|
|
|
@ -522,7 +522,7 @@ static int is_proxy_trusted(plugin_data *p, const char * const ip, size_t iplen)
|
|
|
|
|
static int is_connection_trusted(connection * const con, plugin_data *p)
|
|
|
|
|
{
|
|
|
|
|
if (p->conf.forward_all) return (1 == p->conf.forward_all);
|
|
|
|
|
return is_proxy_trusted(p, BUF_PTR_LEN(con->dst_addr_buf));
|
|
|
|
|
return is_proxy_trusted(p, BUF_PTR_LEN(&con->dst_addr_buf));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
@ -573,21 +573,22 @@ static int mod_extforward_set_addr(request_st * const r, plugin_data *p, const c
|
|
|
|
|
"-- mod_extforward_uri_handler already patched this connection, resetting state");
|
|
|
|
|
}
|
|
|
|
|
con->dst_addr = hctx->saved_remote_addr;
|
|
|
|
|
buffer_move(con->dst_addr_buf, &hctx->saved_remote_addr_buf);
|
|
|
|
|
buffer_move(&con->dst_addr_buf, &hctx->saved_remote_addr_buf);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
con->plugin_ctx[p->id] = hctx = handler_ctx_init();
|
|
|
|
|
}
|
|
|
|
|
/* save old address */
|
|
|
|
|
if (extforward_check_proxy) {
|
|
|
|
|
http_header_env_set(r, CONST_STR_LEN("_L_EXTFORWARD_ACTUAL_FOR"), BUF_PTR_LEN(con->dst_addr_buf));
|
|
|
|
|
http_header_env_set(r, CONST_STR_LEN("_L_EXTFORWARD_ACTUAL_FOR"),
|
|
|
|
|
BUF_PTR_LEN(&con->dst_addr_buf));
|
|
|
|
|
}
|
|
|
|
|
hctx->request_count = con->request_count;
|
|
|
|
|
hctx->saved_remote_addr = con->dst_addr;
|
|
|
|
|
buffer_move(&hctx->saved_remote_addr_buf, con->dst_addr_buf);
|
|
|
|
|
buffer_move(&hctx->saved_remote_addr_buf, &con->dst_addr_buf);
|
|
|
|
|
/* patch connection address */
|
|
|
|
|
con->dst_addr = sock;
|
|
|
|
|
buffer_copy_string_len(con->dst_addr_buf, addr, addrlen);
|
|
|
|
|
buffer_copy_string_len(&con->dst_addr_buf, addr, addrlen);
|
|
|
|
|
|
|
|
|
|
/* Now, clean the conf_cond cache, because we may have changed the results of tests */
|
|
|
|
|
config_cond_cache_reset_item(r, COMP_HTTP_REMOTE_IP);
|
|
|
|
@ -1109,7 +1110,7 @@ URIHANDLER_FUNC(mod_extforward_uri_handler) {
|
|
|
|
|
log_error(r->conf.errh, __FILE__, __LINE__,
|
|
|
|
|
"no forward header found or "
|
|
|
|
|
"remote address %s is NOT a trusted proxy, skipping",
|
|
|
|
|
r->con->dst_addr_buf->ptr);
|
|
|
|
|
r->con->dst_addr_buf.ptr);
|
|
|
|
|
}
|
|
|
|
|
return HANDLER_GO_ON;
|
|
|
|
|
}
|
|
|
|
@ -1145,7 +1146,7 @@ REQUEST_FUNC(mod_extforward_restore) {
|
|
|
|
|
|
|
|
|
|
if (!buffer_is_unset(&hctx->saved_remote_addr_buf)) {
|
|
|
|
|
con->dst_addr = hctx->saved_remote_addr;
|
|
|
|
|
buffer_move(con->dst_addr_buf, &hctx->saved_remote_addr_buf);
|
|
|
|
|
buffer_move(&con->dst_addr_buf, &hctx->saved_remote_addr_buf);
|
|
|
|
|
/* Now, clean the conf_cond cache, because we may have changed the results of tests */
|
|
|
|
|
config_cond_cache_reset_item(r, COMP_HTTP_REMOTE_IP);
|
|
|
|
|
}
|
|
|
|
@ -1169,7 +1170,7 @@ CONNECTION_FUNC(mod_extforward_handle_con_close)
|
|
|
|
|
}
|
|
|
|
|
if (!buffer_is_unset(&hctx->saved_remote_addr_buf)) {
|
|
|
|
|
con->dst_addr = hctx->saved_remote_addr;
|
|
|
|
|
buffer_move(con->dst_addr_buf, &hctx->saved_remote_addr_buf);
|
|
|
|
|
buffer_move(&con->dst_addr_buf, &hctx->saved_remote_addr_buf);
|
|
|
|
|
}
|
|
|
|
|
if (NULL != hctx->env) {
|
|
|
|
|
array_free(hctx->env);
|
|
|
|
@ -1201,7 +1202,7 @@ CONNECTION_FUNC(mod_extforward_handle_con_accept)
|
|
|
|
|
if (r->conf.log_request_handling) {
|
|
|
|
|
log_error(r->conf.errh, __FILE__, __LINE__,
|
|
|
|
|
"remote address %s is NOT a trusted proxy, skipping",
|
|
|
|
|
con->dst_addr_buf->ptr);
|
|
|
|
|
con->dst_addr_buf.ptr);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return HANDLER_GO_ON;
|
|
|
|
@ -1485,7 +1486,7 @@ static int mod_extforward_hap_PROXY_v1 (connection * const con,
|
|
|
|
|
/* re-parse addr to string to normalize
|
|
|
|
|
* (instead of trusting PROXY to provide canonicalized src_addr string)
|
|
|
|
|
* (should prefer PROXY v2 protocol if concerned about performance) */
|
|
|
|
|
sock_addr_inet_ntop_copy_buffer(con->dst_addr_buf, &con->dst_addr);
|
|
|
|
|
sock_addr_inet_ntop_copy_buffer(&con->dst_addr_buf, &con->dst_addr);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
@ -1545,7 +1546,7 @@ static int mod_extforward_hap_PROXY_v2 (connection * const con,
|
|
|
|
|
case 0x11: /* TCPv4 */
|
|
|
|
|
sock_addr_assign(&con->dst_addr, AF_INET, hdr->v2.addr.ip4.src_port,
|
|
|
|
|
&hdr->v2.addr.ip4.src_addr);
|
|
|
|
|
sock_addr_inet_ntop_copy_buffer(con->dst_addr_buf, &con->dst_addr);
|
|
|
|
|
sock_addr_inet_ntop_copy_buffer(&con->dst_addr_buf, &con->dst_addr);
|
|
|
|
|
#if 0
|
|
|
|
|
((struct sockaddr_in *)&by)->sin_family = AF_INET;
|
|
|
|
|
((struct sockaddr_in *)&by)->sin_addr.s_addr =
|
|
|
|
@ -1559,7 +1560,7 @@ static int mod_extforward_hap_PROXY_v2 (connection * const con,
|
|
|
|
|
case 0x21: /* TCPv6 */
|
|
|
|
|
sock_addr_assign(&con->dst_addr, AF_INET6, hdr->v2.addr.ip6.src_port,
|
|
|
|
|
&hdr->v2.addr.ip6.src_addr);
|
|
|
|
|
sock_addr_inet_ntop_copy_buffer(con->dst_addr_buf, &con->dst_addr);
|
|
|
|
|
sock_addr_inet_ntop_copy_buffer(&con->dst_addr_buf, &con->dst_addr);
|
|
|
|
|
#if 0
|
|
|
|
|
((struct sockaddr_in6 *)&by)->sin6_family = AF_INET6;
|
|
|
|
|
memcpy(&((struct sockaddr_in6 *)&by)->sin6_addr,
|
|
|
|
@ -1578,7 +1579,7 @@ static int mod_extforward_hap_PROXY_v2 (connection * const con,
|
|
|
|
|
if (NULL == z) return -1; /* invalid addr; too long */
|
|
|
|
|
len = (uint32_t)(z - src_addr + 1); /*(+1 for '\0')*/
|
|
|
|
|
sock_addr_assign(&con->dst_addr, AF_UNIX, 0, src_addr);
|
|
|
|
|
buffer_copy_string_len(con->dst_addr_buf, src_addr, len);
|
|
|
|
|
buffer_copy_string_len(&con->dst_addr_buf, src_addr, len);
|
|
|
|
|
}
|
|
|
|
|
#if 0 /*(dst_addr should be identical to src_addr for AF_UNIX)*/
|
|
|
|
|
((struct sockaddr_un *)&by)->sun_family = AF_UNIX;
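Review bot: In the AF_UNIX case `len` is computed as `z - src_addr + 1`, so the new line `buffer_copy_string_len(&con->dst_addr_buf, src_addr, len);` records the terminating NUL as part of the buffer's used length, and every later `BUF_PTR_LEN(&con->dst_addr_buf)` (including the `is_proxy_trusted()` call in the first hunk of this diff) sees a path one byte longer than the configured string. If that lookup compares by length, a Unix-socket source address delivered via PROXY v2 could never match a configured trusted entry — fail-closed rather than a bypass, but presumably not intended; I cannot confirm the lookup's comparison semantics from this page. Unless a later consumer relies on the embedded terminator, copying one byte less while leaving `len` untouched for `sock_addr_assign()` would make this path consistent with the IPv4/IPv6 branches above: `buffer_copy_string_len(&con->dst_addr_buf, src_addr, len - 1);`. This behaviour predates the commit, which only switches `dst_addr_buf` from a pointer to an embedded struct, and the enclosing mod_extforward_hap_PROXY_v2 starts and ends outside this hunk.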
|
|
|
|
|