Augment PROXY protocol v2 with TLS metadata TLVs #705

Merged: csstaub merged 4 commits into master from cs/proxy-protocol, Apr 19, 2026

csstaub commented Apr 19, 2026

Augment PROXY protocol v2 with TLS metadata TLVs:

  • Fix IPv6: detect address family at runtime instead of hardcoding TCPv4
  • Add PP2_SUBTYPE_SSL_CLIENT_CERT with full DER-encoded client cert
  • Add PP2_TYPE_AUTHORITY (SNI) and PP2_TYPE_ALPN top-level TLVs
  • Add unit tests for TLV construction and transport protocol detection
  • Extend integration test to parse and validate all new TLVs

Copilot AI review requested due to automatic review settings April 19, 2026 05:48
csstaub force-pushed the cs/proxy-protocol branch from 668ada3 to bc439e8, April 19, 2026 05:51

codecov Bot commented Apr 19, 2026

Codecov Report

❌ Patch coverage is 90.10989% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 91.26%. Comparing base (ed2dcfd) to head (37c6b01).
⚠️ Report is 7 commits behind head on master.

Files with missing lines Patch % Lines
proxy/proxy.go 87.32% 4 Missing and 5 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master     #705      +/-   ##
==========================================
- Coverage   91.43%   91.26%   -0.18%     
==========================================
  Files          41       41              
  Lines        2195     2278      +83     
==========================================
+ Hits         2007     2079      +72     
- Misses        120      125       +5     
- Partials       68       74       +6     
Flag Coverage Δ
darwin 90.46% <90.10%> (-0.21%) ⬇️
linux 91.01% <90.10%> (-0.17%) ⬇️
windows 86.72% <90.10%> (+0.15%) ⬆️

Copilot AI left a comment

Pull request overview

This PR extends Ghostunnel’s server-side PROXY protocol v2 support with configurable modes that can include TLS metadata TLVs (ALPN/SNI/SSL info and optional client certificate details), and fixes transport protocol detection to support IPv6 connections.

Changes:

  • Introduces ProxyProtocolMode (off/conn/tls/tls-full) and builds PROXY v2 TLVs from tls.ConnectionState.
  • Adds --proxy-protocol-mode CLI flag, mutual-exclusion validation with --proxy-protocol, and corresponding unit tests.
  • Expands integration tests and documentation around PROXY protocol behavior and TLV contents.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 11 comments.

File Description
proxy/proxy.go Adds PROXY protocol mode enum, runtime transport detection, and TLS TLV construction logic.
proxy/proxy_test.go Adds unit tests for transport protocol detection and TLV/header construction.
main.go Adds --proxy-protocol-mode, validation, and wires mode into proxy.New.
main_test.go Adds tests for server proxy protocol flag/mode interactions and validation.
tests/common.py Adds parse_tlvs() helper for PROXY v2 TLV parsing in integration tests.
tests/test-server-proxy-protocol.py Updates integration test to exercise --proxy-protocol-mode=tls-full and validate SSL sub-TLVs.
tests/test-server-proxy-protocol-tls.py New integration test for --proxy-protocol-mode=tls behavior.
tests/test-server-proxy-protocol-conn.py New integration test for bare --proxy-protocol (conn-only, no TLVs).
docs/PROXY-PROTOCOL.md New documentation page describing modes and emitted TLVs.
docs/FLAGS.md Documents new mode flag and links to PROXY protocol docs.
docs/QUICKSTART.md Adds PROXY Protocol docs link.
docs/ACCESS-FLAGS.md Mentions forwarding client identity via tls-full mode.
README.md Updates PROXY protocol section to mention mode flag and new docs link.
certstore/certstore_windows.go Comment formatting adjustment.
certloader/jceks/jceks_test.go Minor formatting cleanup in tests.
certloader/decode_test.go Minor formatting cleanup in tests.
certloader/certstore_reload_test.go Minor refactor/formatting cleanup in tests.
certloader/certstore_enabled_test.go Removes trailing whitespace line.

- Fix IPv6: detect address family at runtime instead of hardcoding TCPv4
- Add PP2_SUBTYPE_SSL_CLIENT_CERT with full DER-encoded client cert
- Add PP2_TYPE_AUTHORITY (SNI) and PP2_TYPE_ALPN top-level TLVs
- Add unit tests for TLV construction and transport protocol detection
- Extend integration test to parse and validate all new TLVs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
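
The TLVs this pull request emits (ALPN, AUTHORITY/SNI and the SSL TLV with its nested sub-TLVs) can be checked on the receiving side with a bounds-checked parser. The Go code below is an added example, not Ghostunnel's code or the PR's `parse_tlvs()` helper; the type codes come from the PROXY protocol v2 specification, while the function names, host names and sample header are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Added example, not Ghostunnel code. Spec codes: ALPN, AUTHORITY (SNI), SSL, SSL_CN.
const typeALPN, typeAuthority, typeSSL, subCN = 0x01, 0x02, 0x20, 0x22
var sig = []byte("\r\n\r\n\x00\r\nQUIT\n")
var errBad = fmt.Errorf("malformed PROXY v2 data")

// sample is constructed input: TCP over IPv6, zeroed addresses, three TLVs.
var sample = []byte(string(sig) + "\x21\x21\x00\x50" + string(make([]byte, 36)) + "\x01\x00\x02h2" +
	"\x02\x00\x0bsvc.example" + "\x20\x00\x16\x05\x00\x00\x00\x00\x22\x00\x0eclient.example")

// parseTLVs reads type(1) | length(2, big-endian) | value records, rejecting overruns.
func parseTLVs(b []byte, out map[byte][]byte) error {
	for len(b) > 0 {
		if len(b) < 3 || len(b)-3 < int(binary.BigEndian.Uint16(b[1:3])) {
			return errBad
		}
		end := 3 + int(binary.BigEndian.Uint16(b[1:3]))
		out[b[0]], b = b[3:end], b[end:]
	}
	return nil
}

// parseHeader validates the fixed header; returns top-level TLVs and SSL sub-TLVs separately.
func parseHeader(h []byte) (top, ssl map[byte][]byte, err error) {
	if len(h) < 16 || !bytes.Equal(h[:12], sig) || h[12] != 0x21 {
		return nil, nil, errBad
	}
	addr := map[byte]int{0x11: 12, 0x21: 36}[h[13]] // TCP4 / TCP6 address block size
	total := int(binary.BigEndian.Uint16(h[14:16]))
	top, ssl = map[byte][]byte{}, map[byte][]byte{}
	if addr == 0 || total < addr || len(h) < 16+total || parseTLVs(h[16+addr:16+total], top) != nil {
		return nil, nil, errBad
	}
	// The SSL value is client flags(1), verify(4), then nested sub-TLVs.
	if v, ok := top[typeSSL]; ok && (len(v) < 5 || parseTLVs(v[5:], ssl) != nil) {
		return nil, nil, errBad
	}
	return top, ssl, nil
}

func main() {
	top, ssl, err := parseHeader(sample)
	fmt.Printf("sni=%s alpn=%s cn=%s err=%v\n", top[typeAuthority], top[typeALPN], ssl[subCN], err)
}
```

The header itself is unauthenticated, so a backend should accept it only on connections that come from the proxy.
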
csstaub force-pushed the cs/proxy-protocol branch from bc439e8 to e3c81b2, April 19, 2026 06:08
csstaub merged commit 4d466aa into master, Apr 19, 2026
19 of 21 checks passed
csstaub deleted the cs/proxy-protocol branch, April 19, 2026 18:28