ -341,7 +341,7 @@ func TestConnectionTracking(t *testing.T) {
t.Fatalf("finding free port: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
srv := newTestServer(t, []ListenerData{
{
@@ -382,10 +382,10 @@ func TestConnectionTracking(t *testing.T) {
}
// Close one client and its corresponding backend connection.
clientConns[0].Close()
_ = clientConns[0].Close()
mu.Lock()
if len(backendConns) > 0 {
backendConns[0].Close()
_ = backendConns[0].Close()
}
mu.Unlock()
@@ -402,10 +402,10 @@ func TestConnectionTracking(t *testing.T) {
}
// Clean up.
clientConns[1].Close()
_ = clientConns[1].Close()
mu.Lock()
for _, c := range backendConns {
c.Close()
_ = c.Close()
}
mu.Unlock()
}
@@ -416,13 +416,13 @@ func TestMultipleListeners(t *testing.T) {
if err != nil {
t.Fatalf("backend A listen: %v", err)
}
defer backendA.Close()
defer func() { _ = backendA.Close() }()
backendB, err := net.Listen("tcp", "127.0.0.1:0")
if err != nil {
t.Fatalf("backend B listen: %v", err)
}
defer backendB.Close()
defer func() { _ = backendB.Close() }()
// Each backend writes its identity and closes.
serve := func(ln net.Listener, id string) {
@@ -430,10 +430,10 @@ func TestMultipleListeners(t *testing.T) {
if err != nil {
return
}
defer conn.Close()
defer func() { _ = conn.Close() }()
// Drain the incoming data, then write identity.
go io.Copy(io.Discard, conn)
conn.Write([]byte(id))
go func() { _, _ = io.Copy(io.Discard, conn) }()
_, _ = conn.Write([]byte(id))
}
go serve(backendA, "A")
go serve(backendB, "B")
@@ -444,14 +444,14 @@ func TestMultipleListeners(t *testing.T) {
t.Fatalf("finding free port 1: %v", err)
}
addr1 := ln1.Addr().String()
ln1.Close()
_ = ln1.Close()
ln2, err := net.Listen("tcp", "127.0.0.1:0")
if err != nil {
t.Fatalf("finding free port 2: %v", err)
}
addr2 := ln2.Addr().String()
ln2.Close()
_ = ln2.Close()
srv := newTestServer(t, []ListenerData{
{ID: 1, Addr: addr1, Routes: map[string]RouteInfo{"svc.test": l4Route(backendA.Addr().String())}},
@@ -467,12 +467,12 @@ func TestMultipleListeners(t *testing.T) {
if err != nil {
t.Fatalf("dial %s: %v", proxyAddr, err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
hello := buildClientHello("svc.test")
conn.Write(hello)
_, _ = conn.Write(hello)
conn.SetReadDeadline(time.Now().Add(5 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(5 * time.Second))
buf := make([]byte, 128)
// Read what the backend sends back: echoed ClientHello + ID.
// The backend drains input and writes the ID, so we read until we
@@ -508,7 +508,7 @@ func TestCaseInsensitiveRouting(t *testing.T) {
if err != nil {
t.Fatalf("backend listen: %v", err)
}
defer backendLn.Close()
defer func() { _ = backendLn.Close() }()
go echoServer(t, backendLn)
proxyLn, err := net.Listen("tcp", "127.0.0.1:0")
@@ -516,7 +516,7 @@ func TestCaseInsensitiveRouting(t *testing.T) {
t.Fatalf("finding free port: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
srv := newTestServer(t, []ListenerData{
{
@@ -537,7 +537,7 @@ func TestCaseInsensitiveRouting(t *testing.T) {
if err != nil {
t.Fatalf("dial proxy: %v", err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
hello := buildClientHello("ECHO.TEST")
if _, err := conn.Write(hello); err != nil {
@@ -545,7 +545,7 @@ func TestCaseInsensitiveRouting(t *testing.T) {
}
echoed := make([]byte, len(hello))
conn.SetReadDeadline(time.Now().Add(5 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(5 * time.Second))
if _, err := io.ReadFull(conn, echoed); err != nil {
t.Fatalf("read echoed data: %v", err)
}
@@ -558,14 +558,14 @@ func TestBackendUnreachable(t *testing.T) {
t.Fatalf("finding free port: %v", err)
}
deadAddr := ln.Addr().String()
ln.Close()
_ = ln.Close()
proxyLn, err := net.Listen("tcp", "127.0.0.1:0")
if err != nil {
t.Fatalf("finding free port: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
srv := newTestServer(t, []ListenerData{
{
@@ -584,13 +584,13 @@ func TestBackendUnreachable(t *testing.T) {
if err != nil {
t.Fatalf("dial proxy: %v", err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
hello := buildClientHello("dead.test")
conn.Write(hello)
_, _ = conn.Write(hello)
// Proxy should close the connection after failing to dial backend.
conn.SetReadDeadline(time.Now().Add(5 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(5 * time.Second))
_, err = conn.Read(make([]byte, 1))
if err == nil {
t.Fatal("expected connection to be closed when backend is unreachable")
@@ -603,15 +603,15 @@ func TestGracefulShutdown(t *testing.T) {
if err != nil {
t.Fatalf("backend listen: %v", err)
}
defer backendLn.Close()
defer func() { _ = backendLn.Close() }()
go func() {
conn, err := backendLn.Accept()
if err != nil {
return
}
defer conn.Close()
io.Copy(io.Discard, conn)
defer func() { _ = conn.Close() }()
_, _ = io.Copy(io.Discard, conn)
}()
proxyLn, err := net.Listen("tcp", "127.0.0.1:0")
@@ -619,7 +619,7 @@ func TestGracefulShutdown(t *testing.T) {
t.Fatalf("finding free port: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
fw, err := firewall.New("", nil, nil, nil, 0, 0)
if err != nil {
@@ -649,10 +649,10 @@ func TestGracefulShutdown(t *testing.T) {
if err != nil {
t.Fatalf("dial proxy: %v", err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
hello := buildClientHello("hold.test")
conn.Write(hello)
_, _ = conn.Write(hello)
time.Sleep(50 * time.Millisecond)
// Trigger shutdown.
@@ -719,7 +719,7 @@ func TestProxyProtocolReceive(t *testing.T) {
if err != nil {
t.Fatalf("backend listen: %v", err)
}
defer backendLn.Close()
defer func() { _ = backendLn.Close() }()
go echoServer(t, backendLn)
proxyLn, err := net.Listen("tcp", "127.0.0.1:0")
@@ -727,7 +727,7 @@ func TestProxyProtocolReceive(t *testing.T) {
t.Fatalf("finding free port: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
srv := newTestServer(t, []ListenerData{
{
@@ -747,22 +747,22 @@ func TestProxyProtocolReceive(t *testing.T) {
if err != nil {
t.Fatalf("dial proxy: %v", err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
// Send PROXY v2 header followed by TLS ClientHello.
var ppBuf bytes.Buffer
proxyproto.WriteV2(&ppBuf,
_ = proxyproto.WriteV2(&ppBuf,
netip.MustParseAddrPort("203.0.113.50:12345"),
netip.MustParseAddrPort("198.51.100.1:443"),
)
conn.Write(ppBuf.Bytes())
_, _ = conn.Write(ppBuf.Bytes())
hello := buildClientHello("echo.test")
conn.Write(hello)
_, _ = conn.Write(hello)
// Backend should echo the ClientHello back (not the PROXY header).
echoed := make([]byte, len(hello))
conn.SetReadDeadline(time.Now().Add(5 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(5 * time.Second))
if _, err := io.ReadFull(conn, echoed); err != nil {
t.Fatalf("read echoed data: %v", err)
}
@@ -774,7 +774,7 @@ func TestProxyProtocolReceiveGarbage(t *testing.T) {
t.Fatalf("finding free port: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
srv := newTestServer(t, []ListenerData{
{
@@ -794,13 +794,13 @@ func TestProxyProtocolReceiveGarbage(t *testing.T) {
if err != nil {
t.Fatalf("dial proxy: %v", err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
// Send garbage instead of a valid PROXY header.
conn.Write([]byte("NOT A PROXY HEADER\r\n"))
_, _ = conn.Write([]byte("NOT A PROXY HEADER\r\n"))
// Connection should be closed.
conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_, err = conn.Read(make([]byte, 1))
if err == nil {
t.Fatal("expected connection to be closed for invalid PROXY header")
@@ -813,7 +813,7 @@ func TestProxyProtocolSend(t *testing.T) {
if err != nil {
t.Fatalf("backend listen: %v", err)
}
defer backendLn.Close()
defer func() { _ = backendLn.Close() }()
received := make(chan []byte, 1)
go func() {
@@ -821,9 +821,9 @@ func TestProxyProtocolSend(t *testing.T) {
if err != nil {
return
}
defer conn.Close()
defer func() { _ = conn.Close() }()
// Read all available data; the proxy sends PROXY header + ClientHello.
conn.SetReadDeadline(time.Now().Add(5 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(5 * time.Second))
var all []byte
buf := make([]byte, 4096)
for {
@@ -845,7 +845,7 @@ func TestProxyProtocolSend(t *testing.T) {
t.Fatalf("finding free port: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
srv := newTestServer(t, []ListenerData{
{
@@ -868,10 +868,10 @@ func TestProxyProtocolSend(t *testing.T) {
if err != nil {
t.Fatalf("dial proxy: %v", err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
hello := buildClientHello("pp.test")
conn.Write(hello)
_, _ = conn.Write(hello)
// The backend should receive: PROXY v2 header + ClientHello.
select {
@@ -904,7 +904,7 @@ func TestProxyProtocolNotSent(t *testing.T) {
if err != nil {
t.Fatalf("backend listen: %v", err)
}
defer backendLn.Close()
defer func() { _ = backendLn.Close() }()
received := make(chan []byte, 1)
go func() {
@@ -912,7 +912,7 @@ func TestProxyProtocolNotSent(t *testing.T) {
if err != nil {
return
}
defer conn.Close()
defer func() { _ = conn.Close() }()
buf := make([]byte, 4096)
n, _ := conn.Read(buf)
received <- buf[:n]
@@ -923,7 +923,7 @@ func TestProxyProtocolNotSent(t *testing.T) {
t.Fatalf("finding free port: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
srv := newTestServer(t, []ListenerData{
{
@@ -942,10 +942,10 @@ func TestProxyProtocolNotSent(t *testing.T) {
if err != nil {
t.Fatalf("dial proxy: %v", err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
hello := buildClientHello("nopp.test")
conn.Write(hello)
_, _ = conn.Write(hello)
select {
case data := <-received:
@@ -964,7 +964,7 @@ func TestProxyProtocolFirewallUsesRealIP(t *testing.T) {
if err != nil {
t.Fatalf("backend listen: %v", err)
}
defer backendLn.Close()
defer func() { _ = backendLn.Close() }()
reached := make(chan struct{}, 1)
go func() {
@@ -972,7 +972,7 @@ func TestProxyProtocolFirewallUsesRealIP(t *testing.T) {
if err != nil {
return
}
conn.Close()
_ = conn.Close()
reached <- struct{}{}
}()
@@ -981,7 +981,7 @@ func TestProxyProtocolFirewallUsesRealIP(t *testing.T) {
t.Fatalf("finding free port: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
// Block 203.0.113.50 (the "real" client IP from PROXY header).
// 127.0.0.1 (the actual TCP peer) is NOT blocked.
@@ -1014,7 +1014,7 @@ func TestProxyProtocolFirewallUsesRealIP(t *testing.T) {
wg.Add(1)
go func() {
defer wg.Done()
srv.Run(ctx)
_ = srv.Run(ctx)
}()
time.Sleep(50 * time.Millisecond)
@@ -1022,19 +1022,19 @@ func TestProxyProtocolFirewallUsesRealIP(t *testing.T) {
if err != nil {
t.Fatalf("dial proxy: %v", err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
// Send PROXY v2 with the blocked real IP.
var ppBuf bytes.Buffer
proxyproto.WriteV2(&ppBuf,
_ = proxyproto.WriteV2(&ppBuf,
netip.MustParseAddrPort("203.0.113.50:12345"),
netip.MustParseAddrPort("198.51.100.1:443"),
)
conn.Write(ppBuf.Bytes())
conn.Write(buildClientHello("blocked.test"))
_, _ = conn.Write(ppBuf.Bytes())
_, _ = conn.Write(buildClientHello("blocked.test"))
// Connection should be closed (firewall blocks real IP).
conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_, err = conn.Read(make([]byte, 1))
if err == nil {
t.Fatal("expected connection to be closed by firewall")
@@ -1060,7 +1060,7 @@ func TestConnectionLimitEnforced(t *testing.T) {
if err != nil {
t.Fatalf("backend listen: %v", err)
}
defer backendLn.Close()
defer func() { _ = backendLn.Close() }()
go func() {
for {
@@ -1068,7 +1068,7 @@ func TestConnectionLimitEnforced(t *testing.T) {
if err != nil {
return
}
go io.Copy(io.Discard, conn)
go func() { _, _ = io.Copy(io.Discard, conn) }()
}
}()
@@ -1077,7 +1077,7 @@ func TestConnectionLimitEnforced(t *testing.T) {
t.Fatalf("proxy listen: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
srv := newTestServer(t, []ListenerData{
{
@@ -1100,7 +1100,7 @@ func TestConnectionLimitEnforced(t *testing.T) {
if err != nil {
t.Fatalf("dial %d: %v", i, err)
}
conn.Write(buildClientHello("limit.test"))
_, _ = conn.Write(buildClientHello("limit.test"))
conns = append(conns, conn)
}
time.Sleep(100 * time.Millisecond)
@@ -1110,16 +1110,16 @@ func TestConnectionLimitEnforced(t *testing.T) {
if err != nil {
t.Fatalf("dial 3: %v", err)
}
conn3.Write(buildClientHello("limit.test"))
conn3.SetReadDeadline(time.Now().Add(2 * time.Second))
_, _ = conn3.Write(buildClientHello("limit.test"))
_ = conn3.SetReadDeadline(time.Now().Add(2 * time.Second))
_, err = conn3.Read(make([]byte, 1))
if err == nil {
t.Fatal("expected 3rd connection to be closed due to limit")
}
conn3.Close()
_ = conn3.Close()
// Close one existing connection.
conns[0].Close()
_ = conns[0].Close()
time.Sleep(200 * time.Millisecond)
// Now a new connection should succeed.
@@ -1127,8 +1127,8 @@ func TestConnectionLimitEnforced(t *testing.T) {
if err != nil {
t.Fatalf("dial 4: %v", err)
}
defer conn4.Close()
conn4.Write(buildClientHello("limit.test"))
defer func() { _ = conn4.Close() }()
_, _ = conn4.Write(buildClientHello("limit.test"))
// Give it time to be proxied.
time.Sleep(100 * time.Millisecond)
@@ -1138,7 +1138,7 @@ func TestConnectionLimitEnforced(t *testing.T) {
// Clean up.
for _, c := range conns[1:] {
c.Close()
_ = c.Close()
}
}
@@ -1155,7 +1155,7 @@ func TestMultiHopProxyProtocol(t *testing.T) {
// h2c backend on origin that echoes the X-Forwarded-For.
backendAddr := startH2CBackend(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "xff=%s", r.Header.Get("X-Forwarded-For"))
_, _ = fmt.Fprintf(w, "xff=%s", r.Header.Get("X-Forwarded-For"))
}))
// Origin proxy: proxy_protocol=true listener, L7 route to backend.
@@ -1164,7 +1164,7 @@ func TestMultiHopProxyProtocol(t *testing.T) {
t.Fatalf("origin listen: %v", err)
}
originAddr := originLn.Addr().String()
originLn.Close()
_ = originLn.Close()
originFw, _ := firewall.New("", nil, nil, nil, 0, 0)
originCfg := &config.Config{
@@ -1196,7 +1196,7 @@ func TestMultiHopProxyProtocol(t *testing.T) {
originWg.Add(1)
go func() {
defer originWg.Done()
originSrv.Run(originCtx)
_ = originSrv.Run(originCtx)
}()
time.Sleep(50 * time.Millisecond)
defer func() {
@@ -1210,7 +1210,7 @@ func TestMultiHopProxyProtocol(t *testing.T) {
t.Fatalf("edge listen: %v", err)
}
edgeAddr := edgeLn.Addr().String()
edgeLn.Close()
_ = edgeLn.Close()
edgeFw, _ := firewall.New("", nil, nil, nil, 0, 0)
edgeSrv := New(originCfg, edgeFw, []ListenerData{
@@ -1232,7 +1232,7 @@ func TestMultiHopProxyProtocol(t *testing.T) {
edgeWg.Add(1)
go func() {
defer edgeWg.Done()
edgeSrv.Run(edgeCtx)
_ = edgeSrv.Run(edgeCtx)
}()
time.Sleep(50 * time.Millisecond)
defer func() {
@@ -1253,7 +1253,7 @@ func TestMultiHopProxyProtocol(t *testing.T) {
if err != nil {
t.Fatalf("TLS dial edge: %v", err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
tr := &http2.Transport{}
h2conn, err := tr.NewClientConn(conn)
@@ -1266,7 +1266,7 @@ func TestMultiHopProxyProtocol(t *testing.T) {
if err != nil {
t.Fatalf("RoundTrip: %v", err)
}
defer resp.Body.Close()
defer func() { _ = resp.Body.Close() }()
body, _ := io.ReadAll(resp.Body)
if resp.StatusCode != 200 {
@@ -1289,7 +1289,7 @@ func TestMultiHopFirewallBlocksRealIP(t *testing.T) {
if err != nil {
t.Fatalf("backend listen: %v", err)
}
defer backendLn.Close()
defer func() { _ = backendLn.Close() }()
reached := make(chan struct{}, 1)
go func() {
@@ -1297,7 +1297,7 @@ func TestMultiHopFirewallBlocksRealIP(t *testing.T) {
if err != nil {
return
}
conn.Close()
_ = conn.Close()
reached <- struct{}{}
}()
@@ -1306,7 +1306,7 @@ func TestMultiHopFirewallBlocksRealIP(t *testing.T) {
t.Fatalf("origin listen: %v", err)
}
originAddr := originLn.Addr().String()
originLn.Close()
_ = originLn.Close()
// Block 198.51.100.99 — this is the "real client IP" we'll put in the PROXY header.
originFw, _ := firewall.New("", []string{"198.51.100.99"}, nil, nil, 0, 0)
@@ -1334,7 +1334,7 @@ func TestMultiHopFirewallBlocksRealIP(t *testing.T) {
wg.Add(1)
go func() {
defer wg.Done()
originSrv.Run(ctx)
_ = originSrv.Run(ctx)
}()
time.Sleep(50 * time.Millisecond)
@@ -1343,18 +1343,18 @@ func TestMultiHopFirewallBlocksRealIP(t *testing.T) {
if err != nil {
t.Fatalf("dial origin: %v", err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
var ppBuf bytes.Buffer
proxyproto.WriteV2(&ppBuf,
_ = proxyproto.WriteV2(&ppBuf,
netip.MustParseAddrPort("198.51.100.99:12345"),
netip.MustParseAddrPort("10.0.0.1:443"),
)
conn.Write(ppBuf.Bytes())
conn.Write(buildClientHello("blocked.test"))
_, _ = conn.Write(ppBuf.Bytes())
_, _ = conn.Write(buildClientHello("blocked.test"))
// Connection should be dropped by firewall.
conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_, err = conn.Read(make([]byte, 1))
if err == nil {
t.Fatal("expected connection to be closed")
@@ -1396,12 +1396,12 @@ func testCert(t *testing.T, hostname string) (certPath, keyPath string) {
certPath = filepath.Join(dir, "cert.pem")
keyPath = filepath.Join(dir, "key.pem")
cf, _ := os.Create(certPath)
pem.Encode(cf, &pem.Block{Type: "CERTIFICATE", Bytes: certDER})
cf.Close()
_ = pem.Encode(cf, &pem.Block{Type: "CERTIFICATE", Bytes: certDER})
_ = cf.Close()
keyDER, _ := x509.MarshalECPrivateKey(key)
kf, _ := os.Create(keyPath)
pem.Encode(kf, &pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
kf.Close()
_ = pem.Encode(kf, &pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
_ = kf.Close()
return
}
@@ -1417,8 +1417,8 @@ func startH2CBackend(t *testing.T, handler http.Handler) string {
if err != nil {
t.Fatalf("listen: %v", err)
}
t.Cleanup(func() { srv.Close(); ln.Close() })
go srv.Serve(ln)
t.Cleanup(func() { _ = srv.Close(); _ = ln.Close() })
go func() { _ = srv.Serve(ln) }()
return ln.Addr().String()
}
@@ -1426,7 +1426,7 @@ func TestL7ThroughServer(t *testing.T) {
certPath, keyPath := testCert(t, "l7srv.test")
backendAddr := startH2CBackend(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "ok path=%s xff=%s", r.URL.Path, r.Header.Get("X-Forwarded-For"))
_, _ = fmt.Fprintf(w, "ok path=%s xff=%s", r.URL.Path, r.Header.Get("X-Forwarded-For"))
}))
proxyLn, err := net.Listen("tcp", "127.0.0.1:0")
@@ -1434,7 +1434,7 @@ func TestL7ThroughServer(t *testing.T) {
t.Fatalf("proxy listen: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
srv := newTestServer(t, []ListenerData{
{
@@ -1467,7 +1467,7 @@ func TestL7ThroughServer(t *testing.T) {
if err != nil {
t.Fatalf("TLS dial: %v", err)
}
defer conn.Close()
defer func() { _ = conn.Close() }()
tr := &http2.Transport{}
h2conn, err := tr.NewClientConn(conn)
@@ -1480,7 +1480,7 @@ func TestL7ThroughServer(t *testing.T) {
if err != nil {
t.Fatalf("RoundTrip: %v", err)
}
defer resp.Body.Close()
defer func() { _ = resp.Body.Close() }()
body, _ := io.ReadAll(resp.Body)
// The X-Forwarded-For should be the TCP source IP (127.0.0.1) since
@@ -1502,12 +1502,12 @@ func TestMixedL4L7SameListener(t *testing.T) {
if err != nil {
t.Fatalf("l4 backend listen: %v", err)
}
defer l4BackendLn.Close()
defer func() { _ = l4BackendLn.Close() }()
go echoServer(t, l4BackendLn)
// L7 backend: h2c HTTP server.
l7BackendAddr := startH2CBackend(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
fmt.Fprint(w, "l7-response")
_, _ = fmt.Fprint(w, "l7-response")
}))
proxyLn, err := net.Listen("tcp", "127.0.0.1:0")
@@ -1515,7 +1515,7 @@ func TestMixedL4L7SameListener(t *testing.T) {
t.Fatalf("proxy listen: %v", err)
}
proxyAddr := proxyLn.Addr().String()
proxyLn.Close()
_ = proxyLn.Close()
srv := newTestServer(t, []ListenerData{
{
@@ -1541,11 +1541,11 @@ func TestMixedL4L7SameListener(t *testing.T) {
if err != nil {
t.Fatalf("dial L4: %v", err)
}
defer l4Conn.Close()
defer func() { _ = l4Conn.Close() }()
hello := buildClientHello("l4echo.test")
l4Conn.Write(hello)
_, _ = l4Conn.Write(hello)
echoed := make([]byte, len(hello))
l4Conn.SetReadDeadline(time.Now().Add(5 * time.Second))
_ = l4Conn.SetReadDeadline(time.Now().Add(5 * time.Second))
if _, err := io.ReadFull(l4Conn, echoed); err != nil {
t.Fatalf("L4 echo read: %v", err)
}
@@ -1563,7 +1563,7 @@ func TestMixedL4L7SameListener(t *testing.T) {
if err != nil {
t.Fatalf("TLS dial L7: %v", err)
}
defer l7Conn.Close()
defer func() { _ = l7Conn.Close() }()
tr := &http2.Transport{}
h2conn, err := tr.NewClientConn(l7Conn)
@@ -1576,7 +1576,7 @@ func TestMixedL4L7SameListener(t *testing.T) {
if err != nil {
t.Fatalf("L7 RoundTrip: %v", err)
}
defer resp.Body.Close()
defer func() { _ = resp.Body.Close() }()
body, _ := io.ReadAll(resp.Body)
if string(body) != "l7-response" {
@@ -1593,11 +1593,11 @@ func buildClientHello(serverName string) []byte {
func buildClientHelloWithExtensions(extensions []byte) []byte {
var hello []byte
hello = append(hello, 0x03, 0x03) // TLS 1.2
hello = append(hello, make([]byte, 32)...) // random
hello = append(hello, 0x00) // session ID: empty
hello = append(hello, 0x03, 0x03) // TLS 1.2
hello = append(hello, make([]byte, 32)...) // random
hello = append(hello, 0x00) // session ID: empty
hello = append(hello, 0x00, 0x02, 0x00, 0x9C) // cipher suites
hello = append(hello, 0x01, 0x00) // compression methods
hello = append(hello, 0x01, 0x00) // compression methods
if len(extensions) > 0 {
hello = binary.BigEndian.AppendUint16(hello, uint16(len(extensions)))
@@ -1636,4 +1636,3 @@ func sniExtension(serverName string) []byte {
return ext
}