[mod_extforward] save proto per connection

Even though request headers are per-request, update the proto on the connection level for trusted (proxy) clients. Note: the proxy must use each connection only for a single connection from a single client (typically true in practice), and not for multiple clients. proto was previously saved on connection level for mod_extforward with HAProxy PROXY protocol, but did not occur with X-Forwarded-Proto or the Forwarded request header with proto=... Before this change, modules which returned HANDLER_COMEBACK could lose HTTPS=on if the resulting request was for a backend such as mod_fastcgi. This was reported in mod_rewrite, but could also affect mod_magnet if MAGNET_RESTART_REQUEST, or mod_cgi with cgi.local-redir = "enable" x-ref: "FastCGI behavior different when using rewrite?" https://redmine.lighttpd.net/boards/2/topics/9293
2020-08-12 19:12:20 -04:00 · 2020-08-12 19:12:20 -04:00 · 0c7d250034
parent b600b75f20
commit 0c7d250034
1 changed files with 3 additions and 3 deletions
--- a/src/mod_extforward.c
+++ b/src/mod_extforward.c
@ -606,9 +606,11 @@ static void mod_extforward_set_proto(request_st * const r, const char * const pr
 			http_header_env_set(r, CONST_STR_LEN("_L_EXTFORWARD_ACTUAL_PROTO"), CONST_BUF_LEN(&r->uri.scheme));
 		}
 		if (buffer_eq_icase_ss(proto, protolen, CONST_STR_LEN("https"))) {
+	                r->con->proto_default_port = 443; /* "https" */
 			buffer_copy_string_len(&r->uri.scheme, CONST_STR_LEN("https"));
 			config_cond_cache_reset_item(r, COMP_HTTP_SCHEME);
 		} else if (buffer_eq_icase_ss(proto, protolen, CONST_STR_LEN("http"))) {
+	                r->con->proto_default_port = 80; /* "http" */
 			buffer_copy_string_len(&r->uri.scheme, CONST_STR_LEN("http"));
 			config_cond_cache_reset_item(r, COMP_HTTP_SCHEME);
 		}
@ -942,11 +944,9 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
                buffer_copy_string_len(r->http_host, s+v, vlen-v);
            }

-            int scheme_port =
-              buffer_eq_slen(&r->uri.scheme,CONST_STR_LEN("https")) ? 443 : 80;
            if (0 != http_request_host_policy(r->http_host,
                                              r->conf.http_parseopts,
-                                              scheme_port)) {
+                                              r->con->proto_default_port)) {
                /*(reject invalid chars in Host)*/
                log_error(r->conf.errh, __FILE__, __LINE__,
                  "invalid host= value in Forwarded header");