2016-03-19 15:14:35 +00:00
|
|
|
#include "first.h"
|
|
|
|
|
|
2009-10-11 14:31:42 +00:00
|
|
|
#include "base.h"
|
|
|
|
|
#include "log.h"
|
|
|
|
|
#include "buffer.h"
|
|
|
|
|
|
|
|
|
|
#include "plugin.h"
|
|
|
|
|
|
|
|
|
|
#include "configfile.h"
|
|
|
|
|
|
2007-02-19 21:05:59 +00:00
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
2010-08-06 21:57:15 +00:00
|
|
|
#include <errno.h>
|
2007-02-19 21:05:59 +00:00
|
|
|
|
2017-03-28 06:08:55 +00:00
|
|
|
#include "sys-socket.h"
|
|
|
|
|
#ifndef _WIN32
|
|
|
|
|
#include <netdb.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
2007-02-19 21:05:59 +00:00
|
|
|
/**
|
|
|
|
|
* mod_extforward.c for lighttpd, by comman.kang <at> gmail <dot> com
|
|
|
|
|
* extended, modified by Lionel Elie Mamane (LEM), lionel <at> mamane <dot> lu
|
2008-01-21 08:21:20 +00:00
|
|
|
* support chained proxies by glen@delfi.ee, #1528
|
2007-02-19 21:05:59 +00:00
|
|
|
*
|
|
|
|
|
* Config example:
|
|
|
|
|
*
|
|
|
|
|
* Trust proxy 10.0.0.232 and 10.0.0.232
|
|
|
|
|
* extforward.forwarder = ( "10.0.0.232" => "trust",
|
|
|
|
|
* "10.0.0.233" => "trust" )
|
|
|
|
|
*
|
|
|
|
|
* Trust all proxies (NOT RECOMMENDED!)
|
|
|
|
|
* extforward.forwarder = ( "all" => "trust")
|
|
|
|
|
*
|
|
|
|
|
* Note that "all" has precedence over specific entries,
|
|
|
|
|
* so "all except" setups will not work.
|
|
|
|
|
*
|
2008-01-21 08:21:20 +00:00
|
|
|
* In case you have chained proxies, you can add all their IP's to the
|
|
|
|
|
* config. However "all" has effect only on connecting IP, as the
|
|
|
|
|
* X-Forwarded-For header can not be trusted.
|
|
|
|
|
*
|
2007-02-19 21:05:59 +00:00
|
|
|
* Note: The effect of this module is variable on $HTTP["remotip"] directives and
|
|
|
|
|
* other module's remote ip dependent actions.
|
|
|
|
|
* Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
|
|
|
|
|
* Things done in between these two moments will match on the real client's IP.
|
|
|
|
|
* The moment things are done by a module depends on in which hook it does things and within the same hook
|
|
|
|
|
* on whether they are before/after us in the module loading order
|
|
|
|
|
* (order in the server.modules directive in the config file).
|
|
|
|
|
*
|
|
|
|
|
* Tested behaviours:
|
|
|
|
|
*
|
|
|
|
|
* mod_access: Will match on the real client.
|
|
|
|
|
*
|
|
|
|
|
* mod_accesslog:
|
|
|
|
|
* In order to see the "real" ip address in access log ,
|
|
|
|
|
* you'll have to load mod_extforward after mod_accesslog.
|
|
|
|
|
* like this:
|
|
|
|
|
*
|
|
|
|
|
* server.modules = (
|
|
|
|
|
* .....
|
|
|
|
|
* mod_accesslog,
|
|
|
|
|
* mod_extforward
|
|
|
|
|
* )
|
|
|
|
|
*
|
|
|
|
|
* Known issues:
|
|
|
|
|
* seems causing segfault with mod_ssl and $HTTP{"socket"} directives
|
|
|
|
|
* LEM 2006.05.26: Fixed segfault $SERVER["socket"] directive. Untested with SSL.
|
|
|
|
|
*
|
|
|
|
|
* ChangeLog:
|
|
|
|
|
* 2005.12.19 Initial Version
|
|
|
|
|
* 2005.12.19 fixed conflict with conditional directives
|
|
|
|
|
* 2006.05.26 LEM: IPv6 support
|
|
|
|
|
* 2006.05.26 LEM: Fix a segfault with $SERVER["socket"] directive.
|
|
|
|
|
* 2006.05.26 LEM: Run at uri_raw time, as we don't need to see the URI
|
|
|
|
|
* In this manner, we run before mod_access and $HTTP["remoteip"] directives work!
|
|
|
|
|
* 2006.05.26 LEM: Clean config_cond cache of tests whose result we probably change.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* plugin config for all request/connections */
|
|
|
|
|
|
|
|
|
|
typedef struct {
|
|
|
|
|
array *forwarder;
|
2009-04-26 19:43:22 +00:00
|
|
|
array *headers;
|
2007-02-19 21:05:59 +00:00
|
|
|
} plugin_config;
|
|
|
|
|
|
|
|
|
|
typedef struct {
|
|
|
|
|
PLUGIN_DATA;
|
|
|
|
|
|
|
|
|
|
plugin_config **config_storage;
|
|
|
|
|
|
|
|
|
|
plugin_config conf;
|
|
|
|
|
} plugin_data;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* context , used for restore remote ip */
|
|
|
|
|
|
|
|
|
|
typedef struct {
|
|
|
|
|
sock_addr saved_remote_addr;
|
|
|
|
|
buffer *saved_remote_addr_buf;
|
|
|
|
|
} handler_ctx;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static handler_ctx * handler_ctx_init(sock_addr oldaddr, buffer *oldaddr_buf) {
|
|
|
|
|
handler_ctx * hctx;
|
|
|
|
|
hctx = calloc(1, sizeof(*hctx));
|
|
|
|
|
hctx->saved_remote_addr = oldaddr;
|
|
|
|
|
hctx->saved_remote_addr_buf = oldaddr_buf;
|
|
|
|
|
return hctx;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void handler_ctx_free(handler_ctx *hctx) {
|
|
|
|
|
free(hctx);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* init the plugin data */
|
|
|
|
|
INIT_FUNC(mod_extforward_init) {
|
|
|
|
|
plugin_data *p;
|
|
|
|
|
p = calloc(1, sizeof(*p));
|
|
|
|
|
return p;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* destroy the plugin data */
|
|
|
|
|
FREE_FUNC(mod_extforward_free) {
|
|
|
|
|
plugin_data *p = p_d;
|
|
|
|
|
|
|
|
|
|
UNUSED(srv);
|
|
|
|
|
|
|
|
|
|
if (!p) return HANDLER_GO_ON;
|
|
|
|
|
|
|
|
|
|
if (p->config_storage) {
|
|
|
|
|
size_t i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < srv->config_context->used; i++) {
|
|
|
|
|
plugin_config *s = p->config_storage[i];
|
|
|
|
|
|
2015-05-14 09:38:33 +00:00
|
|
|
if (NULL == s) continue;
|
2007-02-19 21:05:59 +00:00
|
|
|
|
|
|
|
|
array_free(s->forwarder);
|
2009-04-26 19:43:22 +00:00
|
|
|
array_free(s->headers);
|
2007-02-19 21:05:59 +00:00
|
|
|
|
|
|
|
|
free(s);
|
|
|
|
|
}
|
|
|
|
|
free(p->config_storage);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
free(p);
|
|
|
|
|
|
|
|
|
|
return HANDLER_GO_ON;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handle plugin config and check values */
|
|
|
|
|
|
|
|
|
|
SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
|
|
|
|
|
plugin_data *p = p_d;
|
|
|
|
|
size_t i = 0;
|
|
|
|
|
|
|
|
|
|
config_values_t cv[] = {
|
2009-04-26 19:43:22 +00:00
|
|
|
{ "extforward.forwarder", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
|
|
|
|
|
{ "extforward.headers", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
|
2007-02-19 21:05:59 +00:00
|
|
|
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
if (!p) return HANDLER_ERROR;
|
|
|
|
|
|
2013-11-13 11:43:26 +00:00
|
|
|
p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
|
2007-02-19 21:05:59 +00:00
|
|
|
|
|
|
|
|
for (i = 0; i < srv->config_context->used; i++) {
|
2015-11-07 12:51:11 +00:00
|
|
|
data_config const* config = (data_config const*)srv->config_context->data[i];
|
2007-02-19 21:05:59 +00:00
|
|
|
plugin_config *s;
|
|
|
|
|
|
|
|
|
|
s = calloc(1, sizeof(plugin_config));
|
|
|
|
|
s->forwarder = array_init();
|
2009-04-26 19:43:22 +00:00
|
|
|
s->headers = array_init();
|
2007-02-19 21:05:59 +00:00
|
|
|
|
|
|
|
|
cv[0].destination = s->forwarder;
|
2009-04-26 19:43:22 +00:00
|
|
|
cv[1].destination = s->headers;
|
2007-02-19 21:05:59 +00:00
|
|
|
|
|
|
|
|
p->config_storage[i] = s;
|
|
|
|
|
|
2015-11-07 12:51:11 +00:00
|
|
|
if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
|
2007-02-19 21:05:59 +00:00
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
2017-03-05 20:39:45 +00:00
|
|
|
|
|
|
|
|
if (!array_is_kvstring(s->forwarder)) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s",
|
|
|
|
|
"unexpected value for extforward.forwarder; expected list of \"IPaddr\" => \"trust\"");
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!array_is_vlist(s->headers)) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s",
|
|
|
|
|
"unexpected value for extforward.headers; expected list of \"headername\"");
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
2007-02-19 21:05:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return HANDLER_GO_ON;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#define PATCH(x) \
|
|
|
|
|
p->conf.x = s->x;
|
|
|
|
|
static int mod_extforward_patch_connection(server *srv, connection *con, plugin_data *p) {
|
|
|
|
|
size_t i, j;
|
|
|
|
|
plugin_config *s = p->config_storage[0];
|
|
|
|
|
|
|
|
|
|
PATCH(forwarder);
|
2009-04-26 19:43:22 +00:00
|
|
|
PATCH(headers);
|
2007-02-19 21:05:59 +00:00
|
|
|
|
|
|
|
|
/* skip the first, the global context */
|
|
|
|
|
for (i = 1; i < srv->config_context->used; i++) {
|
|
|
|
|
data_config *dc = (data_config *)srv->config_context->data[i];
|
|
|
|
|
s = p->config_storage[i];
|
|
|
|
|
|
|
|
|
|
/* condition didn't match */
|
|
|
|
|
if (!config_check_cond(srv, con, dc)) continue;
|
|
|
|
|
|
|
|
|
|
/* merge config */
|
|
|
|
|
for (j = 0; j < dc->value->used; j++) {
|
|
|
|
|
data_unset *du = dc->value->data[j];
|
|
|
|
|
|
|
|
|
|
if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.forwarder"))) {
|
|
|
|
|
PATCH(forwarder);
|
2009-04-26 19:43:22 +00:00
|
|
|
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.headers"))) {
|
|
|
|
|
PATCH(headers);
|
2007-02-19 21:05:59 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
#undef PATCH
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void put_string_into_array_len(array *ary, const char *str, int len)
|
|
|
|
|
{
|
|
|
|
|
data_string *tempdata;
|
|
|
|
|
if (len == 0)
|
|
|
|
|
return;
|
|
|
|
|
tempdata = data_string_init();
|
|
|
|
|
buffer_copy_string_len(tempdata->value,str,len);
|
|
|
|
|
array_insert_unique(ary,(data_unset *)tempdata);
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
extract a forward array from the environment
|
|
|
|
|
*/
|
|
|
|
|
static array *extract_forward_array(buffer *pbuffer)
|
|
|
|
|
{
|
|
|
|
|
array *result = array_init();
|
2015-02-08 19:10:44 +00:00
|
|
|
if (!buffer_string_is_empty(pbuffer)) {
|
2007-02-19 21:05:59 +00:00
|
|
|
char *base, *curr;
|
|
|
|
|
/* state variable, 0 means not in string, 1 means in string */
|
|
|
|
|
int in_str = 0;
|
2008-01-21 08:21:20 +00:00
|
|
|
for (base = pbuffer->ptr, curr = pbuffer->ptr; *curr; curr++) {
|
2007-02-19 21:05:59 +00:00
|
|
|
if (in_str) {
|
2012-05-18 13:28:00 +00:00
|
|
|
if ((*curr > '9' || *curr < '0') && *curr != '.' && *curr != ':' && (*curr < 'a' || *curr > 'f') && (*curr < 'A' || *curr > 'F')) {
|
2007-02-19 21:05:59 +00:00
|
|
|
/* found an separator , insert value into result array */
|
2008-01-21 08:21:20 +00:00
|
|
|
put_string_into_array_len(result, base, curr - base);
|
2007-02-19 21:05:59 +00:00
|
|
|
/* change state to not in string */
|
|
|
|
|
in_str = 0;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2012-05-18 13:28:00 +00:00
|
|
|
if ((*curr >= '0' && *curr <= '9') || *curr == ':' || (*curr >= 'a' && *curr <= 'f') || (*curr >= 'A' && *curr <= 'F')) {
|
2007-02-19 21:05:59 +00:00
|
|
|
/* found leading char of an IP address, move base pointer and change state */
|
|
|
|
|
base = curr;
|
|
|
|
|
in_str = 1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
/* if breaking out while in str, we got to the end of string, so add it */
|
2008-01-21 08:21:20 +00:00
|
|
|
if (in_str) {
|
|
|
|
|
put_string_into_array_len(result, base, curr - base);
|
2007-02-19 21:05:59 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#define IP_TRUSTED 1
|
|
|
|
|
#define IP_UNTRUSTED 0
|
|
|
|
|
/*
|
2008-01-21 08:21:20 +00:00
|
|
|
* check whether ip is trusted, return 1 for trusted , 0 for untrusted
|
|
|
|
|
*/
|
2007-02-19 21:05:59 +00:00
|
|
|
static int is_proxy_trusted(const char *ipstr, plugin_data *p)
|
|
|
|
|
{
|
2008-01-21 08:21:20 +00:00
|
|
|
data_string* allds = (data_string *)array_get_element(p->conf.forwarder, "all");
|
|
|
|
|
|
2007-02-19 21:05:59 +00:00
|
|
|
if (allds) {
|
2008-01-21 08:21:20 +00:00
|
|
|
if (strcasecmp(allds->value->ptr, "trust") == 0) {
|
2007-02-19 21:05:59 +00:00
|
|
|
return IP_TRUSTED;
|
2008-01-21 08:21:20 +00:00
|
|
|
} else {
|
2007-02-19 21:05:59 +00:00
|
|
|
return IP_UNTRUSTED;
|
2008-01-21 08:21:20 +00:00
|
|
|
}
|
2007-02-19 21:05:59 +00:00
|
|
|
}
|
2008-01-21 08:21:20 +00:00
|
|
|
|
|
|
|
|
return (data_string *)array_get_element(p->conf.forwarder, ipstr) ? IP_TRUSTED : IP_UNTRUSTED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Return char *ip of last address of proxy that is not trusted.
|
|
|
|
|
* Do not accept "all" keyword here.
|
|
|
|
|
*/
|
|
|
|
|
static const char *last_not_in_array(array *a, plugin_data *p)
|
|
|
|
|
{
|
|
|
|
|
array *forwarder = p->conf.forwarder;
|
2008-03-13 15:34:28 +00:00
|
|
|
int i;
|
2008-01-21 08:21:20 +00:00
|
|
|
|
2008-03-13 15:34:28 +00:00
|
|
|
for (i = a->used - 1; i >= 0; i--) {
|
2008-01-21 08:21:20 +00:00
|
|
|
data_string *ds = (data_string *)a->data[i];
|
|
|
|
|
const char *ip = ds->value->ptr;
|
|
|
|
|
|
|
|
|
|
if (!array_get_element(forwarder, ip)) {
|
|
|
|
|
return ip;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return NULL;
|
2007-02-19 21:05:59 +00:00
|
|
|
}
|
|
|
|
|
|
2013-05-15 10:31:09 +00:00
|
|
|
#ifdef HAVE_IPV6
|
|
|
|
|
static void ipstr_to_sockaddr(server *srv, const char *host, sock_addr *sock) {
|
|
|
|
|
struct addrinfo hints, *addrlist = NULL;
|
2009-04-26 19:43:22 +00:00
|
|
|
int result;
|
2007-04-10 08:47:30 +00:00
|
|
|
|
2009-04-26 19:43:22 +00:00
|
|
|
memset(&hints, 0, sizeof(hints));
|
2013-05-15 10:31:09 +00:00
|
|
|
sock->plain.sa_family = AF_UNSPEC;
|
|
|
|
|
|
2007-04-10 08:47:30 +00:00
|
|
|
#ifndef AI_NUMERICSERV
|
2009-04-26 19:43:22 +00:00
|
|
|
/**
|
|
|
|
|
* quoting $ man getaddrinfo
|
|
|
|
|
*
|
|
|
|
|
* NOTES
|
|
|
|
|
* AI_ADDRCONFIG, AI_ALL, and AI_V4MAPPED are available since glibc 2.3.3.
|
|
|
|
|
* AI_NUMERICSERV is available since glibc 2.3.4.
|
|
|
|
|
*/
|
2007-04-10 08:47:30 +00:00
|
|
|
#define AI_NUMERICSERV 0
|
|
|
|
|
#endif
|
2009-04-26 19:43:22 +00:00
|
|
|
hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
|
|
|
|
|
|
2010-08-06 21:57:15 +00:00
|
|
|
errno = 0;
|
2013-05-15 10:31:09 +00:00
|
|
|
result = getaddrinfo(host, NULL, &hints, &addrlist);
|
2009-04-26 19:43:22 +00:00
|
|
|
|
|
|
|
|
if (result != 0) {
|
2010-08-06 21:57:15 +00:00
|
|
|
log_error_write(srv, __FILE__, __LINE__, "SSSs(S)",
|
2013-05-15 10:31:09 +00:00
|
|
|
"could not parse ip address ", host, " because ", gai_strerror(result), strerror(errno));
|
|
|
|
|
} else if (addrlist == NULL) {
|
2010-08-06 21:57:15 +00:00
|
|
|
log_error_write(srv, __FILE__, __LINE__, "SSS",
|
2013-05-15 10:31:09 +00:00
|
|
|
"Problem in parsing ip address ", host, ": succeeded, but no information returned");
|
|
|
|
|
} else switch (addrlist->ai_family) {
|
|
|
|
|
case AF_INET:
|
|
|
|
|
memcpy(&sock->ipv4, addrlist->ai_addr, sizeof(sock->ipv4));
|
2014-02-16 13:08:20 +00:00
|
|
|
force_assert(AF_INET == sock->plain.sa_family);
|
2013-05-15 10:31:09 +00:00
|
|
|
break;
|
|
|
|
|
case AF_INET6:
|
|
|
|
|
memcpy(&sock->ipv6, addrlist->ai_addr, sizeof(sock->ipv6));
|
2014-02-16 13:08:20 +00:00
|
|
|
force_assert(AF_INET6 == sock->plain.sa_family);
|
2013-05-15 10:31:09 +00:00
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "SSS",
|
|
|
|
|
"Problem in parsing ip address ", host, ": succeeded, but unknown family");
|
2009-04-26 19:43:22 +00:00
|
|
|
}
|
|
|
|
|
|
2013-05-15 10:31:09 +00:00
|
|
|
freeaddrinfo(addrlist);
|
2007-02-19 21:05:59 +00:00
|
|
|
}
|
2013-05-15 10:31:09 +00:00
|
|
|
#endif
|
2007-02-19 21:05:59 +00:00
|
|
|
|
2007-08-18 09:43:35 +00:00
|
|
|
static void clean_cond_cache(server *srv, connection *con) {
|
2008-03-02 12:59:18 +00:00
|
|
|
config_cond_cache_reset_item(srv, con, COMP_HTTP_REMOTE_IP);
|
2016-04-13 04:17:46 +00:00
|
|
|
config_cond_cache_reset_item(srv, con, COMP_HTTP_SCHEME);
|
2007-02-19 21:05:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
URIHANDLER_FUNC(mod_extforward_uri_handler) {
|
|
|
|
|
plugin_data *p = p_d;
|
|
|
|
|
data_string *forwarded = NULL;
|
2007-04-10 08:47:30 +00:00
|
|
|
array *forward_array = NULL;
|
2008-01-21 08:21:20 +00:00
|
|
|
const char *real_remote_addr = NULL;
|
2007-04-10 08:47:30 +00:00
|
|
|
|
2007-02-19 21:05:59 +00:00
|
|
|
mod_extforward_patch_connection(srv, con, p);
|
|
|
|
|
|
2007-04-10 08:47:30 +00:00
|
|
|
if (con->conf.log_request_handling) {
|
2009-04-26 19:43:22 +00:00
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s",
|
|
|
|
|
"-- mod_extforward_uri_handler called");
|
2007-04-10 08:47:30 +00:00
|
|
|
}
|
|
|
|
|
|
2009-04-26 19:43:22 +00:00
|
|
|
if (p->conf.headers->used) {
|
|
|
|
|
data_string *ds;
|
|
|
|
|
size_t k;
|
|
|
|
|
|
|
|
|
|
for(k = 0; k < p->conf.headers->used; k++) {
|
|
|
|
|
ds = (data_string *) p->conf.headers->data[k];
|
|
|
|
|
if (NULL != (forwarded = (data_string*) array_get_element(con->request.headers, ds->value->ptr))) break;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
forwarded = (data_string *) array_get_element(con->request.headers,"X-Forwarded-For");
|
|
|
|
|
if (NULL == forwarded) forwarded = (data_string *) array_get_element(con->request.headers, "Forwarded-For");
|
|
|
|
|
}
|
2007-04-10 08:47:30 +00:00
|
|
|
|
2009-04-26 19:43:22 +00:00
|
|
|
if (NULL == forwarded) {
|
2007-04-10 08:47:30 +00:00
|
|
|
if (con->conf.log_request_handling) {
|
2009-04-26 19:43:22 +00:00
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s", "no forward header found, skipping");
|
2007-04-10 08:47:30 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return HANDLER_GO_ON;
|
|
|
|
|
}
|
2007-02-19 21:05:59 +00:00
|
|
|
|
2008-01-21 08:21:20 +00:00
|
|
|
/* if the remote ip itself is not trusted, then do nothing */
|
2017-03-24 01:52:39 +00:00
|
|
|
if (IP_UNTRUSTED == is_proxy_trusted(con->dst_addr_buf->ptr, p)) {
|
2007-04-10 08:47:30 +00:00
|
|
|
if (con->conf.log_request_handling) {
|
2017-03-24 01:52:39 +00:00
|
|
|
log_error_write(srv, __FILE__, __LINE__, "sbs",
|
|
|
|
|
"remote address", con->dst_addr_buf, "is NOT a trusted proxy, skipping");
|
2007-04-10 08:47:30 +00:00
|
|
|
}
|
|
|
|
|
|
2007-02-19 21:05:59 +00:00
|
|
|
return HANDLER_GO_ON;
|
2007-04-10 08:47:30 +00:00
|
|
|
}
|
|
|
|
|
|
2008-01-21 08:21:20 +00:00
|
|
|
/* build forward_array from forwarded data_string */
|
2007-04-10 08:47:30 +00:00
|
|
|
forward_array = extract_forward_array(forwarded->value);
|
2008-01-21 08:21:20 +00:00
|
|
|
real_remote_addr = last_not_in_array(forward_array, p);
|
2007-04-10 08:47:30 +00:00
|
|
|
|
|
|
|
|
if (real_remote_addr != NULL) { /* parsed */
|
|
|
|
|
sock_addr sock;
|
2008-01-21 08:21:20 +00:00
|
|
|
data_string *forwarded_proto = (data_string *)array_get_element(con->request.headers, "X-Forwarded-Proto");
|
2016-11-24 14:23:13 +00:00
|
|
|
sock.plain.sa_family = AF_UNSPEC;
|
2008-01-18 09:07:54 +00:00
|
|
|
|
2013-07-31 20:23:21 +00:00
|
|
|
if (NULL != forwarded_proto) {
|
|
|
|
|
if (buffer_is_equal_caseless_string(forwarded_proto->value, CONST_STR_LEN("https"))) {
|
|
|
|
|
buffer_copy_string_len(con->uri.scheme, CONST_STR_LEN("https"));
|
|
|
|
|
} else if (buffer_is_equal_caseless_string(forwarded_proto->value, CONST_STR_LEN("http"))) {
|
|
|
|
|
buffer_copy_string_len(con->uri.scheme, CONST_STR_LEN("http"));
|
|
|
|
|
}
|
2008-01-21 08:21:20 +00:00
|
|
|
}
|
2007-04-10 08:47:30 +00:00
|
|
|
|
|
|
|
|
if (con->conf.log_request_handling) {
|
2013-07-31 20:23:21 +00:00
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss", "using address:", real_remote_addr);
|
2007-04-10 08:47:30 +00:00
|
|
|
}
|
2007-02-19 21:05:59 +00:00
|
|
|
#ifdef HAVE_IPV6
|
2013-05-15 10:31:09 +00:00
|
|
|
ipstr_to_sockaddr(srv, real_remote_addr, &sock);
|
2007-02-19 21:05:59 +00:00
|
|
|
#else
|
2007-04-10 08:47:30 +00:00
|
|
|
sock.ipv4.sin_addr.s_addr = inet_addr(real_remote_addr);
|
2007-04-10 09:26:20 +00:00
|
|
|
sock.plain.sa_family = (sock.ipv4.sin_addr.s_addr == 0xFFFFFFFF) ? AF_UNSPEC : AF_INET;
|
2007-02-19 21:05:59 +00:00
|
|
|
#endif
|
2007-04-10 08:47:30 +00:00
|
|
|
if (sock.plain.sa_family != AF_UNSPEC) {
|
|
|
|
|
/* we found the remote address, modify current connection and save the old address */
|
|
|
|
|
if (con->plugin_ctx[p->id]) {
|
2015-07-05 16:48:27 +00:00
|
|
|
if (con->conf.log_request_handling) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s",
|
|
|
|
|
"-- mod_extforward_uri_handler already patched this connection, resetting state");
|
|
|
|
|
}
|
2007-04-10 08:47:30 +00:00
|
|
|
handler_ctx_free(con->plugin_ctx[p->id]);
|
|
|
|
|
con->plugin_ctx[p->id] = NULL;
|
|
|
|
|
}
|
|
|
|
|
/* save old address */
|
|
|
|
|
con->plugin_ctx[p->id] = handler_ctx_init(con->dst_addr, con->dst_addr_buf);
|
|
|
|
|
/* patch connection address */
|
|
|
|
|
con->dst_addr = sock;
|
|
|
|
|
con->dst_addr_buf = buffer_init();
|
|
|
|
|
buffer_copy_string(con->dst_addr_buf, real_remote_addr);
|
2015-07-05 16:48:27 +00:00
|
|
|
|
2007-04-10 08:47:30 +00:00
|
|
|
if (con->conf.log_request_handling) {
|
2009-04-26 19:43:22 +00:00
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss",
|
2007-04-10 08:47:30 +00:00
|
|
|
"patching con->dst_addr_buf for the accesslog:", real_remote_addr);
|
2007-02-19 21:05:59 +00:00
|
|
|
}
|
2007-04-10 08:47:30 +00:00
|
|
|
/* Now, clean the conf_cond cache, because we may have changed the results of tests */
|
|
|
|
|
clean_cond_cache(srv, con);
|
|
|
|
|
}
|
2007-02-19 21:05:59 +00:00
|
|
|
}
|
2008-01-21 08:21:20 +00:00
|
|
|
array_free(forward_array);
|
2007-02-19 21:05:59 +00:00
|
|
|
|
|
|
|
|
/* not found */
|
|
|
|
|
return HANDLER_GO_ON;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CONNECTION_FUNC(mod_extforward_restore) {
|
|
|
|
|
plugin_data *p = p_d;
|
2007-08-18 09:27:11 +00:00
|
|
|
handler_ctx *hctx = con->plugin_ctx[p->id];
|
|
|
|
|
|
|
|
|
|
if (!hctx) return HANDLER_GO_ON;
|
|
|
|
|
|
|
|
|
|
con->dst_addr = hctx->saved_remote_addr;
|
|
|
|
|
buffer_free(con->dst_addr_buf);
|
|
|
|
|
|
|
|
|
|
con->dst_addr_buf = hctx->saved_remote_addr_buf;
|
|
|
|
|
|
|
|
|
|
handler_ctx_free(hctx);
|
|
|
|
|
|
|
|
|
|
con->plugin_ctx[p->id] = NULL;
|
|
|
|
|
|
|
|
|
|
/* Now, clean the conf_cond cache, because we may have changed the results of tests */
|
|
|
|
|
clean_cond_cache(srv, con);
|
2007-02-19 21:05:59 +00:00
|
|
|
|
|
|
|
|
return HANDLER_GO_ON;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* this function is called at dlopen() time and inits the callbacks */
|
|
|
|
|
|
2009-03-07 21:05:37 +00:00
|
|
|
int mod_extforward_plugin_init(plugin *p);
|
2007-02-19 21:05:59 +00:00
|
|
|
int mod_extforward_plugin_init(plugin *p) {
|
|
|
|
|
p->version = LIGHTTPD_VERSION_ID;
|
|
|
|
|
p->name = buffer_init_string("extforward");
|
|
|
|
|
|
|
|
|
|
p->init = mod_extforward_init;
|
|
|
|
|
p->handle_uri_raw = mod_extforward_uri_handler;
|
|
|
|
|
p->handle_request_done = mod_extforward_restore;
|
|
|
|
|
p->connection_reset = mod_extforward_restore;
|
|
|
|
|
p->set_defaults = mod_extforward_set_defaults;
|
|
|
|
|
p->cleanup = mod_extforward_free;
|
|
|
|
|
|
|
|
|
|
p->data = NULL;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
