summaryrefslogtreecommitdiff
path: root/data/lighttpd/lighttpd-1.4.53/src/mod_extforward.c
diff options
context:
space:
mode:
Diffstat (limited to 'data/lighttpd/lighttpd-1.4.53/src/mod_extforward.c')
-rw-r--r--data/lighttpd/lighttpd-1.4.53/src/mod_extforward.c1645
1 files changed, 1645 insertions, 0 deletions
diff --git a/data/lighttpd/lighttpd-1.4.53/src/mod_extforward.c b/data/lighttpd/lighttpd-1.4.53/src/mod_extforward.c
new file mode 100644
index 000000000..152353141
--- /dev/null
+++ b/data/lighttpd/lighttpd-1.4.53/src/mod_extforward.c
@@ -0,0 +1,1645 @@
+#include "first.h"
+
+#include "base.h"
+#include "log.h"
+#include "buffer.h"
+#include "http_header.h"
+#include "request.h"
+#include "sock_addr.h"
+
+#include "plugin.h"
+
+#include "configfile.h"
+
+#include <limits.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include "sys-socket.h"
+
+/**
+ * mod_extforward.c for lighttpd, by comman.kang <at> gmail <dot> com
+ * extended, modified by Lionel Elie Mamane (LEM), lionel <at> mamane <dot> lu
+ * support chained proxies by glen@delfi.ee, #1528
+ *
+ * Config example:
+ *
+ * Trust proxy 10.0.0.232 and 10.0.0.232
+ * extforward.forwarder = ( "10.0.0.232" => "trust",
+ * "10.0.0.233" => "trust" )
+ *
+ * Trust all proxies (NOT RECOMMENDED!)
+ * extforward.forwarder = ( "all" => "trust")
+ *
+ * Note that "all" has precedence over specific entries,
+ * so "all except" setups will not work.
+ *
+ * In case you have chained proxies, you can add all their IP's to the
+ * config. However "all" has effect only on connecting IP, as the
+ * X-Forwarded-For header can not be trusted.
+ *
+ * Note: The effect of this module is variable on $HTTP["remotip"] directives and
+ * other module's remote ip dependent actions.
+ * Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
+ * Things done in between these two moments will match on the real client's IP.
+ * The moment things are done by a module depends on in which hook it does things and within the same hook
+ * on whether they are before/after us in the module loading order
+ * (order in the server.modules directive in the config file).
+ *
+ * Tested behaviours:
+ *
+ * mod_access: Will match on the real client.
+ *
+ * mod_accesslog:
+ * In order to see the "real" ip address in access log ,
+ * you'll have to load mod_extforward after mod_accesslog.
+ * like this:
+ *
+ * server.modules = (
+ * .....
+ * mod_accesslog,
+ * mod_extforward
+ * )
+ */
+
+
+/* plugin config for all request/connections */
+
+typedef enum {
+ PROXY_FORWARDED_NONE = 0x00,
+ PROXY_FORWARDED_FOR = 0x01,
+ PROXY_FORWARDED_PROTO = 0x02,
+ PROXY_FORWARDED_HOST = 0x04,
+ PROXY_FORWARDED_BY = 0x08,
+ PROXY_FORWARDED_REMOTE_USER = 0x10
+} proxy_forwarded_t;
+
+struct sock_addr_mask {
+ sock_addr addr;
+ int bits;
+};
+
+struct sock_addr_masks {
+ struct sock_addr_mask *addrs;
+ size_t used;
+ size_t sz;
+};
+
+typedef struct {
+ array *forwarder;
+ struct sock_addr_masks *forward_masks;
+ array *headers;
+ array *opts_params;
+ unsigned int opts;
+ unsigned short int hap_PROXY;
+ unsigned short int hap_PROXY_ssl_client_verify;
+ short int forward_all;
+} plugin_config;
+
+typedef struct {
+ PLUGIN_DATA;
+
+ plugin_config **config_storage;
+
+ plugin_config conf;
+} plugin_data;
+
+static plugin_data *mod_extforward_plugin_data_singleton;
+static int extforward_check_proxy;
+
+
+/* context , used for restore remote ip */
+
+typedef struct {
+ /* per-request state */
+ sock_addr saved_remote_addr;
+ buffer *saved_remote_addr_buf;
+
+ /* hap-PROXY protocol prior to receiving first request */
+ int(*saved_network_read)(server *, connection *, chunkqueue *, off_t);
+
+ /* connection-level state applied to requests in handle_request_env */
+ array *env;
+ int ssl_client_verify;
+} handler_ctx;
+
+
+static handler_ctx * handler_ctx_init(void) {
+ handler_ctx * hctx;
+ hctx = calloc(1, sizeof(*hctx));
+ return hctx;
+}
+
+static void handler_ctx_free(handler_ctx *hctx) {
+ free(hctx);
+}
+
+/* init the plugin data */
+INIT_FUNC(mod_extforward_init) {
+ plugin_data *p;
+ p = calloc(1, sizeof(*p));
+ mod_extforward_plugin_data_singleton = p;
+ return p;
+}
+
+/* destroy the plugin data */
+FREE_FUNC(mod_extforward_free) {
+ plugin_data *p = p_d;
+
+ UNUSED(srv);
+
+ if (!p) return HANDLER_GO_ON;
+
+ if (p->config_storage) {
+ size_t i;
+
+ for (i = 0; i < srv->config_context->used; i++) {
+ plugin_config *s = p->config_storage[i];
+
+ if (NULL == s) continue;
+
+ array_free(s->forwarder);
+ array_free(s->headers);
+ array_free(s->opts_params);
+
+ if (s->forward_masks) {
+ free(s->forward_masks->addrs);
+ free(s->forward_masks);
+ }
+
+ free(s);
+ }
+ free(p->config_storage);
+ }
+
+
+ free(p);
+
+ return HANDLER_GO_ON;
+}
+
+/* handle plugin config and check values */
+
+SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
+ plugin_data *p = p_d;
+ size_t i = 0;
+
+ config_values_t cv[] = {
+ { "extforward.forwarder", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
+ { "extforward.headers", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
+ { "extforward.params", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 2 */
+ { "extforward.hap-PROXY", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 3 */
+ { "extforward.hap-PROXY-ssl-client-verify", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 4 */
+ { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
+ };
+
+ if (!p) return HANDLER_ERROR;
+
+ p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
+
+ for (i = 0; i < srv->config_context->used; i++) {
+ data_config const* config = (data_config const*)srv->config_context->data[i];
+ plugin_config *s;
+
+ s = calloc(1, sizeof(plugin_config));
+ s->forwarder = array_init();
+ s->headers = array_init();
+ s->opts_params = array_init();
+ s->opts = PROXY_FORWARDED_NONE;
+
+ cv[0].destination = s->forwarder;
+ cv[1].destination = s->headers;
+ cv[2].destination = s->opts_params;
+ cv[3].destination = &s->hap_PROXY;
+ cv[4].destination = &s->hap_PROXY_ssl_client_verify;
+
+ p->config_storage[i] = s;
+
+ if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
+ return HANDLER_ERROR;
+ }
+
+ if (!array_is_kvstring(s->forwarder)) {
+ log_error_write(srv, __FILE__, __LINE__, "s",
+ "unexpected value for extforward.forwarder; expected list of \"IPaddr\" => \"trust\"");
+ return HANDLER_ERROR;
+ }
+
+ if (array_get_element(config->value, "extforward.forwarder")) {
+ const data_string * const allds = (data_string *)array_get_element(s->forwarder, "all");
+ s->forward_all = (NULL == allds) ? 0 : (0 == strcasecmp(allds->value->ptr, "trust")) ? 1 : -1;
+ for (size_t j = 0; j < s->forwarder->used; ++j) {
+ data_string * const ds = (data_string *)s->forwarder->data[j];
+ char * const nm_slash = strchr(ds->key->ptr, '/');
+ if (0 != strcasecmp(ds->value->ptr, "trust")) {
+ if (0 != strcasecmp(ds->value->ptr, "untrusted")) {
+ log_error_write(srv, __FILE__, __LINE__, "sbsbs", "ERROR: expect \"trust\", not \"", ds->key, "\" => \"", ds->value, "\"; treating as untrusted");
+ }
+ if (NULL != nm_slash) {
+ log_error_write(srv, __FILE__, __LINE__, "sbsbs", "ERROR: untrusted CIDR masks are ignored (\"", ds->key, "\" => \"", ds->value, "\")");
+ }
+ buffer_clear(ds->value); /* empty is untrusted */
+ continue;
+ }
+ if (NULL != nm_slash) {
+ struct sock_addr_mask *sm;
+ char *err;
+ const int nm_bits = strtol(nm_slash + 1, &err, 10);
+ int rc;
+ if (*err || nm_bits <= 0) {
+ log_error_write(srv, __FILE__, __LINE__, "sbs", "ERROR: invalid netmask:", ds->key, err);
+ return HANDLER_ERROR;
+ }
+ if (NULL == s->forward_masks) {
+ s->forward_masks = calloc(1, sizeof(struct sock_addr_masks));
+ force_assert(s->forward_masks);
+ }
+ if (s->forward_masks->used == s->forward_masks->sz) {
+ s->forward_masks->sz += 2;
+ s->forward_masks->addrs = realloc(s->forward_masks->addrs, s->forward_masks->sz * sizeof(struct sock_addr_mask));
+ force_assert(s->forward_masks->addrs);
+ }
+ sm = s->forward_masks->addrs + s->forward_masks->used++;
+ sm->bits = nm_bits;
+ *nm_slash = '\0';
+ rc = sock_addr_from_str_numeric(srv, &sm->addr, ds->key->ptr);
+ *nm_slash = '/';
+ if (1 != rc) return HANDLER_ERROR;
+ buffer_clear(ds->value); /* empty is untrusted, e.g. if subnet (incorrectly) appears in X-Forwarded-For */
+ }
+ }
+ }
+
+ if (!array_is_vlist(s->headers)) {
+ log_error_write(srv, __FILE__, __LINE__, "s",
+ "unexpected value for extforward.headers; expected list of \"headername\"");
+ return HANDLER_ERROR;
+ }
+
+ /* default to "X-Forwarded-For" or "Forwarded-For" if extforward.headers not specified or empty */
+ if (!s->hap_PROXY && 0 == s->headers->used && (0 == i || NULL != array_get_element(config->value, "extforward.headers"))) {
+ array_insert_value(s->headers, CONST_STR_LEN("X-Forwarded-For"));
+ array_insert_value(s->headers, CONST_STR_LEN("Forwarded-For"));
+ }
+
+ if (!array_is_kvany(s->opts_params)) {
+ log_error_write(srv, __FILE__, __LINE__, "s",
+ "unexpected value for extforward.params; expected ( \"param\" => \"value\" )");
+ return HANDLER_ERROR;
+ }
+ for (size_t j = 0, used = s->opts_params->used; j < used; ++j) {
+ proxy_forwarded_t param;
+ data_unset *du = s->opts_params->data[j];
+ #if 0 /*("for" and "proto" historical behavior: always enabled)*/
+ if (buffer_is_equal_string(du->key, CONST_STR_LEN("by"))) {
+ param = PROXY_FORWARDED_BY;
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("for"))) {
+ param = PROXY_FORWARDED_FOR;
+ } else
+ #endif
+ if (buffer_is_equal_string(du->key, CONST_STR_LEN("host"))) {
+ param = PROXY_FORWARDED_HOST;
+ #if 0
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("proto"))) {
+ param = PROXY_FORWARDED_PROTO;
+ #endif
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("remote_user"))) {
+ param = PROXY_FORWARDED_REMOTE_USER;
+ } else {
+ log_error_write(srv, __FILE__, __LINE__, "sb",
+ "extforward.params keys must be one of: host, remote_user, but not:", du->key);
+ return HANDLER_ERROR;
+ }
+ if (du->type == TYPE_STRING) {
+ data_string *ds = (data_string *)du;
+ if (buffer_is_equal_string(ds->value, CONST_STR_LEN("enable"))) {
+ s->opts |= param;
+ } else if (!buffer_is_equal_string(ds->value, CONST_STR_LEN("disable"))) {
+ log_error_write(srv, __FILE__, __LINE__, "sb",
+ "extforward.params values must be one of: 0, 1, enable, disable; error for key:", du->key);
+ return HANDLER_ERROR;
+ }
+ } else if (du->type == TYPE_INTEGER) {
+ data_integer *di = (data_integer *)du;
+ if (di->value) s->opts |= param;
+ } else {
+ log_error_write(srv, __FILE__, __LINE__, "sb",
+ "extforward.params values must be one of: 0, 1, enable, disable; error for key:", du->key);
+ return HANDLER_ERROR;
+ }
+ }
+ }
+
+ /* attempt to warn if mod_extforward is not last module loaded to hook
+ * handle_connection_accept. (Nice to have, but remove this check if
+ * it reaches too far into internals and prevents other code changes.)
+ * While it would be nice to check connection_handle_accept plugin slot
+ * to make sure mod_extforward is last, that info is private to plugin.c
+ * so merely warn if mod_openssl is loaded after mod_extforward, though
+ * future modules which hook connection_handle_accept might be missed.*/
+ for (i = 0; i < srv->config_context->used; ++i) {
+ plugin_config *s = p->config_storage[i];
+ if (s->hap_PROXY) {
+ size_t j;
+ for (j = 0; j < srv->srvconf.modules->used; ++j) {
+ data_string *ds = (data_string *)srv->srvconf.modules->data[j];
+ if (buffer_is_equal_string(ds->value, CONST_STR_LEN("mod_extforward"))) {
+ break;
+ }
+ }
+ for (; j < srv->srvconf.modules->used; ++j) {
+ data_string *ds = (data_string *)srv->srvconf.modules->data[j];
+ if (buffer_is_equal_string(ds->value, CONST_STR_LEN("mod_openssl"))) {
+ log_error_write(srv, __FILE__, __LINE__, "s",
+ "mod_extforward must be loaded after mod_openssl in server.modules when extforward.hap-PROXY = \"enable\"");
+ break;
+ }
+ }
+ break;
+ }
+ }
+
+ for (i = 0; i < srv->srvconf.modules->used; i++) {
+ data_string *ds = (data_string *)srv->srvconf.modules->data[i];
+ if (buffer_is_equal_string(ds->value, CONST_STR_LEN("mod_proxy"))) {
+ extforward_check_proxy = 1;
+ break;
+ }
+ }
+
+ return HANDLER_GO_ON;
+}
+
+#define PATCH(x) \
+ p->conf.x = s->x;
+static int mod_extforward_patch_connection(server *srv, connection *con, plugin_data *p) {
+ size_t i, j;
+ plugin_config *s = p->config_storage[0];
+
+ PATCH(forwarder);
+ PATCH(forward_masks);
+ PATCH(headers);
+ PATCH(opts);
+ PATCH(hap_PROXY);
+ PATCH(hap_PROXY_ssl_client_verify);
+ PATCH(forward_all);
+
+ /* skip the first, the global context */
+ for (i = 1; i < srv->config_context->used; i++) {
+ data_config *dc = (data_config *)srv->config_context->data[i];
+ s = p->config_storage[i];
+
+ /* condition didn't match */
+ if (!config_check_cond(srv, con, dc)) continue;
+
+ /* merge config */
+ for (j = 0; j < dc->value->used; j++) {
+ data_unset *du = dc->value->data[j];
+
+ if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.forwarder"))) {
+ PATCH(forwarder);
+ PATCH(forward_masks);
+ PATCH(forward_all);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.headers"))) {
+ PATCH(headers);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.params"))) {
+ PATCH(opts);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.hap-PROXY"))) {
+ PATCH(hap_PROXY);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.hap-PROXY-ssl-client-verify"))) {
+ PATCH(hap_PROXY_ssl_client_verify);
+ }
+ }
+ }
+
+ return 0;
+}
+#undef PATCH
+
+
+/*
+ extract a forward array from the environment
+*/
+static array *extract_forward_array(buffer *pbuffer)
+{
+ array *result = array_init();
+ if (!buffer_string_is_empty(pbuffer)) {
+ char *base, *curr;
+ /* state variable, 0 means not in string, 1 means in string */
+ int in_str = 0;
+ for (base = pbuffer->ptr, curr = pbuffer->ptr; *curr; curr++) {
+ if (in_str) {
+ if ((*curr > '9' || *curr < '0') && *curr != '.' && *curr != ':' && (*curr < 'a' || *curr > 'f') && (*curr < 'A' || *curr > 'F')) {
+ /* found an separator , insert value into result array */
+ array_insert_value(result, base, curr - base);
+ /* change state to not in string */
+ in_str = 0;
+ }
+ } else {
+ if ((*curr >= '0' && *curr <= '9') || *curr == ':' || (*curr >= 'a' && *curr <= 'f') || (*curr >= 'A' && *curr <= 'F')) {
+ /* found leading char of an IP address, move base pointer and change state */
+ base = curr;
+ in_str = 1;
+ }
+ }
+ }
+ /* if breaking out while in str, we got to the end of string, so add it */
+ if (in_str) {
+ array_insert_value(result, base, curr - base);
+ }
+ }
+ return result;
+}
+
+/*
+ * check whether ip is trusted, return 1 for trusted , 0 for untrusted
+ */
+static int is_proxy_trusted(plugin_data *p, const char * const ip, size_t iplen)
+{
+ data_string *ds =
+ (data_string *)array_get_element_klen(p->conf.forwarder, ip, iplen);
+ if (NULL != ds) return !buffer_string_is_empty(ds->value);
+
+ if (p->conf.forward_masks) {
+ const struct sock_addr_mask * const addrs =p->conf.forward_masks->addrs;
+ const size_t aused = p->conf.forward_masks->used;
+ sock_addr addr;
+ /* C funcs inet_aton(), inet_pton() require '\0'-terminated IP str */
+ char addrstr[64]; /*(larger than INET_ADDRSTRLEN and INET6_ADDRSTRLEN)*/
+ if (iplen >= sizeof(addrstr)) return 0;
+ memcpy(addrstr, ip, iplen);
+ addrstr[iplen] = '\0';
+
+ if (1 != sock_addr_inet_pton(&addr, addrstr, AF_INET, 0)
+ && 1 != sock_addr_inet_pton(&addr, addrstr, AF_INET6, 0)) return 0;
+
+ for (size_t i = 0; i < aused; ++i) {
+ if (sock_addr_is_addr_eq_bits(&addr, &addrs[i].addr, addrs[i].bits))
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+static int is_connection_trusted(connection * const con, plugin_data *p)
+{
+ if (p->conf.forward_all) return (1 == p->conf.forward_all);
+ return is_proxy_trusted(p, CONST_BUF_LEN(con->dst_addr_buf));
+}
+
+/*
+ * Return last address of proxy that is not trusted.
+ * Do not accept "all" keyword here.
+ */
+static const char *last_not_in_array(array *a, plugin_data *p)
+{
+ int i;
+
+ for (i = a->used - 1; i >= 0; i--) {
+ data_string *ds = (data_string *)a->data[i];
+ if (!is_proxy_trusted(p, CONST_BUF_LEN(ds->value))) {
+ return ds->value->ptr;
+ }
+ }
+ return NULL;
+}
+
+static int mod_extforward_set_addr(server *srv, connection *con, plugin_data *p, const char *addr) {
+ sock_addr sock;
+ handler_ctx *hctx = con->plugin_ctx[p->id];
+
+ if (con->conf.log_request_handling) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "using address:", addr);
+ }
+
+ sock.plain.sa_family = AF_UNSPEC;
+ if (1 != sock_addr_from_str_numeric(srv, &sock, addr)) return 0;
+ if (sock.plain.sa_family == AF_UNSPEC) return 0;
+
+ /* we found the remote address, modify current connection and save the old address */
+ if (hctx) {
+ if (hctx->saved_remote_addr_buf) {
+ if (con->conf.log_request_handling) {
+ log_error_write(srv, __FILE__, __LINE__, "s",
+ "-- mod_extforward_uri_handler already patched this connection, resetting state");
+ }
+ con->dst_addr = hctx->saved_remote_addr;
+ buffer_free(con->dst_addr_buf);
+ con->dst_addr_buf = hctx->saved_remote_addr_buf;
+ hctx->saved_remote_addr_buf = NULL;
+ }
+ } else {
+ con->plugin_ctx[p->id] = hctx = handler_ctx_init();
+ }
+ /* save old address */
+ if (extforward_check_proxy) {
+ http_header_env_set(con, CONST_STR_LEN("_L_EXTFORWARD_ACTUAL_FOR"), CONST_BUF_LEN(con->dst_addr_buf));
+ }
+ hctx->saved_remote_addr = con->dst_addr;
+ hctx->saved_remote_addr_buf = con->dst_addr_buf;
+ /* patch connection address */
+ con->dst_addr = sock;
+ con->dst_addr_buf = buffer_init_string(addr);
+
+ if (con->conf.log_request_handling) {
+ log_error_write(srv, __FILE__, __LINE__, "ss",
+ "patching con->dst_addr_buf for the accesslog:", addr);
+ }
+
+ /* Now, clean the conf_cond cache, because we may have changed the results of tests */
+ config_cond_cache_reset_item(srv, con, COMP_HTTP_REMOTE_IP);
+
+ return 1;
+}
+
+static void mod_extforward_set_proto(server *srv, connection *con, const char *proto, size_t protolen) {
+ if (0 != protolen && !buffer_is_equal_caseless_string(con->uri.scheme, proto, protolen)) {
+ /* update scheme if X-Forwarded-Proto is set
+ * Limitations:
+ * - Only "http" or "https" are currently accepted since the request to lighttpd currently has to
+ * be HTTP/1.0 or HTTP/1.1 using http or https. If this is changed, then the scheme from this
+ * untrusted header must be checked to contain only alphanumeric characters, and to be a
+ * reasonable length, e.g. < 256 chars.
+ * - con->uri.scheme is not reset in mod_extforward_restore() but is currently not an issues since
+ * con->uri.scheme will be reset by next request. If a new module uses con->uri.scheme in the
+ * handle_request_done hook, then should evaluate if that module should use the forwarded value
+ * (probably) or the original value.
+ */
+ if (extforward_check_proxy) {
+ http_header_env_set(con, CONST_STR_LEN("_L_EXTFORWARD_ACTUAL_PROTO"), CONST_BUF_LEN(con->uri.scheme));
+ }
+ if (0 == buffer_caseless_compare(proto, protolen, CONST_STR_LEN("https"))) {
+ buffer_copy_string_len(con->uri.scheme, CONST_STR_LEN("https"));
+ config_cond_cache_reset_item(srv, con, COMP_HTTP_SCHEME);
+ } else if (0 == buffer_caseless_compare(proto, protolen, CONST_STR_LEN("http"))) {
+ buffer_copy_string_len(con->uri.scheme, CONST_STR_LEN("http"));
+ config_cond_cache_reset_item(srv, con, COMP_HTTP_SCHEME);
+ }
+ }
+}
+
+static handler_t mod_extforward_X_Forwarded_For(server *srv, connection *con, plugin_data *p, buffer *x_forwarded_for) {
+ /* build forward_array from forwarded data_string */
+ array *forward_array = extract_forward_array(x_forwarded_for);
+ const char *real_remote_addr = last_not_in_array(forward_array, p);
+ if (real_remote_addr != NULL) { /* parsed */
+ /* get scheme if X-Forwarded-Proto is set
+ * Limitations:
+ * - X-Forwarded-Proto may or may not be set by proxies, even if X-Forwarded-For is set
+ * - X-Forwarded-Proto may be a comma-separated list if there are multiple proxies,
+ * but the historical behavior of the code below only honored it if there was exactly one value
+ * (not done: walking backwards in X-Forwarded-Proto the same num of steps
+ * as in X-Forwarded-For to find proto set by last trusted proxy)
+ */
+ buffer *x_forwarded_proto = http_header_request_get(con, HTTP_HEADER_X_FORWARDED_PROTO, CONST_STR_LEN("X-Forwarded-Proto"));
+ if (mod_extforward_set_addr(srv, con, p, real_remote_addr) && NULL != x_forwarded_proto) {
+ mod_extforward_set_proto(srv, con, CONST_BUF_LEN(x_forwarded_proto));
+ }
+ }
+ array_free(forward_array);
+ return HANDLER_GO_ON;
+}
+
+static int find_end_quoted_string (const char * const s, int i) {
+ do {
+ ++i;
+ } while (s[i] != '"' && s[i] != '\0' && (s[i] != '\\' || s[++i] != '\0'));
+ return i;
+}
+
+static int find_next_semicolon_or_comma_or_eq (const char * const s, int i) {
+ for (; s[i] != '=' && s[i] != ';' && s[i] != ',' && s[i] != '\0'; ++i) {
+ if (s[i] == '"') {
+ i = find_end_quoted_string(s, i);
+ if (s[i] == '\0') return -1;
+ }
+ }
+ return i;
+}
+
+static int find_next_semicolon_or_comma (const char * const s, int i) {
+ for (; s[i] != ';' && s[i] != ',' && s[i] != '\0'; ++i) {
+ if (s[i] == '"') {
+ i = find_end_quoted_string(s, i);
+ if (s[i] == '\0') return -1;
+ }
+ }
+ return i;
+}
+
+static int buffer_backslash_unescape (buffer * const b) {
+ /* (future: might move to buffer.c) */
+ size_t j = 0;
+ size_t len = buffer_string_length(b);
+ char *p = memchr(b->ptr, '\\', len);
+
+ if (NULL == p) return 1; /*(nothing to do)*/
+
+ len -= (size_t)(p - b->ptr);
+ for (size_t i = 0; i < len; ++i) {
+ if (p[i] == '\\') {
+ if (++i == len) return 0; /*(invalid trailing backslash)*/
+ }
+ p[j++] = p[i];
+ }
+ buffer_string_set_length(b, (size_t)(p+j - b->ptr));
+ return 1;
+}
+
+static handler_t mod_extforward_Forwarded (server *srv, connection *con, plugin_data *p, buffer *forwarded) {
+ /* HTTP list need not consist of param=value tokens,
+ * but this routine expect such for HTTP Forwarded header
+ * Since info in each set of params is only used if from
+ * admin-specified trusted proxy:
+ * - invalid param=value tokens are ignored and skipped
+ * - not checking "for" exists in each set of params
+ * - not checking for duplicated params in each set of params
+ * - not checking canonical form of addr (also might be obfuscated)
+ * - obfuscated tokens permitted in chain, though end of trust is expected
+ * to be non-obfuscated IP for mod_extforward to masquerade as remote IP
+ * future: since (potentially) trusted proxies begin at end of string,
+ * it might be better to parse from end of string rather than parsing from
+ * beginning. Doing so would also allow reducing arbitrary param limit
+ * to number of params permitted per proxy.
+ */
+ char * const s = forwarded->ptr;
+ int i = 0, j = -1, v, vlen, k, klen;
+ int used = (int)buffer_string_length(forwarded);
+ int ofor = -1, oproto, ohost, oby, oremote_user;
+ int offsets[256];/*(~50 params is more than reasonably expected to handle)*/
+ while (i < used) {
+ while (s[i] == ' ' || s[i] == '\t') ++i;
+ if (s[i] == ';') { ++i; continue; }
+ if (s[i] == ',') {
+ if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
+ offsets[++j] = -1; /*("offset" separating params from next proxy)*/
+ ++i;
+ continue;
+ }
+ if (s[i] == '\0') break;
+
+ k = i;
+ i = find_next_semicolon_or_comma_or_eq(s, i);
+ if (i < 0) {
+ /*(reject IP spoofing if attacker sets improper quoted-string)*/
+ log_error_write(srv, __FILE__, __LINE__, "s",
+ "invalid quoted-string in Forwarded header");
+ con->http_status = 400; /* Bad Request */
+ con->mode = DIRECT;
+ return HANDLER_FINISHED;
+ }
+ if (s[i] != '=') continue;
+ klen = i - k;
+ v = ++i;
+ i = find_next_semicolon_or_comma(s, i);
+ if (i < 0) {
+ /*(reject IP spoofing if attacker sets improper quoted-string)*/
+ log_error_write(srv, __FILE__, __LINE__, "s",
+ "invalid quoted-string in Forwarded header");
+ con->http_status = 400; /* Bad Request */
+ con->mode = DIRECT;
+ return HANDLER_FINISHED;
+ }
+ vlen = i - v; /* might be 0 */
+
+ /* have k, klen, v, vlen
+ * (might contain quoted string) (contents not validated or decoded)
+ * (might be repeated k)
+ */
+ if (0 == klen) continue; /* invalid k */
+ if (j >= (int)(sizeof(offsets)/sizeof(int))-4) break;
+ offsets[j+1] = k;
+ offsets[j+2] = klen;
+ offsets[j+3] = v;
+ offsets[j+4] = vlen;
+ j += 4;
+ }
+
+ if (j >= (int)(sizeof(offsets)/sizeof(int))-4) {
+ /* error processing Forwarded; too many params; fail closed */
+ log_error_write(srv, __FILE__, __LINE__, "s",
+ "Too many params in Forwarded header");
+ con->http_status = 400; /* Bad Request */
+ con->mode = DIRECT;
+ return HANDLER_FINISHED;
+ }
+
+ if (-1 == j) return HANDLER_GO_ON; /* make no changes */
+ used = j+1;
+ offsets[used] = -1; /* mark end of last set of params */
+
+ while (j >= 4) { /*(param=value pairs)*/
+ if (-1 == offsets[j]) { --j; continue; }
+ do {
+ j -= 3; /*(k, klen, v, vlen come in sets of 4)*/
+ } while ((3 != offsets[j+1] /* 3 == sizeof("for")-1 */
+ || 0 != buffer_caseless_compare(s+offsets[j], 3, "for", 3))
+ && 0 != j-- && -1 != offsets[j]);
+ if (j < 0) break;
+ if (-1 == offsets[j]) { --j; continue; }
+
+ /* remove trailing spaces/tabs and double-quotes from string
+ * (note: not unescaping backslash escapes in quoted string) */
+ v = offsets[j+2];
+ vlen = v + offsets[j+3];
+ while (vlen > v && (s[vlen-1] == ' ' || s[vlen-1] == '\t')) --vlen;
+ if (vlen > v+1 && s[v] == '"' && s[vlen-1] == '"') {
+ offsets[j+2] = ++v;
+ --vlen;
+ if (s[v] == '[') {
+ /* remove "[]" surrounding IPv6, as well as (optional) port
+ * (assumes properly formatted IPv6 addr from trusted proxy) */
+ ++v;
+ do { --vlen; } while (vlen > v && s[vlen] != ']');
+ if (v == vlen) {
+ log_error_write(srv, __FILE__, __LINE__, "s",
+ "Invalid IPv6 addr in Forwarded header");
+ con->http_status = 400; /* Bad Request */
+ con->mode = DIRECT;
+ return HANDLER_FINISHED;
+ }
+ }
+ else if (s[v] != '_' && s[v] != '/' && s[v] != 'u') {
+ /* remove (optional) port from non-obfuscated IPv4 */
+ for (klen=vlen, vlen=v; vlen < klen && s[vlen] != ':'; ++vlen) ;
+ }
+ offsets[j+2] = v;
+ }
+ offsets[j+3] = vlen - v;
+
+ /* obfuscated ipstr and obfuscated port are also accepted here, as
+ * is path to unix domain socket, but note that backslash escapes
+ * in quoted-string were not unescaped above. Also, if obfuscated
+ * identifiers are rotated by proxies as recommended by RFC, then
+ * maintaining list of trusted identifiers is non-trivial and is not
+ * attempted by this module. */
+
+ if (v != vlen) {
+ int trusted = is_proxy_trusted(p, s+v, vlen-v);
+
+ if (s[v] != '_' && s[v] != '/'
+ && (7 != (vlen - v) || 0 != memcmp(s+v, "unknown", 7))) {
+ ofor = j; /* save most recent non-obfuscated ipstr */
+ }
+
+ if (!trusted) break;
+ }
+
+ do { --j; } while (j > 0 && -1 != offsets[j]);
+ if (j <= 0) break;
+ --j;
+ }
+
+ if (-1 != ofor) {
+ /* C funcs getaddrinfo(), inet_addr() require '\0'-terminated IP str */
+ char *ipend = s+offsets[ofor+2]+offsets[ofor+3];
+ char c = *ipend;
+ int rc;
+ *ipend = '\0';
+ rc = mod_extforward_set_addr(srv, con, p, s+offsets[ofor+2]);
+ *ipend = c;
+ if (!rc) return HANDLER_GO_ON; /* invalid addr; make no changes */
+ }
+ else {
+ return HANDLER_GO_ON; /* make no changes */
+ }
+
+ /* parse out params associated with for=<ip> addr set above */
+ oproto = ohost = oby = oremote_user = -1;
+ j = ofor;
+ if (j > 0) { do { --j; } while (j > 0 && -1 != offsets[j]); }
+ if (-1 == offsets[j]) ++j;
+ if (j == ofor) j += 4;
+ for (; -1 != offsets[j]; j+=4) { /*(k, klen, v, vlen come in sets of 4)*/
+ switch (offsets[j+1]) {
+ #if 0
+ case 2:
+ if (0 == buffer_caseless_compare(s+offsets[j],2,"by",2))
+ oby = j;
+ break;
+ #endif
+ #if 0
+ /*(already handled above to find IP prior to earliest trusted proxy)*/
+ case 3:
+ if (0 == buffer_caseless_compare(s+offsets[j],3,"for",3))
+ ofor = j;
+ break;
+ #endif
+ case 4:
+ if (0 == buffer_caseless_compare(s+offsets[j],4,"host",4))
+ ohost = j;
+ break;
+ case 5:
+ if (0 == buffer_caseless_compare(s+offsets[j],5,"proto",5))
+ oproto = j;
+ break;
+ case 11:
+ if (0 == buffer_caseless_compare(s+offsets[j],11,"remote_user",11))
+ oremote_user = j;
+ break;
+ default:
+ break;
+ }
+ }
+ i = ++j;
+
+ if (-1 != oproto) {
+ /* remove trailing spaces/tabs, and double-quotes from proto
+ * (note: not unescaping backslash escapes in quoted string) */
+ v = offsets[oproto+2];
+ vlen = v + offsets[oproto+3];
+ while (vlen > v && (s[vlen-1] == ' ' || s[vlen-1] == '\t')) --vlen;
+ if (vlen > v+1 && s[v] == '"' && s[vlen-1] == '"') { ++v; --vlen; }
+ mod_extforward_set_proto(srv, con, s+v, vlen-v);
+ }
+
+ if (p->conf.opts & PROXY_FORWARDED_HOST) {
+ /* Limitations:
+ * - con->request.http_host is not reset in mod_extforward_restore()
+ * but is currently not an issues since con->request.http_host will be
+ * reset by next request. If a new module uses con->request.http_host
+ * in the handle_request_done hook, then should evaluate if that
+ * module should use the forwarded value (probably) or original value.
+ * - due to need to decode and unescape host=..., some extra work is
+ * done in the case where host matches current Host header.
+ * future: might add code to check if Host has actually changed or not
+ *
+ * note: change host after mod_extforward_set_proto() since that may
+ * affect scheme port used in http_request_host_policy() host
+ * normalization
+ */
+
+ /* find host param set by earliest trusted proxy in proxy chain
+ * (host might be changed anywhere along the chain) */
+ for (j = i; j < used && -1 == ohost; ) {
+ if (-1 == offsets[j]) { ++j; continue; }
+ if (4 == offsets[j+1]
+ && 0 == buffer_caseless_compare(s+offsets[j], 4, "host", 4))
+ ohost = j;
+ j += 4; /*(k, klen, v, vlen come in sets of 4)*/
+ }
+ if (-1 != ohost) {
+ if (extforward_check_proxy
+ && !buffer_string_is_empty(con->request.http_host)) {
+ http_header_env_set(con,
+ CONST_STR_LEN("_L_EXTFORWARD_ACTUAL_HOST"),
+ CONST_BUF_LEN(con->request.http_host));
+ }
+ /* remove trailing spaces/tabs, and double-quotes from host */
+ v = offsets[ohost+2];
+ vlen = v + offsets[ohost+3];
+ while (vlen > v && (s[vlen-1] == ' ' || s[vlen-1] == '\t')) --vlen;
+ if (vlen > v+1 && s[v] == '"' && s[vlen-1] == '"') {
+ ++v; --vlen;
+ buffer_copy_string_len(con->request.http_host, s+v, vlen-v);
+ if (!buffer_backslash_unescape(con->request.http_host)) {
+ log_error_write(srv, __FILE__, __LINE__, "s",
+ "invalid host= value in Forwarded header");
+ con->http_status = 400; /* Bad Request */
+ con->mode = DIRECT;
+ return HANDLER_FINISHED;
+ }
+ }
+ else {
+ buffer_copy_string_len(con->request.http_host, s+v, vlen-v);
+ }
+
+ if (0 != http_request_host_policy(con, con->request.http_host,
+ con->uri.scheme)) {
+ /*(reject invalid chars in Host)*/
+ log_error_write(srv, __FILE__, __LINE__, "s",
+ "invalid host= value in Forwarded header");
+ con->http_status = 400; /* Bad Request */
+ con->mode = DIRECT;
+ return HANDLER_FINISHED;
+ }
+
+ config_cond_cache_reset_item(srv, con, COMP_HTTP_HOST);
+ }
+ }
+
+ if (p->conf.opts & PROXY_FORWARDED_REMOTE_USER) {
+ /* find remote_user param set by closest proxy
+ * (auth may have been handled by any trusted proxy in proxy chain) */
+ for (j = i; j < used; ) {
+ if (-1 == offsets[j]) { ++j; continue; }
+ if (11 == offsets[j+1]
+ && 0==buffer_caseless_compare(s+offsets[j],11,"remote_user",11))
+ oremote_user = j;
+ j += 4; /*(k, klen, v, vlen come in sets of 4)*/
+ }
+ if (-1 != oremote_user) {
+ /* ???: should we also support param for auth_type ??? */
+ /* remove trailing spaces/tabs, and double-quotes from remote_user*/
+ v = offsets[oremote_user+2];
+ vlen = v + offsets[oremote_user+3];
+ while (vlen > v && (s[vlen-1] == ' ' || s[vlen-1] == '\t')) --vlen;
+ if (vlen > v+1 && s[v] == '"' && s[vlen-1] == '"') {
+ buffer *euser;
+ ++v; --vlen;
+ http_header_env_set(con,
+ CONST_STR_LEN("REMOTE_USER"), s+v, vlen-v);
+ euser = http_header_env_get(con, CONST_STR_LEN("REMOTE_USER"));
+ force_assert(NULL != euser);
+ if (!buffer_backslash_unescape(euser)) {
+ log_error_write(srv, __FILE__, __LINE__, "s",
+ "invalid remote_user= value in Forwarded header");
+ con->http_status = 400; /* Bad Request */
+ con->mode = DIRECT;
+ return HANDLER_FINISHED;
+ }
+ }
+ else {
+ http_header_env_set(con,
+ CONST_STR_LEN("REMOTE_USER"), s+v, vlen-v);
+ }
+ }
+ }
+
+ #if 0
+ if ((p->conf.opts & PROXY_FORWARDED_CREATE_XFF)
+ && NULL == http_header_request_get(con, HTTP_HEADER_X_FORWARDED_FOR, CONST_STR_LEN("X-Forwarded-For"))) {
+ /* create X-Forwarded-For if not present
+ * (and at least original connecting IP is a trusted proxy) */
+ buffer *xff = srv->tmp_buf;
+ buffer_clear(xff);
+ for (j = 0; j < used; ) {
+ if (-1 == offsets[j]) { ++j; continue; }
+ if (3 == offsets[j+1]
+ && 0 == buffer_caseless_compare(s+offsets[j], 3, "for", 3)) {
+ if (!buffer_string_is_empty(xff))
+ buffer_append_string_len(xff, CONST_STR_LEN(", "));
+ /* quoted-string, IPv6 brackets, and :port already removed */
+ v = offsets[j+2];
+ vlen = offsets[j+3];
+ buffer_append_string_len(xff, s+v, vlen);
+ if (s[v-1] != '=') { /*(must have been quoted-string)*/
+ char *x =
+ memchr(xff->ptr+buffer_string_length(xff)-vlen,'\\',vlen);
+ if (NULL != x) { /* backslash unescape in-place */
+ for (v = 0; x[v]; ++x) {
+ if (x[v] == '\\' && x[++v] == '\0')
+ break; /*(invalid trailing backslash)*/
+ *x = x[v];
+ }
+ buffer_string_set_length(xff, x - xff->ptr);
+ }
+ }
+ /* skip to next group; take first "for=..." in group
+ * (should be 0 or 1 "for=..." per group, but not trusted) */
+ do { j += 4; } while (-1 != offsets[j]);
+ ++j;
+ continue;
+ }
+ j += 4; /*(k, klen, v, vlen come in sets of 4)*/
+ }
+ http_header_request_set(con, HTTP_HEADER_X_FORWARDED_FOR, CONST_STR_LEN("X-Forwarded-For"), CONST_BUF_LEN(xff));
+ }
+ #endif
+
+ return HANDLER_GO_ON;
+}
+
+URIHANDLER_FUNC(mod_extforward_uri_handler) {
+ plugin_data *p = p_d;
+ buffer *forwarded = NULL;
+ handler_ctx *hctx = con->plugin_ctx[p->id];
+ int is_forwarded_header = 0;
+
+ mod_extforward_patch_connection(srv, con, p);
+
+ if (con->conf.log_request_handling) {
+ log_error_write(srv, __FILE__, __LINE__, "s",
+ "-- mod_extforward_uri_handler called");
+ }
+
+ if (p->conf.hap_PROXY_ssl_client_verify) {
+ data_string *ds;
+ if (NULL != hctx && hctx->ssl_client_verify && NULL != hctx->env
+ && NULL != (ds = (data_string *)array_get_element(hctx->env, "SSL_CLIENT_S_DN_CN"))) {
+ http_header_env_set(con,
+ CONST_STR_LEN("SSL_CLIENT_VERIFY"),
+ CONST_STR_LEN("SUCCESS"));
+ http_header_env_set(con,
+ CONST_STR_LEN("REMOTE_USER"),
+ CONST_BUF_LEN(ds->value));
+ http_header_env_set(con,
+ CONST_STR_LEN("AUTH_TYPE"),
+ CONST_STR_LEN("SSL_CLIENT_VERIFY"));
+ } else {
+ http_header_env_set(con,
+ CONST_STR_LEN("SSL_CLIENT_VERIFY"),
+ CONST_STR_LEN("NONE"));
+ }
+ }
+
+ for (size_t k = 0; k < p->conf.headers->used && NULL == forwarded; ++k) {
+ buffer *hdr = ((data_string *)p->conf.headers->data[k])->value;
+ forwarded = http_header_request_get(con, HTTP_HEADER_UNSPECIFIED, CONST_BUF_LEN(hdr));
+ if (forwarded) {
+ is_forwarded_header = buffer_is_equal_caseless_string(hdr, CONST_STR_LEN("Forwarded"));
+ break;
+ }
+ }
+ if (NULL == forwarded) {
+ if (con->conf.log_request_handling) {
+ log_error_write(srv, __FILE__, __LINE__, "s", "no forward header found, skipping");
+ }
+
+ return HANDLER_GO_ON;
+ }
+
+ /* if the remote ip itself is not trusted, then do nothing */
+ if (!is_connection_trusted(con, p)) {
+ if (con->conf.log_request_handling) {
+ log_error_write(srv, __FILE__, __LINE__, "sbs",
+ "remote address", con->dst_addr_buf, "is NOT a trusted proxy, skipping");
+ }
+
+ return HANDLER_GO_ON;
+ }
+
+ if (is_forwarded_header) {
+ return mod_extforward_Forwarded(srv, con, p, forwarded);
+ }
+
+ return mod_extforward_X_Forwarded_For(srv, con, p, forwarded);
+}
+
+
+CONNECTION_FUNC(mod_extforward_handle_request_env) {
+ plugin_data *p = p_d;
+ handler_ctx *hctx = con->plugin_ctx[p->id];
+ UNUSED(srv);
+ if (NULL == hctx || NULL == hctx->env) return HANDLER_GO_ON;
+ for (size_t i=0; i < hctx->env->used; ++i) {
+ /* note: replaces values which may have been set by mod_openssl
+ * (when mod_extforward is listed after mod_openssl in server.modules)*/
+ data_string *ds = (data_string *)hctx->env->data[i];
+ http_header_env_set(con,
+ CONST_BUF_LEN(ds->key), CONST_BUF_LEN(ds->value));
+ }
+ return HANDLER_GO_ON;
+}
+
+
+CONNECTION_FUNC(mod_extforward_restore) {
+ plugin_data *p = p_d;
+ handler_ctx *hctx = con->plugin_ctx[p->id];
+
+ if (!hctx) return HANDLER_GO_ON;
+
+ if (NULL != hctx->saved_network_read) {
+ con->network_read = hctx->saved_network_read;
+ hctx->saved_network_read = NULL;
+ }
+
+ if (NULL != hctx->saved_remote_addr_buf) {
+ con->dst_addr = hctx->saved_remote_addr;
+ buffer_free(con->dst_addr_buf);
+ con->dst_addr_buf = hctx->saved_remote_addr_buf;
+ hctx->saved_remote_addr_buf = NULL;
+ /* Now, clean the conf_cond cache, because we may have changed the results of tests */
+ config_cond_cache_reset_item(srv, con, COMP_HTTP_REMOTE_IP);
+ }
+
+ if (NULL == hctx->env) {
+ handler_ctx_free(hctx);
+ con->plugin_ctx[p->id] = NULL;
+ }
+
+ return HANDLER_GO_ON;
+}
+
+
+CONNECTION_FUNC(mod_extforward_handle_con_close)
+{
+ plugin_data *p = p_d;
+ handler_ctx *hctx = con->plugin_ctx[p->id];
+ UNUSED(srv);
+ if (NULL != hctx) {
+ if (NULL != hctx->saved_network_read) {
+ con->network_read = hctx->saved_network_read;
+ }
+ if (NULL != hctx->saved_remote_addr_buf) {
+ con->dst_addr = hctx->saved_remote_addr;
+ buffer_free(con->dst_addr_buf);
+ con->dst_addr_buf = hctx->saved_remote_addr_buf;
+ }
+ if (NULL != hctx->env) {
+ array_free(hctx->env);
+ }
+ handler_ctx_free(hctx);
+ con->plugin_ctx[p->id] = NULL;
+ }
+
+ return HANDLER_GO_ON;
+}
+
+
+static int mod_extforward_network_read (server *srv, connection *con, chunkqueue *cq, off_t max_bytes);
+
+CONNECTION_FUNC(mod_extforward_handle_con_accept)
+{
+ plugin_data *p = p_d;
+ mod_extforward_patch_connection(srv, con, p);
+ if (!p->conf.hap_PROXY) return HANDLER_GO_ON;
+ if (is_connection_trusted(con, p)) {
+ handler_ctx *hctx = handler_ctx_init();
+ con->plugin_ctx[p->id] = hctx;
+ hctx->saved_network_read = con->network_read;
+ con->network_read = mod_extforward_network_read;
+ }
+ else {
+ if (con->conf.log_request_handling) {
+ log_error_write(srv, __FILE__, __LINE__, "sbs",
+ "remote address", con->dst_addr_buf,
+ "is NOT a trusted proxy, skipping");
+ }
+ }
+ return HANDLER_GO_ON;
+}
+
+
+/* this function is called at dlopen() time and inits the callbacks */
+
+int mod_extforward_plugin_init(plugin *p);
+int mod_extforward_plugin_init(plugin *p) {
+ p->version = LIGHTTPD_VERSION_ID;
+ p->name = buffer_init_string("extforward");
+
+ p->init = mod_extforward_init;
+ p->handle_connection_accept = mod_extforward_handle_con_accept;
+ p->handle_uri_raw = mod_extforward_uri_handler;
+ p->handle_request_env = mod_extforward_handle_request_env;
+ p->handle_request_done = mod_extforward_restore;
+ p->connection_reset = mod_extforward_restore;
+ p->handle_connection_close = mod_extforward_handle_con_close;
+ p->set_defaults = mod_extforward_set_defaults;
+ p->cleanup = mod_extforward_free;
+
+ p->data = NULL;
+
+ return 0;
+}
+
+
+
+
+/* Modified from:
+ * http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+ *
+9. Sample code
+
+The code below is an example of how a receiver may deal with both versions of
+the protocol header for TCP over IPv4 or IPv6. The function is supposed to be
+called upon a read event. Addresses may be directly copied into their final
+memory location since they're transported in network byte order. The sending
+side is even simpler and can easily be deduced from this sample code.
+ *
+ */
+
+union hap_PROXY_hdr {
+ struct {
+ char line[108];
+ } v1;
+ struct {
+ uint8_t sig[12];
+ uint8_t ver_cmd;
+ uint8_t fam;
+ uint16_t len;
+ union {
+ struct { /* for TCP/UDP over IPv4, len = 12 */
+ uint32_t src_addr;
+ uint32_t dst_addr;
+ uint16_t src_port;
+ uint16_t dst_port;
+ } ip4;
+ struct { /* for TCP/UDP over IPv6, len = 36 */
+ uint8_t src_addr[16];
+ uint8_t dst_addr[16];
+ uint16_t src_port;
+ uint16_t dst_port;
+ } ip6;
+ struct { /* for AF_UNIX sockets, len = 216 */
+ uint8_t src_addr[108];
+ uint8_t dst_addr[108];
+ } unx;
+ } addr;
+ } v2;
+};
+
+/*
+If the length specified in the PROXY protocol header indicates that additional
+bytes are part of the header beyond the address information, a receiver may
+choose to skip over and ignore those bytes, or attempt to interpret those
+bytes.
+
+The information in those bytes will be arranged in Type-Length-Value (TLV
+vectors) in the following format. The first byte is the Type of the vector.
+The second two bytes represent the length in bytes of the value (not included
+the Type and Length bytes), and following the length field is the number of
+bytes specified by the length.
+ */
+struct pp2_tlv {
+ uint8_t type;
+ uint8_t length_hi;
+ uint8_t length_lo;
+ /*uint8_t value[0];*//* C99 zero-length array */
+};
+
+/*
+The following types have already been registered for the <type> field :
+ */
+
+#define PP2_TYPE_ALPN 0x01
+#define PP2_TYPE_AUTHORITY 0x02
+#define PP2_TYPE_CRC32C 0x03
+#define PP2_TYPE_NOOP 0x04
+#define PP2_TYPE_SSL 0x20
+#define PP2_SUBTYPE_SSL_VERSION 0x21
+#define PP2_SUBTYPE_SSL_CN 0x22
+#define PP2_SUBTYPE_SSL_CIPHER 0x23
+#define PP2_SUBTYPE_SSL_SIG_ALG 0x24
+#define PP2_SUBTYPE_SSL_KEY_ALG 0x25
+#define PP2_TYPE_NETNS 0x30
+
+/*
+For the type PP2_TYPE_SSL, the value is itselv a defined like this :
+ */
+
+struct pp2_tlv_ssl {
+ uint8_t client;
+ uint32_t verify;
+ /*struct pp2_tlv sub_tlv[0];*//* C99 zero-length array */
+};
+
+/*
+And the <client> field is made of a bit field from the following values,
+indicating which element is present :
+ */
+
+#define PP2_CLIENT_SSL 0x01
+#define PP2_CLIENT_CERT_CONN 0x02
+#define PP2_CLIENT_CERT_SESS 0x04
+
+
+
+
+#ifndef MSG_DONTWAIT
+#define MSG_DONTWAIT 0
+#endif
+#ifndef MSG_NOSIGNAL
+#define MSG_NOSIGNAL 0
+#endif
+
+/* returns 0 if needs to poll, <0 upon error or >0 is protocol vers (success) */
+static int hap_PROXY_recv (const int fd, union hap_PROXY_hdr * const hdr, const int family, const int so_type)
+{
+ static const char v2sig[12] =
+ "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A";
+
+ ssize_t ret;
+ size_t sz;
+ int ver;
+
+ do {
+ ret = recv(fd, hdr, sizeof(*hdr), MSG_PEEK|MSG_DONTWAIT|MSG_NOSIGNAL);
+ } while (-1 == ret && errno == EINTR);
+
+ if (-1 == ret)
+ return (errno == EAGAIN
+ #ifdef EWOULDBLOCK
+ #if EAGAIN != EWOULDBLOCK
+ || errno == EWOULDBLOCK
+ #endif
+ #endif
+ ) ? 0 : -1;
+
+ if (ret >= 16 && 0 == memcmp(&hdr->v2, v2sig, 12)
+ && (hdr->v2.ver_cmd & 0xF0) == 0x20) {
+ ver = 2;
+ sz = 16 + (size_t)ntohs(hdr->v2.len);
+ if ((size_t)ret < sz)
+ return -2; /* truncated or too large header */
+
+ switch (hdr->v2.ver_cmd & 0xF) {
+ case 0x01: break; /* PROXY command */
+ case 0x00: break; /* LOCAL command */
+ default: return -2; /* not a supported command */
+ }
+ }
+ else if (ret >= 8 && 0 == memcmp(hdr->v1.line, "PROXY", 5)) {
+ const char *end = memchr(hdr->v1.line, '\r', ret - 1);
+ if (!end || end[1] != '\n')
+ return -2; /* partial or invalid header */
+ ver = 1;
+ sz = (size_t)(end + 2 - hdr->v1.line); /* skip header + CRLF */
+ }
+ else {
+ /* Wrong protocol */
+ return -2;
+ }
+
+ /* we need to consume the appropriate amount of data from the socket
+ * (overwrites existing contents of hdr with same data) */
+ UNUSED(family);
+ UNUSED(so_type);
+ do {
+ #if defined(MSG_TRUNC) && defined(__linux__)
+ if ((family==AF_INET || family==AF_INET6) && so_type == SOCK_STREAM) {
+ ret = recv(fd, hdr, sz, MSG_TRUNC|MSG_DONTWAIT|MSG_NOSIGNAL);
+ if (ret >= 0 || errno != EINVAL) continue;
+ }
+ #endif
+ ret = recv(fd, hdr, sz, MSG_DONTWAIT|MSG_NOSIGNAL);
+ } while (-1 == ret && errno == EINTR);
+ if (ret < 0) return -1;
+ if (ret != (ssize_t)sz) {
+ errno = EIO; /*(partial read; valid but unexpected; not handled)*/
+ return -1;
+ }
+ if (1 == ver) hdr->v1.line[sz-2] = '\0'; /*terminate str to ease parsing*/
+ return ver;
+}
+
+
+static int mod_extforward_hap_PROXY_v1 (connection * const con,
+ union hap_PROXY_hdr * const hdr)
+{
+ #ifdef __COVERITY__
+ __coverity_tainted_data_sink__(hdr);
+ #endif
+
+ /* samples
+ * "PROXY TCP4 255.255.255.255 255.255.255.255 65535 65535\r\n"
+ * "PROXY TCP6 ffff:f...f:ffff ffff:f...f:ffff 65535 65535\r\n"
+ * "PROXY UNKNOWN\r\n"
+ * "PROXY UNKNOWN ffff:f...f:ffff ffff:f...f:ffff 65535 65535\r\n"
+ */
+ char *s = hdr->v1.line + sizeof("PROXY")-1; /*checked in hap_PROXY_recv()*/
+ char *src_addr, *dst_addr, *src_port, *dst_port, *e;
+ int family;
+ long src_lport, dst_lport;
+ if (*s != ' ') return -1;
+ ++s;
+ if (s[0] == 'T' && s[1] == 'C' && s[2] == 'P' && s[4] == ' ') {
+ if (s[3] == '4') {
+ family = AF_INET;
+ } else if (s[3] == '6') {
+ family = AF_INET6;
+ }
+ else {
+ return -1;
+ }
+ s += 5;
+ }
+ else if (0 == memcmp(s, "UNKNOWN", sizeof("UNKNOWN")-1)
+ && (s[7] == '\0' || s[7] == ' ')) {
+ return 0; /* keep local connection address */
+ }
+ else {
+ return -1;
+ }
+
+ /*(strsep() should be fairly portable, but is not standard)*/
+ src_addr = s;
+ dst_addr = strchr(src_addr, ' ');
+ if (NULL == dst_addr) return -1;
+ *dst_addr++ = '\0';
+ src_port = strchr(dst_addr, ' ');
+ if (NULL == src_port) return -1;
+ *src_port++ = '\0';
+ dst_port = strchr(src_port, ' ');
+ if (NULL == dst_port) return -1;
+ *dst_port++ = '\0';
+
+ src_lport = strtol(src_port, &e, 10);
+ if (src_lport <= 0 || src_lport > USHRT_MAX || *e != '\0') return -1;
+ dst_lport = strtol(dst_port, &e, 10);
+ if (dst_lport <= 0 || dst_lport > USHRT_MAX || *e != '\0') return -1;
+
+ if (1 != sock_addr_inet_pton(&con->dst_addr,
+ src_addr, family, (unsigned short)src_lport))
+ return -1;
+ /* Forwarded by=... could be saved here.
+ * (see additional comments in mod_extforward_hap_PROXY_v2()) */
+
+ /* re-parse addr to string to normalize
+ * (instead of trusting PROXY to provide canonicalized src_addr string)
+ * (should prefer PROXY v2 protocol if concerned about performance) */
+ sock_addr_inet_ntop_copy_buffer(con->dst_addr_buf, &con->dst_addr);
+
+ return 0;
+}
+
+
+static int mod_extforward_hap_PROXY_v2 (connection * const con,
+ union hap_PROXY_hdr * const hdr)
+{
+ #ifdef __COVERITY__
+ __coverity_tainted_data_sink__(hdr);
+ #endif
+
+ /* If HAProxy-PROXY protocol used, then lighttpd acts as transparent proxy,
+ * masquerading as servicing the client IP provided in by HAProxy-PROXY hdr.
+ * The connecting con->dst_addr and con->dst_addr_buf are not saved here,
+ * so that info is lost unless getsockname() and getpeername() are used.
+ * One result is that mod_proxy will use the masqueraded IP instead of the
+ * actual IP when updated Forwarded and X-Forwarded-For (but if actual
+ * connection IPs needed, better to save the info here rather than use
+ * syscalls to retrieve the info later).
+ * (Exception: con->dst_addr can be further changed if mod_extforward parses
+ * Forwaded or X-Forwarded-For request headers later, after request headers
+ * have been received.)
+ */
+
+ /* Forwarded by=... could be saved here. The by param is for backends to be
+ * able to construct URIs for that interface (interface on server which
+ * received request and made PROXY connection here), though that server
+ * should provide that information in updated Forwarded or X-Forwarded-For
+ * HTTP headers */
+ /*struct sockaddr_storage by;*/
+
+ /* Addresses provided by HAProxy-PROXY protocol are in network byte order.
+ * Note: addr info is not validated, so do not accept HAProxy-PROXY
+ * protocol from untrusted servers. For example, untrusted servers from
+ * which HAProxy-PROXY protocol is accepted (don't do that) could pretend
+ * to be from the internal network and might thereby bypass security policy.
+ */
+
+ /* (Clear con->dst_addr with memset() in case actual and proxies IPs
+ * are different domains, e.g. one is IPv4 and the other is IPv6) */
+
+ struct pp2_tlv *tlv;
+ uint32_t sz = ntohs(hdr->v2.len);
+ uint32_t len = 0;
+
+ switch (hdr->v2.ver_cmd & 0xF) {
+ case 0x01: break; /* PROXY command */
+ case 0x00: return 0;/* LOCAL command; keep local connection address */
+ default: return -1;/* should not happen; validated in hap_PROXY_recv()*/
+ }
+
+ /* PROXY command */
+
+ switch (hdr->v2.fam) {
+ case 0x11: /* TCPv4 */
+ sock_addr_assign(&con->dst_addr, AF_INET, hdr->v2.addr.ip4.src_port,
+ &hdr->v2.addr.ip4.src_addr);
+ sock_addr_inet_ntop_copy_buffer(con->dst_addr_buf, &con->dst_addr);
+ #if 0
+ ((struct sockaddr_in *)&by)->sin_family = AF_INET;
+ ((struct sockaddr_in *)&by)->sin_addr.s_addr =
+ hdr->v2.addr.ip4.dst_addr;
+ ((struct sockaddr_in *)&by)->sin_port =
+ hdr->v2.addr.ip4.dst_port;
+ #endif
+ len = (uint32_t)sizeof(hdr->v2.addr.ip4);
+ break;
+ #ifdef HAVE_IPV6
+ case 0x21: /* TCPv6 */
+ sock_addr_assign(&con->dst_addr, AF_INET6, hdr->v2.addr.ip6.src_port,
+ &hdr->v2.addr.ip6.src_addr);
+ sock_addr_inet_ntop_copy_buffer(con->dst_addr_buf, &con->dst_addr);
+ #if 0
+ ((struct sockaddr_in6 *)&by)->sin6_family = AF_INET6;
+ memcpy(&((struct sockaddr_in6 *)&by)->sin6_addr,
+ hdr->v2.addr.ip6.dst_addr, 16);
+ ((struct sockaddr_in6 *)&by)->sin6_port =
+ hdr->v2.addr.ip6.dst_port;
+ #endif
+ len = (uint32_t)sizeof(hdr->v2.addr.ip6);
+ break;
+ #endif
+ #ifdef HAVE_SYS_UN_H
+ case 0x31: /* UNIX domain socket */
+ {
+ char *src_addr = (char *)hdr->v2.addr.unx.src_addr;
+ char *z = memchr(src_addr, '\0', UNIX_PATH_MAX);
+ if (NULL == z) return -1; /* invalid addr; too long */
+ len = (uint32_t)(z - src_addr + 1); /*(+1 for '\0')*/
+ sock_addr_assign(&con->dst_addr, AF_UNIX, 0, src_addr);
+ buffer_copy_string_len(con->dst_addr_buf, src_addr, len);
+ }
+ #if 0 /*(dst_addr should be identical to src_addr for AF_UNIX)*/
+ ((struct sockaddr_un *)&by)->sun_family = AF_UNIX;
+ memcpy(&((struct sockaddr_un *)&by)->sun_path,
+ hdr->v2.addr.unx.dst_addr, 108);
+ #endif
+ len = (uint32_t)sizeof(hdr->v2.addr.unx);
+ break;
+ #endif
+ default: /* keep local connection address; unsupported protocol */
+ return 0;
+ }
+
+ /* (optional) Type-Length-Value (TLV vectors) follow addresses */
+
+ tlv = (struct pp2_tlv *)((char *)hdr + 16);
+ for (sz -= len, len -= 3; sz >= 3; sz -= 3 + len) {
+ tlv = (struct pp2_tlv *)((char *)tlv + 3 + len);
+ len = ((uint32_t)tlv->length_hi << 8) | tlv->length_lo;
+ if (3 + len > sz) break; /*(invalid TLV)*/
+ switch (tlv->type) {
+ #if 0 /*(not implemented here)*/
+ case PP2_TYPE_ALPN:
+ case PP2_TYPE_AUTHORITY:
+ case PP2_TYPE_CRC32C:
+ #endif
+ case PP2_TYPE_SSL: {
+ static const uint32_t zero = 0;
+ handler_ctx *hctx =
+ con->plugin_ctx[mod_extforward_plugin_data_singleton->id];
+ struct pp2_tlv_ssl *tlv_ssl =
+ (struct pp2_tlv_ssl *)(void *)((char *)tlv+3);
+ struct pp2_tlv *subtlv = tlv;
+ if (tlv_ssl->client & PP2_CLIENT_SSL) {
+ buffer_copy_string_len(con->proto, CONST_STR_LEN("https"));
+ }
+ if ((tlv_ssl->client & (PP2_CLIENT_CERT_CONN|PP2_CLIENT_CERT_SESS))
+ && 0 == memcmp(&tlv_ssl->verify, &zero, 4)) { /* misaligned */
+ hctx->ssl_client_verify = 1;
+ }
+ for (uint32_t subsz = len-5, n = 5; subsz >= 3; subsz -= 3 + n) {
+ subtlv = (struct pp2_tlv *)((char *)subtlv + 3 + n);
+ n = ((uint32_t)subtlv->length_hi << 8) | subtlv->length_lo;
+ if (3 + n > subsz) break; /*(invalid TLV)*/
+ if (NULL == hctx->env) hctx->env = array_init();
+ switch (subtlv->type) {
+ case PP2_SUBTYPE_SSL_VERSION:
+ array_set_key_value(hctx->env,
+ CONST_STR_LEN("SSL_PROTOCOL"),
+ (char *)subtlv+3, n);
+ break;
+ case PP2_SUBTYPE_SSL_CN:
+ /* (tlv_ssl->client & PP2_CLIENT_CERT_CONN)
+ * or
+ * (tlv_ssl->client & PP2_CLIENT_CERT_SESS) */
+ array_set_key_value(hctx->env,
+ CONST_STR_LEN("SSL_CLIENT_S_DN_CN"),
+ (char *)subtlv+3, n);
+ break;
+ case PP2_SUBTYPE_SSL_CIPHER:
+ array_set_key_value(hctx->env,
+ CONST_STR_LEN("SSL_CIPHER"),
+ (char *)subtlv+3, n);
+ break;
+ case PP2_SUBTYPE_SSL_SIG_ALG:
+ array_set_key_value(hctx->env,
+ CONST_STR_LEN("SSL_SERVER_A_SIG"),
+ (char *)subtlv+3, n);
+ break;
+ case PP2_SUBTYPE_SSL_KEY_ALG:
+ array_set_key_value(hctx->env,
+ CONST_STR_LEN("SSL_SERVER_A_KEY"),
+ (char *)subtlv+3, n);
+ break;
+ default:
+ break;
+ }
+ }
+ break;
+ }
+ #if 0 /*(not implemented here)*/
+ case PP2_TYPE_NETNS:
+ #endif
+ /*case PP2_TYPE_NOOP:*//* no-op */
+ default:
+ break;
+ }
+ }
+
+ return 0;
+}
+
+
+static int mod_extforward_network_read (server *srv, connection *con,
+ chunkqueue *cq, off_t max_bytes)
+{
+ /* XXX: when using hap-PROXY protocol, currently avoid overhead of setting
+ * _L_ environment variables for mod_proxy to accurately set Forwarded hdr
+ * In the future, might add config switch to enable doing this extra work */
+
+ union hap_PROXY_hdr hdr;
+ int rc = hap_PROXY_recv(con->fd, &hdr,
+ con->dst_addr.plain.sa_family, SOCK_STREAM);
+ switch (rc) {
+ case 2: rc = mod_extforward_hap_PROXY_v2(con, &hdr); break;
+ case 1: rc = mod_extforward_hap_PROXY_v1(con, &hdr); break;
+ case 0: return 0; /*(errno == EAGAIN || errno == EWOULDBLOCK)*/
+ case -1: log_error_write(srv, __FILE__, __LINE__, "ss",
+ "hap-PROXY recv()", strerror(errno));
+ rc = -1; break;
+ case -2: log_error_write(srv, __FILE__, __LINE__, "s",
+ "hap-PROXY proto received "
+ "invalid/unsupported request");
+ /* fall through */
+ default: rc = -1; break;
+ }
+
+ mod_extforward_restore(srv, con, mod_extforward_plugin_data_singleton);
+ return (0 == rc) ? con->network_read(srv, con, cq, max_bytes) : rc;
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-19 07:07:02 +0000