From ffd0d17b58bc9649421775523b73884a78c2936b Mon Sep 17 00:00:00 2001
From: Owen
Date: Tue, 2 Jun 2026 16:42:26 -0700
Subject: [PATCH] Add proxy protocl support in blueprints
---
 server/lib/blueprints/proxyResources.ts | 30 ++++++++++++++++++++++++-
 server/lib/blueprints/types.ts | 21 ++++++++++++++++-
 2 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/server/lib/blueprints/proxyResources.ts b/server/lib/blueprints/proxyResources.ts
index d4a2d1909..28bc1c90d 100644
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
@@ -337,6 +337,15 @@ export async function updateProxyResources(
 resourceData.maintenance?.message,
 maintenanceEstimatedTime:
 resourceData.maintenance?.["estimated-time"],
+ proxyProtocol:
+ resourceData.mode === "tcp"
+ ? (resourceData["proxy-protocol"] ?? false)
+ : false,
+ proxyProtocolVersion:
+ resourceData.mode === "tcp"
+ ? (resourceData["proxy-protocol-version"] ??
+ 1)
+ : 1,
 resourcePolicyId: sharedPolicy.resourcePolicyId
 })
 .where(
@@ -504,6 +513,15 @@ export async function updateProxyResources(
 resourceData.maintenance?.message,
 maintenanceEstimatedTime:
 resourceData.maintenance?.["estimated-time"],
+ proxyProtocol:
+ resourceData.mode === "tcp"
+ ? (resourceData["proxy-protocol"] ?? false)
+ : false,
+ proxyProtocolVersion:
+ resourceData.mode === "tcp"
+ ? (resourceData["proxy-protocol-version"] ??
+ 1)
+ : 1,
 resourcePolicyId: null,
 defaultResourcePolicyId: inlinePolicyId
 })
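Review bot: The `resourceData.mode === "tcp"` gate and its two defaults are repeated verbatim in all three `updateProxyResources` hunks (here at 337 and 513, and again at 1012), so a later edit to one copy can leave different code paths storing different PROXY protocol settings for the same blueprint. Compute the pair once before the queries, e.g. `const proxyProtocol = resourceData.mode === "tcp" && (resourceData["proxy-protocol"] ?? false);` and `const proxyProtocolVersion = resourceData.mode === "tcp" ? (resourceData["proxy-protocol-version"] ?? 1) : 1;`, and reference them in each object literal. The gate also reads only `mode`, while the refine added in types.ts uses `resource.mode ?? resource.protocol`; that is fine if this function always receives the transformed schema output, which these hunks do not show. The function body starts and ends outside the hunks.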
@@ -994,6 +1012,14 @@ export async function updateProxyResources( maintenanceMessage: resourceData.maintenance?.message, maintenanceEstimatedTime: resourceData.maintenance?.["estimated-time"], + proxyProtocol: + resourceData.mode === "tcp" + ? (resourceData["proxy-protocol"] ?? false) + : false, + proxyProtocolVersion: + resourceData.mode === "tcp" + ? (resourceData["proxy-protocol-version"] ?? 1) + : 1, defaultResourcePolicyId: inlinePolicy.resourcePolicyId, resourcePolicyId: sharedPolicyId, // Only set these resource-level fields when using a shared policy @@ -1231,7 +1257,9 @@ async function syncRoleResources( })) ); role = created; - logger.info(`Auto-created role "${roleName}" in org ${orgId} from blueprint`); + logger.info( + `Auto-created role "${roleName}" in org ${orgId} from blueprint` + ); } if (role.isAdmin) { diff --git a/server/lib/blueprints/types.ts b/server/lib/blueprints/types.ts index fc540a730..454d83aa9 100644 --- a/server/lib/blueprints/types.ts +++ b/server/lib/blueprints/types.ts @@ -201,7 +201,9 @@ export const PublicResourceSchema = z headers: z.array(HeaderSchema).optional(), rules: z.array(RuleSchema).optional(), maintenance: MaintenanceSchema.optional(), - "auth-daemon": AuthDaemonSchema.optional() + "auth-daemon": AuthDaemonSchema.optional(), + "proxy-protocol": z.boolean().optional(), + "proxy-protocol-version": z.int().min(1).optional() }) .refine( (resource) => { 
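Review bot: In the types.ts hunk at 201, `"proxy-protocol-version": z.int().min(1).optional()` accepts any positive integer, but the PROXY protocol defines only versions 1 and 2, so a blueprint with `3` passes validation and is written to `proxyProtocolVersion` by updateProxyResources. Bound it in the schema, e.g. `"proxy-protocol-version": z.union([z.literal(1), z.literal(2)]).optional()`, so an unsupported value is rejected when the blueprint is parsed rather than reaching whatever consumes the stored value, which this patch does not show. A short comment beside the two keys would also help, stating that the target must be configured to expect the PROXY header and should accept it only from this proxy; a target that accepts the header from any peer can be given a forged client address, and one that does not expect it will fail the connection.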
@@ -378,6 +380,23 @@ export const PublicResourceSchema = z
 'Wildcard full-domain must have "*" as the leftmost label only, followed by at least two valid hostname labels (e.g. "*.example.com" or "*.level1.example.com"). Patterns like "*example.com" or "level2.*.example.com" are not supported.'
 }
 )
+ .refine(
+ (resource) => {
+ const effectiveMode = resource.mode ?? resource.protocol;
+ if (effectiveMode !== "tcp") {
+ return (
+ resource["proxy-protocol"] === undefined &&
+ resource["proxy-protocol-version"] === undefined
+ );
+ }
+ return true;
+ },
+ {
+ path: ["proxy-protocol"],
+ message:
+ "'proxy-protocol' and 'proxy-protocol-version' can only be set when mode is 'tcp'"
+ }
+ )
 .transform((resource) => {
 // Normalize: prefer mode, fall back to protocol for backwards compatibility
 if (resource.mode === undefined && resource.protocol !== undefined) {
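Review bot: The new refine rejects the two keys only on non-TCP resources; on a TCP resource it still accepts `"proxy-protocol-version"` with `"proxy-protocol"` omitted or `false`, which stores a version for a feature that stays off and is most likely an authoring mistake. Consider a second refine with its own message that fails when `resource["proxy-protocol-version"] !== undefined && resource["proxy-protocol"] !== true`. The issue is also always reported at `path: ["proxy-protocol"]`, even when only the version key is present, so the error can point at a key the author never wrote. A one-line comment above the refine, such as `// PROXY protocol is only applied to raw TCP resources; reject it elsewhere instead of silently ignoring it`, would record why the check exists.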