package
18.0.0-dev.vnet-windows.4+incompatible
Repository: https://github.com/gravitational/teleport.git
Documentation: pkg.go.dev

# Packages

No description provided by the author

# Functions

MarshalTLVs marshals provided slice of TLVs into slice of bytes.
New returns a new instance of multiplexer.
NewConn returns a net.Conn wrapper that supports peeking into the connection.
NewPROXYEnabledListener creates a new instance of PROXYEnabledListener.
NewPROXYSigner returns a new instance of PROXYSigner.
NewTestProxy creates a new test proxy that sends a proxy-line when proxying connections to the provided target address.
NewTLSListener returns a new TLS listener.
NewWebListener returns a new web listener.
ReadProxyLine reads proxy line protocol from the reader.
ReadProxyLineV2 reads PROXY protocol v2 line from the reader.
UnmarshalTLVs parses provided bytes slice into slice of TLVs.

# Constants

No description provided by the author
JWT used to verify information sent in plain PROXY header.
Certificate used to sign JWT.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html.
https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview.
https://cloud.google.com/vpc/docs/configure-private-service-connect-producer.
No-op used for padding.
Teleport's own type for transferring our custom data, such as connection metadata.
No description provided by the author
No description provided by the author
ProtoHTTP is HTTP protocol.
ProtoPostgres is PostgreSQL wire protocol.
ProtoProxy is a HAProxy proxy line protocol.
ProtoProxyV2 is a HAProxy binary protocol.
ProtoSSH is SSH protocol.
ProtoTLS is TLS protocol.
ProtoUnknown is for unknown protocol.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
TCP4 is TCP over IPv4.
TCP6 is TCP over IPv6.
Unknown is unsupported or unknown protocol.
No description provided by the author

# Variables

ErrBadCACert is returned when a HostCA cert could not successfully be added to roots for signing certificate verification.
ErrBadIP is returned when there's a problem with client source or destination IP address.
ErrIncorrectRole is returned when the signing cert doesn't have the required system role (Proxy).
ErrNoHostCA is returned when CAGetter could not get host CA, for example if auth server is not available.
ErrNonLocalCluster is returned when we receive a signed PROXY header whose signing certificate is from a remote cluster.
ErrNoSignature is returned when proxy line doesn't have full required data (JWT and cert) for verification.
ErrTruncatedTLV is returned when there are not enough bytes to read a full TLV.
No description provided by the author

# Structs

Config is a multiplexer config.
Conn is a connection wrapper that supports communicating remote address from proxy protocol and replays first several bytes read during protocol detection.
Listener is a listener that receives connections from multiplexer based on the connection type.
Mux supports having both SSH and TLS on the same listener socket.
PROXYEnabledListener wraps provided listener and can receive and apply PROXY headers and then pass connection up the chain.
ProxyLine implements PROXY protocol versions 1 and 2. Spec: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt. Original implementation: https://github.com/racker/go-proxy-protocol. TLV: https://github.com/pires/go-proxyproto.
PROXYSigner implements PROXYHeaderSigner to sign PROXY headers.
TestProxy is a TCP passthrough proxy that sends a proxy-line when connecting to the target server.
TLSListener wraps tls.Listener and detects negotiated protocol (assuming it's either http/1.1 or http/2) and forwards the appropriate responses to either HTTP/1.1 or HTTP/2 listeners.
TLSListenerConfig specifies listener configuration.
TLV (Type-Length-Value) is an extension mechanism in PROXY protocol v2, see end of section 2.2.
WebListener multiplexes TLS connections between web and database listeners based on the client certificate.
WebListenerConfig is the web listener configuration.

# Interfaces

JWTPROXYSigner provides the ability to create JWTs for signed PROXY headers.
PROXYHeaderSigner allows signing PROXY headers to securely propagate original client IP information.

# Type aliases

CertAuthorityGetter allows getting the cluster's host CA for verification of signed PROXY headers.
No description provided by the author
No description provided by the author
PP2Type is the PROXY protocol v2 TLV type.
No description provided by the author
Protocol defines detected protocol type.
PROXYProtocolMode controls behavior related to unsigned PROXY protocol headers.