lighttpd
/
lighttpd1.4
2
0
Fork 0
Code Issues Releases Wiki Activity

- add mod_extforward module from wiki

Browse Source 
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@1665 152afb58-edef-0310-8abb-c4023f1b3aa9
svn/tags/lighttpd-1.4.14
Elan Ruusamäe 16 years ago
parent e61146a740
commit f68fd405f4
5 changed files with 594 additions and 1 deletions
Show Stats Download Patch File Download Diff File

2
configure.in
Unescape View File

@ -538,7 +538,7 @@ AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile tests/Makefile \
AC_OUTPUT
do_build="mod_cgi mod_fastcgi mod_proxy mod_evhost mod_simple_vhost mod_access mod_alias mod_setenv mod_usertrack mod_auth mod_status mod_accesslog mod_rrdtool mod_secdownload mod_expire mod_compress mod_dirlisting mod_indexfiles mod_userdir mod_webdav mod_staticfile mod_scgi mod_flv_streaming"
do_build="mod_cgi mod_fastcgi mod_extforward mod_proxy mod_evhost mod_simple_vhost mod_access mod_alias mod_setenv mod_usertrack mod_auth mod_status mod_accesslog mod_rrdtool mod_secdownload mod_expire mod_compress mod_dirlisting mod_indexfiles mod_userdir mod_webdav mod_staticfile mod_scgi mod_flv_streaming"
plugins="mod_rewrite mod_redirect mod_ssi mod_trigger_b4_dl"
features="regex-conditionals"

2
doc/Makefile.am
Unescape View File

@ -6,6 +6,7 @@ authentication.txt \
cgi.txt \
compress.txt \
configuration.txt \
extforward.txt \
fastcgi-state.txt \
fastcgi.txt \
features.txt \
@ -43,6 +44,7 @@ HTMLDOCS=accesslog.html \
cgi.html \
compress.html \
configuration.html \
extforward.html \
fastcgi-state.html \
fastcgi.html \
features.html \

96
doc/extforward.txt
Unescape View File

@ -0,0 +1,96 @@
==============
mod_extforward
==============
.. contents::
Overview
========
Comman Kang <comman.kang at gmail.com> sent me: ::
Hello jan.
I've made something rough but similar to mod_extract_forwarded for
Apache. This module will extract the client's "real" ip from
X-Forwarded-For header which is added by squid or other proxies. It might be
useful for servers behind reverse proxy servers.
However, this module is causing segfault with mod_ssl or
$HTTP{''socket"} directive, crashing in config_check_cond while patching
connection , I do not understand architecture of the lighttpd well, does it
need to call patch_connection in either handle_request_done and
connection_reset ?
Lionel Elie Mamane <lionel@mamane.lu> improved the patch: ::
I've taken lighttpd-1.4.10-mod_extforward.c from the wiki and I've
extended it. Here is the result.
Major changes:
- IPv6 support
- Fixed at least one segfault with SERVER['socket']
- Arrange things so that a url.access-deny under scope of a
HTTP['remoteip'] condition works well :)
I've commented the code in some places, mostly where I wasn't sure
what was going on, or I didn't see what the original author meant to
do.
Options
=======
extforward.forwarder
Sets trust level of proxy IP's.
Default: empty
Example: ::
extforward.forwarder = ("10.0.0.232" => "trust")
will translate ip addresses coming from 10.0.0.232 to real ip addresses extracted from X-Forwarded-For: HTTP request header.
Note
=======
The effect of this module is variable on $HTTP["remotip"] directives and other module's remote ip dependent actions.
Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
Things done in between these two moments will match on the real client's IP.
The moment things are done by a module depends on in which hook it does things and within the same hook
on whether they are before/after us in the module loading order
(order in the server.modules directive in the config file).
Tested behaviours:
mod_access: Will match on the real client.
mod_accesslog:
In order to see the "real" ip address in access log ,
you'll have to load mod_extforward after mod_accesslog.
like this: ::
server.modules = (
.....
mod_accesslog,
mod_extforward
)
Samples
=======
Trust proxy 10.0.0.232 and 10.0.0.232 ::
extforward.forwarder = (
"10.0.0.232" => "trust",
"10.0.0.233" => "trust",
)
Trust all proxies (NOT RECOMMENDED!) ::
extforward.forwarder = ( "all" => "trust")
Note that "all" has precedence over specific entries, so "all except" setups will not work.

5
src/Makefile.am
Unescape View File

@ -199,6 +199,11 @@ mod_fastcgi_la_SOURCES = mod_fastcgi.c
mod_fastcgi_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined
mod_fastcgi_la_LIBADD = $(common_libadd)
lib_LTLIBRARIES += mod_extforward.la
mod_extforward_la_SOURCES = mod_extforward.c
mod_extforward_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined
mod_extforward_la_LIBADD = $(common_libadd)
lib_LTLIBRARIES += mod_access.la
mod_access_la_SOURCES = mod_access.c
mod_access_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined

490
src/mod_extforward.c
Unescape View File

@ -0,0 +1,490 @@
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <netinet/in.h>
#include "base.h"
#include "log.h"
#include "buffer.h"
#include "plugin.h"
#include "inet_ntop_cache.h"
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
/**
* mod_extforward.c for lighttpd, by comman.kang <at> gmail <dot> com
* extended, modified by Lionel Elie Mamane (LEM), lionel <at> mamane <dot> lu
*
* Config example:
*
* Trust proxy 10.0.0.232 and 10.0.0.232
* extforward.forwarder = ( "10.0.0.232" => "trust",
* "10.0.0.233" => "trust" )
*
* Trust all proxies (NOT RECOMMENDED!)
* extforward.forwarder = ( "all" => "trust")
*
* Note that "all" has precedence over specific entries,
* so "all except" setups will not work.
*
* Note: The effect of this module is variable on $HTTP["remotip"] directives and
* other module's remote ip dependent actions.
* Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
* Things done in between these two moments will match on the real client's IP.
* The moment things are done by a module depends on in which hook it does things and within the same hook
* on whether they are before/after us in the module loading order
* (order in the server.modules directive in the config file).
*
* Tested behaviours:
*
* mod_access: Will match on the real client.
*
* mod_accesslog:
* In order to see the "real" ip address in access log ,
* you'll have to load mod_extforward after mod_accesslog.
* like this:
*
* server.modules = (
* .....
* mod_accesslog,
* mod_extforward
* )
*
* Known issues:
* seems causing segfault with mod_ssl and $HTTP{"socket"} directives
* LEM 2006.05.26: Fixed segfault $SERVER["socket"] directive. Untested with SSL.
*
* ChangeLog:
* 2005.12.19 Initial Version
* 2005.12.19 fixed conflict with conditional directives
* 2006.05.26 LEM: IPv6 support
* 2006.05.26 LEM: Fix a segfault with $SERVER["socket"] directive.
* 2006.05.26 LEM: Run at uri_raw time, as we don't need to see the URI
* In this manner, we run before mod_access and $HTTP["remoteip"] directives work!
* 2006.05.26 LEM: Clean config_cond cache of tests whose result we probably change.
*/
/* plugin config for all request/connections */
typedef struct {
array *forwarder;
} plugin_config;
typedef struct {
PLUGIN_DATA;
plugin_config **config_storage;
plugin_config conf;
} plugin_data;
/* context , used for restore remote ip */
typedef struct {
sock_addr saved_remote_addr;
buffer *saved_remote_addr_buf;
} handler_ctx;
static handler_ctx * handler_ctx_init(sock_addr oldaddr, buffer *oldaddr_buf) {
handler_ctx * hctx;
hctx = calloc(1, sizeof(*hctx));
hctx->saved_remote_addr = oldaddr;
hctx->saved_remote_addr_buf = oldaddr_buf;
return hctx;
}
static void handler_ctx_free(handler_ctx *hctx) {
free(hctx);
}
/* init the plugin data */
INIT_FUNC(mod_extforward_init) {
plugin_data *p;
p = calloc(1, sizeof(*p));
return p;
}
/* destroy the plugin data */
FREE_FUNC(mod_extforward_free) {
plugin_data *p = p_d;
UNUSED(srv);
if (!p) return HANDLER_GO_ON;
if (p->config_storage) {
size_t i;
for (i = 0; i < srv->config_context->used; i++) {
plugin_config *s = p->config_storage[i];
if (!s) continue;
array_free(s->forwarder);
free(s);
}
free(p->config_storage);
}
free(p);
return HANDLER_GO_ON;
}
/* handle plugin config and check values */
SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
plugin_data *p = p_d;
size_t i = 0;
config_values_t cv[] = {
{ "extforward.forwarder", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
};
if (!p) return HANDLER_ERROR;
p->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *));
for (i = 0; i < srv->config_context->used; i++) {
plugin_config *s;
s = calloc(1, sizeof(plugin_config));
s->forwarder = array_init();
cv[0].destination = s->forwarder;
p->config_storage[i] = s;
if (0 != config_insert_values_global(srv, ((data_config *)srv->config_context->data[i])->value, cv)) {
return HANDLER_ERROR;
}
}
return HANDLER_GO_ON;
}
#define PATCH(x) \
p->conf.x = s->x;
static int mod_extforward_patch_connection(server *srv, connection *con, plugin_data *p) {
size_t i, j;
plugin_config *s = p->config_storage[0];
PATCH(forwarder);
/* LEM: The purpose of this seems to match extforward configuration
stanzas that are not in the global context, but in some sub-context.
I fear this will break contexts of the form HTTP['remote'] = .
(in the form that they do not work with the real remote, but matching on
the proxy instead).
I'm not sure this this is all thread-safe. Is the p we are passed different
for each connection or is it global?
mod_fastcgi does the same, so it must be safe.
*/
/* skip the first, the global context */
for (i = 1; i < srv->config_context->used; i++) {
data_config *dc = (data_config *)srv->config_context->data[i];
s = p->config_storage[i];
/* condition didn't match */
if (!config_check_cond(srv, con, dc)) continue;
/* merge config */
for (j = 0; j < dc->value->used; j++) {
data_unset *du = dc->value->data[j];
if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.forwarder"))) {
PATCH(forwarder);
}
}
}
return 0;
}
#undef PATCH
static void put_string_into_array_len(array *ary, const char *str, int len)
{
data_string *tempdata;
if (len == 0)
return;
tempdata = data_string_init();
buffer_copy_string_len(tempdata->value,str,len);
array_insert_unique(ary,(data_unset *)tempdata);
}
/*
extract a forward array from the environment
*/
static array *extract_forward_array(buffer *pbuffer)
{
array *result = array_init();
if (pbuffer->used > 0) {
char *base, *curr;
/* state variable, 0 means not in string, 1 means in string */
int in_str = 0;
for (base = pbuffer->ptr, curr = pbuffer->ptr; *curr; curr++)
{
if (in_str) {
if ( (*curr > '9' || *curr < '0') && *curr != '.' && *curr != ':' ) {
/* found an separator , insert value into result array */
put_string_into_array_len(result, base, curr-base);
/* change state to not in string */
in_str = 0;
}
} else {
if (*curr >= '0' && *curr <= '9')
{
/* found leading char of an IP address, move base pointer and change state */
base = curr;
in_str = 1;
}
}
}
/* if breaking out while in str, we got to the end of string, so add it */
if (in_str)
{
put_string_into_array_len(result, base, curr-base);
}
}
return result;
}
#define IP_TRUSTED 1
#define IP_UNTRUSTED 0
/*
check whether ip is trusted, return 1 for trusted , 0 for untrusted
*/
static int is_proxy_trusted(const char *ipstr, plugin_data *p)
{
data_string* allds = (data_string *) array_get_element(p->conf.forwarder,"all");
if (allds) {
if (strcasecmp(allds->value->ptr,"trust") == 0)
return IP_TRUSTED;
else
return IP_UNTRUSTED;
}
return (data_string *)array_get_element(p->conf.forwarder,ipstr) ? IP_TRUSTED : IP_UNTRUSTED ;
}
struct addrinfo *ipstr_to_sockaddr(const char *host)
{
struct addrinfo hints, *res0;
int result;
memset(&hints, 0, sizeof(hints));
hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
result = getaddrinfo(host, NULL, &hints, &res0);
if ( result != 0 )
{
fprintf(stderr,"could not resolve hostname %s because %s\n", host,gai_strerror(result));
if (result == EAI_SYSTEM)
perror("The system error is ");
return NULL;
}
else
if (res0==0)
fprintf(stderr, "Problem in resolving hostname %s: succeeded, but no information returned\n", host);
return res0;
}
static void clean_cond_cache(server *srv, connection *con)
{
size_t i;
for (i = 0; i < srv->config_context->used; i++) {
data_config *dc = (data_config *)srv->config_context->data[i];
if (dc->comp == COMP_HTTP_REMOTEIP)
{
con->cond_cache[i].result = COND_RESULT_UNSET;
con->cond_cache[i].patterncount = 0;
}
}
}
URIHANDLER_FUNC(mod_extforward_uri_handler) {
plugin_data *p = p_d;
data_string *forwarded = NULL;
#ifdef HAVE_IPV6
char b2[INET6_ADDRSTRLEN + 1];
#endif
const char *s;
UNUSED(srv);
mod_extforward_patch_connection(srv, con, p);
/* log_error_write(srv, __FILE__, __LINE__,"s","mod_extforward_uri_handler called\n"); */
/* if the remote ip itself is not trusted , then do nothing */
#ifdef HAVE_IPV6
s = inet_ntop(con->dst_addr.plain.sa_family,
con->dst_addr.plain.sa_family == AF_INET6 ?
&(con->dst_addr.ipv6.sin6_addr) :
&(con->dst_addr.ipv4.sin_addr),
b2,
(sizeof b2) - 1);
#else
s = inet_ntoa(con->dst_addr.ipv4.sin_addr);
#endif
if (IP_UNTRUSTED == is_proxy_trusted (s, p) )
return HANDLER_GO_ON;
/* log_error_write(srv, __FILE__, __LINE__,"s","remote address is trusted proxy, go on\n");*/
if (con->request.headers &&
((forwarded = (data_string *) array_get_element(con->request.headers,"X-Forwarded-For")) ||
(forwarded = (data_string *) array_get_element(con->request.headers, "Forwarded-For"))))
{
/* log_error_write(srv, __FILE__, __LINE__,"s","found forwarded header\n");*/
/* found forwarded for header */
int i;
array *forward_array = extract_forward_array(forwarded->value);
char *real_remote_addr = NULL;
#ifdef HAVE_IPV6
struct addrinfo *addrlist = NULL;
#endif
/* Testing shows that multiple headers and multiple values in one header
come in _reverse_ order. So the first one we get is the last one in the request. */
for (i = forward_array->used - 1; i >= 0; i--)
{
data_string *ds = (data_string *) forward_array->data[i];
if (ds) {
/* log_error_write(srv, __FILE__, __LINE__,"ss","forward",ds->value->ptr); */
real_remote_addr = ds->value->ptr;
break;
/* LEM: What the hell is this about?
We test whether the forwarded for IP is trusted?
This looks like an ugly hack to handle multiple Forwarded-For's
and avoid those set to our proxies, or something like that.
My testing shows that reverse proxies add a new X-Forwarded-For header,
and we should thus take the last one, which is the first one we see.
The net result of the old code is that we use the first untrusted IP,
or if all are trusted, the last trusted IP.
That's crazy. So I've disabled this.
*/
/* check whether it is trusted */
/* if (IP_UNTRUSTED == is_proxy_trusted(ds->value->ptr,p) ) */
/* break; */
/* log_error_write(srv, __FILE__, __LINE__,"ss",ds->value->ptr," is trusted."); */
}
else {
/* bug ? bailing out here */
break;
}
}
if (real_remote_addr != NULL) /* parsed */
{
sock_addr s;
struct addrinfo *addrs_left;
/* log_error_write(srv, __FILE__, __LINE__,"ss","use forward",real_remote_addr); */
#ifdef HAVE_IPV6
addrlist = ipstr_to_sockaddr(real_remote_addr);
s.plain.sa_family = AF_UNSPEC;
for (addrs_left = addrlist; addrs_left != NULL;
addrs_left = addrs_left -> ai_next)
{
s.plain.sa_family = addrs_left->ai_family;
if ( s.plain.sa_family == AF_INET )
{
s.ipv4.sin_addr = ((struct sockaddr_in*)addrs_left->ai_addr)->sin_addr;
break;
}
else if ( s.plain.sa_family == AF_INET6 )
{
s.ipv6.sin6_addr = ((struct sockaddr_in6*)addrs_left->ai_addr)->sin6_addr;
break;
}
}
#else
s.ipv4.sin_addr.s_addr = inet_addr(real_remote_addr);
s.plain.sa_family = (s.ipv4.sin_addr.s_addr == 0xFFFFFFFF) ? AF_UNSPEC : AF_INET;
#endif
if (s.plain.sa_family != AF_UNSPEC)
{
/* we found the remote address, modify current connection and save the old address */
if (con->plugin_ctx[p->id]) {
log_error_write(srv, __FILE__, __LINE__,"patching an already patched connection!");
handler_ctx_free(con->plugin_ctx[p->id]);
con->plugin_ctx[p->id] = NULL;
}
/* save old address */
con->plugin_ctx[p->id] = handler_ctx_init(con->dst_addr, con->dst_addr_buf);
/* patch connection address */
con->dst_addr = s;
con->dst_addr_buf = buffer_init();
buffer_copy_string(con->dst_addr_buf, real_remote_addr);
/* log_error_write(srv, __FILE__, __LINE__,"ss","Set dst_addr_buf to ", real_remote_addr); */
/* Now, clean the conf_cond cache, because we may have changed the results of tests */
clean_cond_cache(srv, con);
}
#ifdef HAVE_IPV6
if (addrlist != NULL ) freeaddrinfo(addrlist);
#endif
}
array_free(forward_array);
}
/* not found */
return HANDLER_GO_ON;
}
CONNECTION_FUNC(mod_extforward_restore) {
plugin_data *p = p_d;
UNUSED(srv);
/* LEM: This seems completely unuseful, as we are not using
p->conf in this function. Furthermore, it brings a
segfault if one of the conditional configuration
blocks is "SERVER['socket'] == foo", because the
socket is not known yet in the srv/con structure.
*/
/* mod_extforward_patch_connection(srv, con, p); */
/* restore this connection's remote ip */
if (con->plugin_ctx[p->id]) {
handler_ctx *hctx = con->plugin_ctx[p->id];
con->dst_addr = hctx->saved_remote_addr;
buffer_free(con->dst_addr_buf);
con->dst_addr_buf = hctx->saved_remote_addr_buf;
/* log_error_write(srv, __FILE__, __LINE__,"s","LEM: Reset dst_addr_buf"); */
handler_ctx_free(hctx);
con->plugin_ctx[p->id] = NULL;
/* Now, clean the conf_cond cache, because we may have changed the results of tests */
clean_cond_cache(srv, con);
}
return HANDLER_GO_ON;
}
/* this function is called at dlopen() time and inits the callbacks */
int mod_extforward_plugin_init(plugin *p) {
p->version = LIGHTTPD_VERSION_ID;
p->name = buffer_init_string("extforward");
p->init = mod_extforward_init;
p->handle_uri_raw = mod_extforward_uri_handler;
p->handle_request_done = mod_extforward_restore;
p->connection_reset = mod_extforward_restore;
p->set_defaults = mod_extforward_set_defaults;
p->cleanup = mod_extforward_free;
p->data = NULL;
return 0;
}
Write Preview
Loading…
Cancel
Save