From f263031fe97e2762c623714e5fd7c623ef7b6ba9 Mon Sep 17 00:00:00 2001
From: Nikolay <nik@victoriametrics.com>
Date: Wed, 31 May 2023 15:37:59 +0200
Subject: [PATCH] app/vmauth: properly handle LOCAL proxy protocol command
 (#4373)

app/vmauth: properly handle LOCAL proxy protocol command

It is required for handling health checks from load balancers

https://github.com/VictoriaMetrics/VictoriaMetrics/issues/3335
---
 docs/CHANGELOG.md            |  1 +
 lib/netutil/proxyprotocol.go | 11 ++++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index ded47e0a0..e0b917f18 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -25,6 +25,7 @@ The following tip changes can be tested by building VictoriaMetrics components f
 ## tip
 
 * BUGFIX: [vmalert](https://docs.victoriametrics.com/vmalert.html): Properly form path to static assets in WEB UI if `http.pathPrefix` set. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/4349).
+* BUGFIX: [vmauth](https://docs.victoriametrics.com/vmauth.html): Properly handle LOCAL command for proxy protocol. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/3335#issuecomment-1569864108).
 
 ## [v1.91.0](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.91.0)
 
diff --git a/lib/netutil/proxyprotocol.go b/lib/netutil/proxyprotocol.go
index fd1628a26..e0a95c548 100644
--- a/lib/netutil/proxyprotocol.go
+++ b/lib/netutil/proxyprotocol.go
@@ -71,9 +71,14 @@ func readProxyProto(r io.Reader) (net.Addr, error) {
 	if version != 2 {
 		return nil, fmt.Errorf("unsupported proxy protocol version, only v2 protocol version is supported, got: %d", version)
 	}
-	if proto != 1 {
-		// Only TCP is supported (aka STREAM).
-		return nil, fmt.Errorf("the proxy protocol implementation doesn't support proto %d; expecting 1", proto)
+	// check for supported proto:
+	switch {
+	case proto == 0 && command == 0:
+		// 0 - UNSPEC with LOCAL command 0. Common use case for load balancer health checks.
+	case proto == 1:
+		// 1 - TCP (aka STREAM).
+	default:
+		return nil, fmt.Errorf("the proxy protocol implementation doesn't support proto %d and command: %d; expecting proto 1 or proto 0 with command 0", proto, command)
 	}
 	// The length of the remainder of the header including any TLVs in network byte order
 	// 0, 1, 2